
SLES10 AppArmor – How to create Security Profiles for SAP – Part 4

Overview of already published parts:
SLES10 AppArmor – How to create Security Profiles for SAP – Part 1
SLES10 AppArmor – How to create Security Profiles for SAP – Part 2
SLES10 AppArmor – How to create Security Profiles for SAP – Part 3
 
We are almost finished with an AppArmor security policy for an SAP J2EE server. The most important executable still missing (jlaunch) is started by the JC00 instance. Although only this one instance is left to profile, it may be the most challenging one. Let’s have a look at the ‘ps -axf’ output of the running JC00 instance (the jlaunch lines were shortened to fit on the page). The processes shown as jc.sapSID_JC00 and ig.sapSID_JC00 are jcontrol and igswd_mt, started through links of that name which sapstart creates in the instance work directory (hence the /bin/ln rule and the work/jc.sapSID_JC00 and work/ig.sapSID_JC00 entries in the sapstart profile further down):

```
29307 ?  Ssl    0:00 /usr/sap/SID/JC00/exe/sapstartsrv pf=/usr/sap/SID/SYS/profile/START_JC00_ls3266v0 -D
29311 ?  Ss     0:00 /usr/sap/SID/JC00/exe/sapstart pf=/usr/sap/SID/SYS/profile/START_JC00_ls3266v0
29322 ?  Ssl    0:00  \_ jc.sapSID_JC00 pf=/usr/sap/SID/SYS/profile/SID_JC00_ls3266v0
29399 ?  Sl     0:00  |   \_ /usr/sap/SID/JC00/exe/jlaunch pf=/usr/sap/SID/SYS/profile/SID_JC00_ls3266v0 -DSAPINFO=SID_00_dispatcher...
29400 ?  Sl     0:00  |   \_ /usr/sap/SID/JC00/exe/jlaunch pf=/usr/sap/SID/SYS/profile/SID_JC00_ls3266v0 -DSAPINFO=SID_00_server...
29401 ?  Sl     0:00  |   \_ /usr/sap/SID/JC00/exe/jlaunch pf=/usr/sap/SID/SYS/profile/SID_JC00_ls3266v0 -DSAPINFO=SID_00_sdm...
29323 ?  Ss     0:00  \_ ig.sapSID_JC00 -mode=profile pf=/usr/sap/SID/SYS/profile/SID_JC00_ls3266v0
29324 ?  Sl     0:00      \_ /usr/sap/SID/JC00/exe/igsmux_mt -mode=profile -restartcount=0 pf=/usr/sap/SID/SYS/profile/SID_JC00_ls3266v0
29325 ?  Sl     0:00      \_ /usr/sap/SID/JC00/exe/igspw_mt -mode=profile -no=0 -restartcount=0 pf=/usr/sap/SID/SYS/profile/SID_JC00_ls3266v0
29326 ?  Sl     0:00      \_ /usr/sap/SID/JC00/exe/igspw_mt -mode=profile -no=1 -restartcount=0 pf=/usr/sap/SID/SYS/profile/SID_JC00_ls3266v0
```

 
First of all we need a profile for the JC00 sapstartsrv executable. Instead of creating one with YaST2 we simply copy the SCS01 one: copy /etc/apparmor.d/usr.sap.SID.SCS01.exe.sapstartsrv to /etc/apparmor.d/usr.sap.SID.JC00.exe.sapstartsrv, open the copy and replace every occurrence of SCS01 with JC00. The global substitution also rewrites the profile header line (/usr/sap/SID/SCS01/exe/sapstartsrv {), which must name the executable the new file name stands for. AppArmor then has to load the new policy, which is done with ‘rcapparmor reload’ (or ‘rcapparmor restart’). With the JC00 sapstartsrv policy in place, the real work begins with /usr/sap/SID/JC00/exe/sapstart. Its profile cannot simply be copied from the SCS01 instance: the SCS01 sapstart starts the message and enqueue server, whereas the JC00 sapstart starts the jlaunch and IGS processes. Therefore we have to create a new sapstart policy.
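The copy-and-substitute step above as a small shell helper. This is an added example, not part of the original post: it copies the SCS01 profile, rewrites the instance name and, before anything is loaded, checks that the profile header matches the executable that the file name (dots for slashes) stands for and that no SCS01 reference survived. The demo at the bottom runs against a constructed SCS01 profile in a temporary directory, not against /etc/apparmor.d; `apparmor_parser -r` in load_profile is the distribution-independent counterpart of the article’s ‘rcapparmor reload’ and is not executed by the demo.

```shell
#!/bin/sh
# Added example: clone an instance profile (copy, substitute SCS01 -> JC00
# everywhere) and sanity-check the result before it is loaded.
set -eu

# clone_profile SRC DST OLD_INSTANCE NEW_INSTANCE
# Prints the path of the new profile on success, returns 1 on any failed check.
clone_profile() {
    src=$1; dst=$2; old=$3; new=$4
    [ -f "$src" ] || { echo "no such profile: $src" >&2; return 1; }

    # Global substitution: this rewrites the profile header line
    # "/usr/sap/SID/SCS01/exe/sapstartsrv {" as well as every rule.
    sed "s/$old/$new/g" "$src" > "$dst"

    # AppArmor's file-name convention maps dots to slashes, so the header
    # must name exactly the path the file name encodes.
    want="/$(basename "$dst" | tr . /)"
    grep -q "^$want {" "$dst" || {
        echo "header of $dst does not match $want" >&2; return 1; }

    # Nothing of the old instance may be left behind.
    if grep -q "$old" "$dst"; then
        echo "$old still present in $dst" >&2; return 1
    fi
    echo "$dst"
}

# load_profile FILE: the article uses 'rcapparmor reload' on SLES10; this is
# the parser call that replaces a single loaded profile (not run by the demo).
load_profile() {
    apparmor_parser -r "$1"
}

# --- demo on a constructed SCS01 profile in a temporary directory ----------
WORK=$(mktemp -d)
cat > "$WORK/usr.sap.SID.SCS01.exe.sapstartsrv" <<'EOF'
#include <tunables/global>
/usr/sap/SID/SCS01/exe/sapstartsrv {
  #include <abstractions/base>
  /usr/sap/SID/SCS01/exe/sapstartsrv mr,
  /usr/sap/SID/SCS01/work/sapstartsrv.log w,
}
EOF
NEW_PROFILE=$(clone_profile "$WORK/usr.sap.SID.SCS01.exe.sapstartsrv" \
                            "$WORK/usr.sap.SID.JC00.exe.sapstartsrv" SCS01 JC00)
cat "$NEW_PROFILE"
# On the real box:
#   clone_profile /etc/apparmor.d/usr.sap.SID.SCS01.exe.sapstartsrv \
#       /etc/apparmor.d/usr.sap.SID.JC00.exe.sapstartsrv SCS01 JC00 && rcapparmor reload
```

The header check matters because a profile whose header names a different path than its file name suggests loads without complaint but attaches to the wrong executable, leaving the JC00 sapstartsrv unconfined.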
 
sapstart – JC00

To start profiling, first shut down all SAP instances and stop all other SAP related binaries. Then enter /usr/sap/SID/JC00/exe/sapstart as the binary to profile in the YaST2 dialog and start the whole SAP system with ‘startsap’ on the command line. Wait until the Java deployment has finished. I strongly suggest that you then let some users do real work on your SAP Java instance. Let the profiling run for a while and make sure that /var/log/audit/audit.log is not rotated in the meantime, because YaST2 builds the profile from the learning events recorded there. Shut down the instance and start answering the questions from YaST2.

While profiling sapstart from instance JC00, keep in mind what we already did for the previous profiles:

* inherit permissions for system executables
* generate new profiles for selected SAP executables
* use abstractions whenever possible
* use wildcards to generalize access permissions
 
Profiling jcontrol and jlaunch will take a while; you have to work with wildcards to finish in a reasonable time frame. After YaST2 has asked all its questions, there should be several new profile files under /etc/apparmor.d. It also happens that YaST2 updates existing profiles when new accesses are logged for executables that already have one. In this run YaST2 added new permissions to these profiles:
 
usr.sap.SID.SCS01.exe.sapstart
sapmnt.SID.exe.sapcpe
 
and created these new ones:
 
usr.sap.SID.JC00.exe.sapstart
usr.sap.SID.JC00.exe.jlaunch
usr.sap.SID.JC00.exe.jcontrol
usr.sap.SID.JC00.exe.igswd_mt
usr.sap.SID.JC00.exe.igspw_mt
usr.sap.SID.JC00.exe.igsmux_mt
 
Please be careful the first time you use a jlaunch profile in a productive environment. New deployments, the installation of support packages, updates of the J2EE stack or ordinary user interaction may cause file accesses that were not seen during profiling, and in enforce mode AppArmor denies them. As a result you will have to profile the executable behind the application again (mostly jlaunch for J2EE applications). When applying J2EE support packages you can easily profile jlaunch again the way you did the first time: use the “Add Profile Wizard”, enter the path of the executable and start profiling. There is no need to stop and start the SAP system, because the policy for starting the system is already available. While an existing profile is being re-profiled it is in learning (complain) mode, so all new file accesses are permitted and logged rather than denied. Later, when YaST2 asks what to do with them, you can choose to allow them and the corresponding lines are added to the profile; the profile protects again only once it is back in enforce mode.
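The advice above to use wildcards to generalize access permissions and the warning just above about unforeseen accesses after deployments both come down to one question: which of the accesses in the audit log are already covered by the profile, and which are not? The following script is an added example, not code from the original post or from SUSE’s AppArmor tools. It parses AppArmor audit lines, compares each (path, mode) against profile rules using AppArmor’s own globbing (‘*’ does not cross ‘/’, ‘**’ does) and lists what remains uncovered. The audit lines are constructed to approximate the SLES10-era text format and the later key=value format; RULES is a handful of rules taken from the jlaunch profile shown further down; the file names in the sample lines are illustrative.

```python
"""Check observed AppArmor file accesses against a profile's rules.

Added example (not from the original post): parse audit lines, extract
(profile, path, mode) and report accesses that no rule already grants, using
AppArmor glob semantics.  Audit lines below are constructed, not real logs.
"""
import re
from typing import Iterable, Iterator, List, Optional, Pattern, Tuple

# Subset of /etc/apparmor.d/usr.sap.SID.JC00.exe.jlaunch from the article.
RULES = """
  /proc/*/stat r,
  /usr/sap/SID/JC00/j2ee/** rw,
  /usr/sap/SID/JC00/work/dev_server0* rw,
  /usr/sap/SID/JC00/work/std* r,
  /usr/sap/SID/JC00/exe/libicudata.so.* mr,
"""

# Constructed sample lines approximating two formats: the SLES10-era text
# form (PERMITTING in complain mode, REJECTING in enforce mode) and the later
# key=value form (apparmor="ALLOWED"/"DENIED").
SAMPLE_AUDIT = """
type=APPARMOR msg=audit(1195726983.406:134): PERMITTING r access to /usr/sap/SID/JC00/work/std_server0.out (jlaunch(29400) profile /usr/sap/SID/JC00/exe/jlaunch active /usr/sap/SID/JC00/exe/jlaunch)
type=APPARMOR msg=audit(1195726983.407:135): PERMITTING rw access to /usr/sap/SID/JC00/work/dev_server1 (jlaunch(29410) profile /usr/sap/SID/JC00/exe/jlaunch active /usr/sap/SID/JC00/exe/jlaunch)
type=APPARMOR msg=audit(1195726983.408:136): PERMITTING r access to /proc/29400/stat (jlaunch(29400) profile /usr/sap/SID/JC00/exe/jlaunch active /usr/sap/SID/JC00/exe/jlaunch)
type=AVC msg=audit(1195726990.001:137): apparmor="DENIED" operation="open" profile="/usr/sap/SID/JC00/exe/jlaunch" name="/usr/sap/SID/JC00/j2ee/cluster/server0/log/defaultTrace.trc" pid=29400 comm="jlaunch" requested_mask="rw" denied_mask="rw"
type=AVC msg=audit(1195726990.002:138): apparmor="DENIED" operation="open" profile="/usr/sap/SID/JC00/exe/jlaunch" name="/sapmnt/SID/global/security/data/ticket" pid=29400 comm="jlaunch" requested_mask="r" denied_mask="r"
"""

RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-z]+),\s*$")
OLD_RE = re.compile(r"(PERMITTING|REJECTING) (\w+) access to (\S+) \(.*?profile (\S+) active")
NEW_RE = re.compile(r'apparmor="(ALLOWED|DENIED)".*?profile="([^"]+)".*?name="([^"]+)".*?requested_mask="([^"]+)"')


def glob_to_regex(glob: str) -> Pattern[str]:
    """Translate an AppArmor file glob into an anchored regex:
    '**' any characters including '/', '*' any characters except '/',
    '?' one character except '/', '{a,b}' a literal alternation."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out += "[^/]*"
        elif c == "?":
            out += "[^/]"
        elif c == "{":
            j = glob.index("}", i)
            out += "(?:" + "|".join(re.escape(a) for a in glob[i + 1:j].split(",")) + ")"
            i = j
        else:
            out += re.escape(c)
        i += 1
    return re.compile("^" + out + "$")


def parse_rules(text: str) -> List[Tuple[str, str, Pattern[str]]]:
    """(glob, permission letters, compiled regex) for each file rule in text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), glob_to_regex(m.group(1))))
    return rules


def parse_audit(lines: Iterable[str]) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (profile, path, mode, decision) for each AppArmor file event."""
    for line in lines:
        m = OLD_RE.search(line)
        if m:
            decision, mode, path, profile = m.groups()
            yield profile, path, mode, decision
            continue
        m = NEW_RE.search(line)
        if m:
            decision, profile, path, mode = m.groups()
            yield profile, path, mode, decision


def covering_rule(path: str, mode: str, rules) -> Optional[str]:
    """First rule whose glob matches path and whose permissions include every
    letter of mode (e.g. 'rw'); None if the access is not granted yet."""
    for glob, perms, rx in rules:
        if rx.match(path) and set(mode) <= set(perms):
            return glob
    return None


def uncovered(audit_text: str, profile: str, rules) -> List[Tuple[str, str]]:
    """Accesses logged for profile that none of rules grants: what YaST2 will
    ask about, and the candidates for a new or wider wildcard rule."""
    missing = []
    for prof, path, mode, _decision in parse_audit(audit_text.splitlines()):
        if prof == profile and covering_rule(path, mode, rules) is None:
            missing.append((path, mode))
    return missing


if __name__ == "__main__":
    for path, mode in uncovered(SAMPLE_AUDIT, "/usr/sap/SID/JC00/exe/jlaunch", parse_rules(RULES)):
        print("not covered:", path, mode)
```

Run stand-alone it reports dev_server1 (a second server node that the dev_server0* rule does not cover) and the security/data file; the j2ee/** and std* rules absorb the other accesses. The same check answers the opposite question when you widen a rule: /proc/*/stat, for instance, matches /proc/net/stat as well as every process’s stat file, which is the kind of over-generalization to look for before a profile goes into enforce mode.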
 
You now have everything at hand to create AppArmor profiles for your SAP J2EE Application Server. The ABAP Application Server is much easier to handle with AppArmor, because it performs far fewer file accesses than a J2EE one. Below is the complete list of the remaining JC00 instance profiles, except sapstartsrv, which is just a copy of the SCS01 one with the other instance name. The policies YaST2 created the first time prevented the start-up of my SAP system, so I decided to post the extended ones here, with which my SAP system was able to start. If anything is unclear, please ask. I look forward to your questions.
 
/etc/apparmor.d/usr.sap.SID.JC00.exe.sapstart:

```
# vim:syntax=apparmor
# Last Modified: Thu Nov 22 09:23:57 2007
#include <tunables/global>

/usr/sap/SID/JC00/exe/sapstart {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  /bin/bash ixr,
  /bin/ln ixr,
  /bin/rm ixr,
  /home/*/dev_sapstart w,
  /sapmnt/SID/exe/sapcpe px,
  /sapmnt/SID/profile/* r,
  /usr/sap/SID/JC00/SDM/** r,
  /usr/sap/SID/JC00/exe/bwgis.so mr,
  /usr/sap/SID/JC00/exe/gfwchart.so mr,
  /usr/sap/SID/JC00/exe/igsmux_mt px,
  /usr/sap/SID/JC00/exe/igspw_mt mpxr,
  /usr/sap/SID/JC00/exe/igswd_mt mpxr,
  /usr/sap/SID/JC00/exe/imgconv.so mr,
  /usr/sap/SID/JC00/exe/jcontrol mpxr,
  /usr/sap/SID/JC00/exe/jlaunch px,
  /usr/sap/SID/JC00/exe/libicudata.so.* mr,
  /usr/sap/SID/JC00/exe/libicui18n.so.* mr,
  /usr/sap/SID/JC00/exe/libicuuc.so.* mr,
  /usr/sap/SID/JC00/exe/libsapu.so mr,
  /usr/sap/SID/JC00/exe/sapstart mr,
  /usr/sap/SID/JC00/exe/xmlchart.so mr,
  /usr/sap/SID/JC00/exe/zipper.so mr,
  /usr/sap/SID/JC00/igs r,
  /usr/sap/SID/JC00/igs/* r,
  /usr/sap/SID/JC00/igs/log/* rw,
  /usr/sap/SID/JC00/j2ee/** r,
  /usr/sap/SID/JC00/work/INSTSTAT w,
  /usr/sap/SID/JC00/work/dev_jcontrol* rw,
  /usr/sap/SID/JC00/work/dev_sapstart w,
  /usr/sap/SID/JC00/work/ig.sapSID_JC00 w,
  /usr/sap/SID/JC00/work/jc.sapSID_JC00 w,
  /usr/sap/SID/JC00/work/kill.sap w,
  /usr/sap/SID/JC00/work/sapstart.log w,
  /usr/sap/SID/JC00/work/sapstart.sem w,
  /usr/sap/SID/JC00/work/sapstart0.* w,
  /usr/sap/SID/JC00/work/sapstart1.* w,
  /usr/sap/SID/JC00/work/shutdown.sap rw,
  /usr/sap/SID/JC00/work/std* rw,
}
```

/etc/apparmor.d/usr.sap.SID.JC00.exe.jlaunch:

```
# vim:syntax=apparmor
# Last Modified: Thu Nov 22 11:03:03 2007
#include <tunables/global>

/usr/sap/SID/JC00/exe/jlaunch {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  /bin/bash ixr,
  /bin/ps ixr,
  /etc/sysconfig/clock r,
  /opt/IBMJava2-amd64-142/* r,
  /opt/IBMJava2-amd64-142/jre/bin/*.so mr,
  /opt/IBMJava2-amd64-142/jre/bin/j9vm/libjvm.so mr,
  /proc r,
  /proc/*/stat r,
  /proc/*/status r,
  /proc/net r,
  /proc/net/dev r,
  /proc/net/if_inet6 r,
  /proc/net/unix r,
  /proc/sys/* r,
  /proc/uptime r,
  /sapdb/programs/runtime/jar/* r,
  /sapmnt/SID/global/AdobeDocumentServices/SAP_Scenarios.sif w,
  /sapmnt/SID/global/security/data/* r,
  /sapmnt/SID/global/security/lib/** r,
  /sapmnt/SID/profile/* r,
  /sbin/ifconfig ixr,
  /usr/bin/id ixr,
  /usr/sap/SID/JC00/SDM/** r,
  /usr/sap/SID/JC00/SDM/program/.hotspot_compiler w,
  /usr/sap/SID/JC00/SDM/program/log/** rw,
  /usr/sap/SID/JC00/exe/igswd_mt r,
  /usr/sap/SID/JC00/exe/jcontrol r,
  /usr/sap/SID/JC00/exe/jlaunch mr,
  /usr/sap/SID/JC00/exe/jstartup.jar r,
  /usr/sap/SID/JC00/exe/jstartupimpl.jar r,
  /usr/sap/SID/JC00/exe/libicudata.so.* mr,
  /usr/sap/SID/JC00/exe/libicui18n.so.* mr,
  /usr/sap/SID/JC00/exe/libicuuc.so.* mr,
  /usr/sap/SID/JC00/exe/libjmon.so mr,
  /usr/sap/SID/JC00/exe/libsapu16_mt.so mr,
  /usr/sap/SID/JC00/j2ee/** rw,
  /usr/sap/SID/JC00/work r,
  /usr/sap/SID/JC00/work/CPICTRC* r,
  /usr/sap/SID/JC00/work/INSTSTAT r,
  /usr/sap/SID/JC00/work/JdbcCon.log r,
  /usr/sap/SID/JC00/work/available.log r,
  /usr/sap/SID/JC00/work/dev_bootstrap* rw,
  /usr/sap/SID/JC00/work/dev_dispatcher* rw,
  /usr/sap/SID/JC00/work/dev_jcmon* r,
  /usr/sap/SID/JC00/work/dev_jcontrol* r,
  /usr/sap/SID/JC00/work/dev_sapstart r,
  /usr/sap/SID/JC00/work/dev_sdm* rw,
  /usr/sap/SID/JC00/work/dev_server0* rw,
  /usr/sap/SID/JC00/work/dev_tp* r,
  /usr/sap/SID/JC00/work/jvm_bootstrap* rw,
  /usr/sap/SID/JC00/work/jvm_dispatcher* rw,
  /usr/sap/SID/JC00/work/jvm_sdm* rw,
  /usr/sap/SID/JC00/work/jvm_server0* rw,
  /usr/sap/SID/JC00/work/kill.sap r,
  /usr/sap/SID/JC00/work/log_bootstrap* rw,
  /usr/sap/SID/JC00/work/sapcpe.* r,
  /usr/sap/SID/JC00/work/sapstart.log r,
  /usr/sap/SID/JC00/work/sapstart.sem r,
  /usr/sap/SID/JC00/work/sapstart0.trc r,
  /usr/sap/SID/JC00/work/sapstart1.trc r,
  /usr/sap/SID/JC00/work/sapstartsrv.log r,
  /usr/sap/SID/JC00/work/sapstartsrv.trc r,
  /usr/sap/SID/JC00/work/shutdown.sap r,
  /usr/sap/SID/JC00/work/std* r,
  /usr/sap/SID/JC00/work/std_dispatcher* rw,
  /usr/sap/SID/JC00/work/std_sdm* rw,
  /usr/sap/SID/JC00/work/std_server* rw,
  /usr/sap/ccms/SID_00/dsr/dsrports.txt rw,
  /usr/sap/ccms/SID_00/j2ee/* rw,
  /usr/sap/tmp/logmon/* w,
  /usr/sap/tmp/procmon/J2EE_SID_00_procmon.ini rw,
  /usr/share/zoneinfo r,
}
```

/etc/apparmor.d/usr.sap.SID.JC00.exe.jcontrol:

```
# vim:syntax=apparmor
# Last Modified: Thu Nov 22 11:03:03 2007
#include <tunables/global>

/usr/sap/SID/JC00/exe/jcontrol {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  /bin/bash ixr,
  /bin/ps ixr,
  /dev/tty rw,
  /etc/sysconfig/clock r,
  /opt/IBMJava2-amd64-142/jre/* r,
  /opt/IBMJava2-amd64-142/jre/bin/*.so mr,
  /opt/IBMJava2-amd64-142/jre/bin/j9vm/* mr,
  /proc r,
  /proc/*/stat r,
  /proc/*/status r,
  /proc/net r,
  /proc/net/dev r,
  /proc/net/if_inet6 r,
  /proc/net/unix r,
  /proc/sys/kernel/pid_max r,
  /proc/sys/net/core/rmem_max r,
  /proc/sys/net/core/wmem_max r,
  /proc/uptime r,
  /sapdb/programs/runtime/jar/* r,
  /sapmnt/SID/global/** r,
  /sapmnt/SID/global/AdobeDocumentServices/SAP_Scenarios.sif w,
  /sapmnt/SID/profile/* r,
  /sbin/ifconfig ixr,
  /usr/bin/id ixr,
  /usr/sap/SID/JC00/SDM/** r,
  /usr/sap/SID/JC00/exe/igswd_mt r,
  /usr/sap/SID/JC00/exe/jcontrol mr,
  /usr/sap/SID/JC00/exe/jlaunch mpxr,
  /usr/sap/SID/JC00/exe/jstartup.jar r,
  /usr/sap/SID/JC00/exe/libicudata.so.* mr,
  /usr/sap/SID/JC00/exe/libicui18n.so.* mr,
  /usr/sap/SID/JC00/exe/libicuuc.so.* mr,
  /usr/sap/SID/JC00/exe/libjmon.so mr,
  /usr/sap/SID/JC00/exe/libsapu16_mt.so mr,
  /usr/sap/SID/JC00/j2ee/** r,
  /usr/sap/SID/JC00/j2ee/cluster/server/apps/* rw,
  /usr/sap/SID/JC00/j2ee/cluster/server/jarm.log rw,
  /usr/sap/SID/JC00/j2ee/cluster/server/log/** rw,
  /usr/sap/SID/JC00/j2ee/cluster/server/sapjms/* rw,
  /usr/sap/SID/JC00/j2ee/cluster/server/slderror.log rw,
  /usr/sap/SID/JC00/j2ee/cluster/server0/temp/* rw,
  /usr/sap/SID/JC00/j2ee/os_libs/adssap/*.lck rw,
  /usr/sap/SID/JC00/j2ee/support_platform/plugins/* rw,
  /usr/sap/SID/JC00/work r,
  /usr/sap/SID/JC00/work/* r,
  /usr/sap/SID/JC00/work/dev_jcontrol* rw,
  /usr/sap/SID/JC00/work/dev_server* rw,
  /usr/sap/SID/JC00/work/jvm_server0* rw,
  /usr/sap/SID/JC00/work/std_bootstrap* rw,
  /usr/sap/SID/JC00/work/std_dispatcher* rw,
  /usr/sap/SID/JC00/work/std_sdm* rw,
  /usr/sap/SID/JC00/work/std_server0* rw,
  /usr/sap/SID/JC00/work/stderr* w,
  /usr/sap/ccms/SID_00/dsr/dsrports.txt rw,
  /usr/sap/ccms/SID_00/j2ee/* rw,
  /usr/sap/tmp/logmon/* w,
  /usr/share/zoneinfo r,
}
```

/etc/apparmor.d/usr.sap.SID.JC00.exe.igswd_mt:

```
# vim:syntax=apparmor
# Last Modified: Thu Nov 22 11:03:03 2007
#include <tunables/global>

/usr/sap/SID/JC00/exe/igswd_mt {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  /sapmnt/SID/profile/* r,
  /usr/sap/SID/JC00/exe/*.so mr,
  /usr/sap/SID/JC00/exe/igsmux_mt px,
  /usr/sap/SID/JC00/exe/igspw_mt ixr,
  /usr/sap/SID/JC00/exe/igswd_mt mr,
  /usr/sap/SID/JC00/igs r,
  /usr/sap/SID/JC00/igs/* r,
  /usr/sap/SID/JC00/igs/log/* w,
  /usr/sap/SID/JC00/work/stderr* w,
  /usr/sap/SID/JC00/work/stdout* w,
}
```

/etc/apparmor.d/usr.sap.SID.JC00.exe.igspw_mt:

```
# vim:syntax=apparmor
# Last Modified: Wed Nov 21 17:39:02 2007
#include <tunables/global>

/usr/sap/SID/JC00/exe/igspw_mt {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  /sapmnt/SID/profile/* r,
  /usr/sap/SID/JC00/exe/bwgis.so mr,
  /usr/sap/SID/JC00/exe/gfwchart.so mr,
  /usr/sap/SID/JC00/exe/igspw_mt mr,
  /usr/sap/SID/JC00/exe/imgconv.so mr,
  /usr/sap/SID/JC00/exe/xmlchart.so mr,
  /usr/sap/SID/JC00/exe/zipper.so mr,
  /usr/sap/SID/JC00/igs r,
  /usr/sap/SID/JC00/igs/** r,
  /usr/sap/SID/JC00/igs/log/* rw,
}
```

/etc/apparmor.d/usr.sap.SID.JC00.exe.igsmux_mt:

```
# vim:syntax=apparmor
# Last Modified: Wed Nov 21 17:39:02 2007
#include <tunables/global>

/usr/sap/SID/JC00/exe/igsmux_mt {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  /bin/bash ixr,
  /bin/ps ixr,
  /proc r,
  /proc/*/stat r,
  /proc/*/status r,
  /proc/sys/kernel/pid_max r,
  /proc/uptime r,
  /sapmnt/SID/profile/* r,
  /usr/sap/SID/JC00/exe/igsmux_mt mr,
  /usr/sap/SID/JC00/igs r,
  /usr/sap/SID/JC00/igs/log/mux_ls3266v0.* w,
  /usr/sap/SID/JC00/work/CPICTRC* w,
  /usr/sap/SID/JC00/work/std* w,
}
```
