Novell Takes AppArmor Security Middleware Open Source
Published: January 17, 2006
by Timothy Prickett Morgan
Rather than support the Security Enhanced Linux (SE-Linux) kernel changes for Linux 2.6 that Red Hat and others have adopted to beef up the security of Linux and its applications, commercial Linux distributor Novell acquired a company called Immunix, which had created a kind of application security middleware that it named AppArmor. Last week, Novell took the AppArmor product open source and added it as a new project to its openSUSE community development effort for its SUSE Linux operating system.
Instead of changing the kernel and adding complexity to Linux, which is what SE-Linux does, Novell has added AppArmor, which is in essence a sentry, to its version of Linux. System administrators probe for open ports using tools built into AppArmor, and define what can access these ports as well as what interactions can exist between different applications running on an instance of Linux. This is a fine enough approach for security, but it has its own complexities. For each port and each Linux-to-application and application-to-application interaction, AppArmor needs to have a profile to tell it how to behave. According to Crispin Cowan, the new SUSE Linux Enterprise Server 9 Service Pack 3 (which is covered elsewhere in this newsletter) includes AppArmor profiles for hundreds of applications, but that is a far cry from covering the thousands of applications included in a normal Linux distribution.
This is one of the reasons why Novell, which just bought AppArmor and which certainly doesn't want to have it become a competitive advantage for other Linux distributors, has decided to take the AppArmor code open source under the GNU General Public License. For AppArmor to be useful, Novell needs the Linux community to create and distribute templates, which will happen a lot quicker if AppArmor is an open source project and community members feel like they are helping the community rather than just making it easier for Novell to make money.
Cowan says that SUSE Linux Enterprise Server 10, which is expected in late May 2005 or so and is based on the openSUSE project's current desktop code (formerly SUSE Linux Professional 10), will have AppArmor built in by default. AppArmor code as well as the security profiles for applications will be managed by Novell's AutoBuild system, which is a versioning system made by SUSE to create its Linux. Cowan says that for now, Novell really wants community help on security profiles and will solicit help on the code for AppArmor itself later. While the AppArmor product will be bundled into SLES 9 SP3 and SLES 10, premium support for the product costs $298 per server per year.