S 4.370 Use of Anoubis under Unix
Initiation responsibility: Administrator, IT Security Officer
Implementation responsibility: User
Attacks on IT systems are often based on the misuse of access rights. The more generously such rights are granted, the easier successful attacks become. In the worst case, for example, an error in the browser or a careless setting in its configuration can give an attacker full access to all of a user's data.
As a browser is usually executed with the rights of the user, its access to the data and directories to which that user has write privileges is not restricted. The basic problem is as follows: in Unix, access rights are generally assigned per user account, and a process executed with the user's rights has all of that user's rights. As a consequence, an executed application has significantly more rights than it requires for its actual purpose, and the user has virtually no control over the access rights of the applications he/she executes. An error in an application is therefore a direct threat to the confidentiality, integrity, and availability of the user's data.
Anoubis is free software for controlling applications and enforcing data integrity requirements on Unix systems. For this purpose, checksums of applications and files are calculated and digitally signed. The stored checksums should be administered and checked using the graphical user interface of Anoubis.
Use of Anoubis
As Anoubis is an individually configurable solution with numerous components, such as an application level firewall, a sandbox, a playground and a secure file system, the administrators in charge should familiarise themselves with the possibilities provided by the solution. Once installed, Anoubis initially protects each Unix computer with a default configuration. This should be adapted to the various user groups or application scenarios as needed using Anoubis policies. In Anoubis, policies are specified centrally by the system administrator and cannot be cancelled or bypassed by the users, but only further restricted. More detailed information on policies can be found in the installation and configuration manual of Anoubis. To react better to different but typical application environments, predefined profiles can be created from suitable policies. Predefined profiles make it easier for users to select the suitable profile for the relevant application environment without having to deal with policies themselves. For this reason, the administrators should create suitable profiles and train the users in their correct application.
Profiles can be used for laptops, for example, which are used at different locations in different networks. Depending on the environment and the requirements, specifically adapted policies are possible for the following environments:
- Office
  For working in the office, the profile on the laptop does not have to be particularly strict if the local network is protected by security gateways and if the user should be able to use internal services without major restrictions. In this case, access to all internal and to selected external services is often allowed. If selected network services must be provided on the client, for example in order to configure the laptop, the profile must be configured such that other IT systems may access the laptop only in this secure environment.
- At home
  There is often no external security gateway that could protect the laptop. Consequently, a profile could prohibit access from the outside and allow only certain applications to connect to the internet. For example, a profile could specify that only the browser may open HTTP connections, only the VPN client may establish connections to the internal network, and only the virus scanner may download updates.
- External network
  If the user wants to work in public environments, such as at an airport via WLAN, the profile used must be very restrictive. Only the browser should be allowed to establish connections to the internet via HTTP, the e-mail client should only be allowed to connect to the mail provider via encrypted channels (POP3S and IMAPS), and the VPN tunnel should only be allowed to be established to the company's VPN endpoint. All other connections should be blocked.
All the user has to do is select the suitable security profile in the user interface; the previously defined rules for that environment are then enforced. Basic user training is recommended to ensure that the correct profile is selected.
Controlling the applications
If access to the network or the file system is to be restricted for certain applications, corresponding rules can be generated in Anoubis for these applications. If, for example, the PDF reader should not be able to install updates automatically, or should not be able to write files outside a defined directory, corresponding rules for the application level firewall and the sandbox can be configured which enforce these restrictions.
To ensure that no forged applications or applications containing malware are executed, such files should be provided with a digitally signed checksum. Furthermore, SFS (Secure File System) rules must be set up in Anoubis which prohibit read access to and execution of modified files as well as the execution of unsigned files. As a result, a modified application can no longer be executed and forged configuration files can no longer be read. Depending on the configuration of Anoubis, users can be warned in case of violations.
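The following shell script is an added illustration of the signed-checksum principle described above; it is not part of Anoubis and does not use its policy language or its SFS implementation. It records SHA-256 checksums of the protected files in a manifest, signs the manifest with an administrator key (generated here only for the demonstration, using the openssl command line tool), and refuses to execute a program whose checksum is missing from or differs from the signed manifest, or whose manifest signature no longer verifies. The helper names (make_manifest, check_file, sfs_exec), the sample program and the exit status 126 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Anoubis code: a signed checksum manifest plus an exec
# wrapper that enforces it. Assumes the openssl command line tool and
# sha256sum (or shasum) are installed. Key pair, file names and the sample
# program are constructed for this demonstration only.

# hash_file FILE: print the SHA-256 checksum of FILE.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# gen_keys DIR: create the administrator's signing key pair in DIR (demo only;
# in practice the private key stays with the administrator, not on the client).
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/admin.key" 2>/dev/null
    openssl pkey -in "$1/admin.key" -pubout -out "$1/admin.pub" 2>/dev/null
}

# make_manifest MANIFEST FILE...: record "checksum  path" for every file.
# (Paths containing spaces are not supported by this simple format.)
make_manifest() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# sign_manifest KEY MANIFEST: write a detached signature MANIFEST.sig.
sign_manifest() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# verify_manifest PUB MANIFEST: succeed only if MANIFEST.sig is valid, i.e.
# nobody altered the list of checksums after the administrator signed it.
verify_manifest() {
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# check_file PUB MANIFEST FILE: succeed only if the manifest signature is valid,
# FILE is listed in it and FILE's current checksum matches the recorded one.
check_file() {
    pub=$1; manifest=$2; file=$3
    verify_manifest "$pub" "$manifest" ||
        { echo "manifest signature invalid" >&2; return 1; }
    expected=$(awk -v f="$file" '$2 == f { print $1 }' "$manifest")
    [ -n "$expected" ] ||
        { echo "$file: not in signed manifest" >&2; return 1; }
    [ "$expected" = "$(hash_file "$file")" ] ||
        { echo "$file: checksum mismatch" >&2; return 1; }
}

# sfs_exec PUB MANIFEST PROG [ARG...]: run PROG only if check_file accepts it;
# exit status 126 signals that execution was refused.
sfs_exec() {
    pub=$1; manifest=$2; shift 2
    check_file "$pub" "$manifest" "$1" || return 126
    "$@"
}

# demo: sign a constructed sample program, run it, tamper with it, run again.
demo() {
    d=$(mktemp -d)
    gen_keys "$d"
    printf '#!/bin/sh\necho "hello from the signed program"\n' > "$d/app.sh"
    chmod +x "$d/app.sh"
    make_manifest "$d/manifest" "$d/app.sh"
    sign_manifest "$d/admin.key" "$d/manifest"
    sfs_exec "$d/admin.pub" "$d/manifest" "$d/app.sh"
    echo 'echo "injected command"' >> "$d/app.sh"        # simulate tampering
    sfs_exec "$d/admin.pub" "$d/manifest" "$d/app.sh" || echo "execution refused (status $?)"
    rm -rf "$d"
}

demo
```

Note that re-hashing a modified file into the manifest does not help an attacker: without the administrator's private key the manifest signature no longer verifies, so check_file refuses the file before it even compares checksums. This is the property that makes the checksum "signed" rather than merely stored.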
Definition and traceability of sets of rules
Anoubis can be configured using a graphical user interface. With a rule editor, sets of rules can be created and changed. In addition, sets of rules can be created for individual applications using a rule wizard. This allows even inexperienced users to create sets of rules.
A process browser displays sets of rules created or the default configuration for the relevant selected application.
Secure areas for protecting the file system
To prevent processes from writing permanently to the file system, applications should be executed in secure areas ("playgrounds") intended for this purpose. If, for example, a browser is used in a playground, it leaves no traces in the file system once the playground has been deleted.
If individual files are to be transferred from a secure area to the file system, the user must perform this transfer deliberately in the user interface. A data transfer to the productive system should be protected by means of a virus scanner; for this purpose, suitable virus scanners have to be installed and configured. In addition, the user can decide at the end of a session whether data within the secure area should be retained or deleted.
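As an added illustration of the deliberate transfer and scanner gate described above (again not Anoubis code, and far simpler than its file-system-level playground), the following shell functions confine an application's writes by pointing HOME and TMPDIR at a scratch directory, and copy a file out only after a scanner command has accepted it. The variable PLAYGROUND_SCANNER, the function names, the exit statuses and the marker string used by the stand-in scanner are assumptions made for this example; in practice the variable would name a real scanner such as clamscan.

```shell
#!/bin/sh
# Added example, not Anoubis code. A playground is approximated by a scratch
# directory that the application sees as HOME and TMPDIR; Anoubis enforces
# this at the file-system level instead. Transfer out of the playground is a
# deliberate step that runs the configured scanner first and fails closed.
# PLAYGROUND_SCANNER (assumed hook): a command that exits 0 for a clean file,
# e.g. "clamscan --no-summary". The demo uses a stand-in scanner with a
# constructed marker string instead of a real malware sample.

# pg_new: create a fresh, empty playground and print its path.
pg_new() {
    mktemp -d "${TMPDIR:-/tmp}/playground.XXXXXX"
}

# pg_run PG CMD [ARG...]: run CMD with its home and temp directory inside PG,
# so files it writes there do not reach the user's real home directory.
pg_run() {
    pg=$1; shift
    HOME=$pg TMPDIR=$pg "$@"
}

# pg_commit PG NAME DEST: copy PG/NAME to DEST only if the scanner accepts it.
# Exit status: 1 no such file, 2 no scanner configured, 3 rejected by scanner.
pg_commit() {
    pg=$1; name=$2; dest=$3
    src="$pg/$name"
    [ -f "$src" ] || { echo "$name: not in playground" >&2; return 1; }
    [ -n "${PLAYGROUND_SCANNER:-}" ] ||
        { echo "no scanner configured, refusing transfer" >&2; return 2; }
    $PLAYGROUND_SCANNER "$src" >/dev/null 2>&1 ||
        { echo "$name: rejected by scanner" >&2; return 3; }
    cp "$src" "$dest" && echo "$name transferred to $dest"
}

# pg_discard PG: end the session and drop everything written in the playground.
pg_discard() {
    rm -rf "$1"
}

# demo_scanner FILE: stand-in for a real scanner. "Infected" means the file
# contains the constructed marker MALWARE-MARKER; a read error fails closed.
demo_scanner() {
    grep -q 'MALWARE-MARKER' "$1" && return 1
    [ $? -eq 1 ]
}

# demo: write two files inside a playground, commit the clean one, have the
# marked one refused, then discard the playground.
demo() {
    PLAYGROUND_SCANNER=demo_scanner
    pg=$(pg_new)
    out=$(mktemp -d)
    pg_run "$pg" sh -c 'echo "quarterly figures" > "$HOME/report.txt"
                        echo "MALWARE-MARKER" > "$HOME/download.bin"'
    pg_commit "$pg" report.txt "$out/report.txt"
    pg_commit "$pg" download.bin "$out/download.bin" || echo "transfer refused (status $?)"
    pg_discard "$pg"
    rm -rf "$out"
}

demo
```

The two points worth carrying over to a real deployment are that the transfer is an explicit action with a single code path, and that an unconfigured or failing scanner refuses the transfer rather than letting it through.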
Review questions:
- Has the administrator familiarised him-/herself with all possibilities of Anoubis?
- Have suitable Anoubis policies been created for different user groups or application scenarios?
- Have the users received basic training in the use of the Anoubis profiles?
- Are the relevant applications and files that are to be protected using Anoubis provided with a signed checksum?
- Have SFS rules been configured in Anoubis that prevent access to sensitive data that do not have a valid checksum?
- Have suitable virus scanners for using the playground been installed and configured in Anoubis?