AppArmor secures Web servers and e-mail and instant-messaging systems against network-based attacks from hackers, Trojans and viruses. AppArmor, which Novell acquired when it bought Portland, Ore.-based security vendor Immunix last May, is now shipping with SUSE Linux 10.0, Novell's community Linux distribution and Novell's SUSE Linux Enterprise Server 9 Service Pack 3.
Novell plans to release a public beta version of SUSE Linux Enterprise Server 10 next month.
SUSE, a distant second in the enterprise Linux market behind the offerings of Raleigh, N.C.-based Red Hat, actually turns off security features installed in the current Linux kernel via the open-source Security Enhanced Linux, or SELinux. Created by the National Security Agency, SELinux has a mandatory access control system that lets developers and administrators fine-tune access rights. SELinux has been integrated into the core Linux kernel since 2004, with Version 2.6.
Charles Ungashick, Novell's director of product marketing, said AppArmor can scale to multiple machines and is easier to administer than SELinux. 'With SELinux, you have to write a lot of low-level code at the lowest level of the OS,' he said. 'It is difficult for mere mortals to implement.'
Not so, says Frank Mayer, chief technology officer at Tresys Technology LLC, a Columbia, Md.-based consulting firm that has contributed heavily to the SELinux code. He said that the current version of Red Hat's Linux includes SELinux-based security tools with easy-to-use graphical user interfaces.
'The glory of SELinux is that it can scale to any level, up or down,' Mayer said.
Developers for AppArmor, which will be available via a GNU General Public License, will be able to download code and exchange enhancements at Opensuse.org and Novell Forge. Ungashick said he hopes that developers will take AppArmor and create versions that work on non-SUSE flavors of Linux. He also predicted that developers could contribute templates and profiles that could be used by security managers to easily customize security settings -- an approach hailed by Gordon Haff, an analyst at Nashua, N.H.-based Illuminata Inc.
'Generally, you need a critical mass of developers to get all the benefits of open-source,' said Haff. 'But profiles are chunkable. They are actually the kind of a thing that an individual can more easily get involved in. With monolithic projects like OpenOffice, it can be hard for some individuals to find a worthwhile part to work on.'
Making AppArmor's code freely available doesn't necessarily make it easier for hackers to find holes in Linux, said Haff, who had not been briefed by Novell on its plans. 'Attacks aren't done by analyzing source code, they are usually based on script-driven penetration.'