
Модуль AppArmor

Включение/Выключение

  • В Debian/Ubuntu включен по умолчанию
# ###apt install apparmor

# aa-status

Включение

# mkdir /etc/default/grub.d

# cat /etc/default/grub.d/apparmor.cfg
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"

Изменённые параметры ядра вступают в силу только после update-grub и перезагрузки (команды приведены ниже, в разделе «Выключение»).

Выключение

# cat /etc/default/grub
...
GRUB_CMDLINE_LINUX="... apparmor=0"
...
# update-grub

# init 6

Определение наличия и правка профилей для служб

# ps axZ #| grep [c]lam

# find /etc/apparmor.d/

# cat /etc/apparmor.d/usr.sbin.clamd
...
  /disk2/ rw,
  /disk2/** krw,
  
  /var/CommuniGate/ rw,
  /var/CommuniGate/** krw,
...
# cat /etc/apparmor.d/local/usr.sbin.dhcpd
/**/dhcpd.conf r,

или

# rm /etc/apparmor.d/usr.sbin.dhcpd
# init 6

# apt install apparmor-utils

# aa-unconfined

# apt install apparmor-profiles

# less /usr/share/apparmor/extra-profiles/README

# find /etc/apparmor.d/

Создание профиля "вручную"

# ldd /bin/bash

# ldd /bin/cat

# ldd /usr/bin/file

# man file

# cat /etc/apparmor.d/usr.local.sbin.webd
# Hand-written AppArmor profile for /usr/local/sbin/webd.
# No abstractions or tunables are pulled in, so every path the daemon (and the
# programs it executes) touches has to be listed explicitly below.
/usr/local/sbin/webd {

  # AF_INET (IPv4) stream sockets only; IPv6 and datagram sockets are not granted.
  network inet stream,

  # Read access to the daemon's own binary.
  /usr/local/sbin/webd r,
  # bash is left commented out: with 'ix' anything the daemon started through a
  # shell would run with this profile's permissions — presumably excluded on purpose.
#  /usr/bin/bash ix,
  # cat(1) and file(1) run with 'ix' (inherit): they stay confined by this
  # profile, so their libraries and data files must also be listed here.
  /usr/bin/cat ix,
  /usr/bin/file ix,
  # Magic databases read by file(1); which of the two .mgc paths exists depends on the distribution.
  /etc/magic r,
  /usr/share/file/magic.mgc r,
  /usr/lib/file/magic.mgc r,

  # Document root, read-only; '**' also matches subdirectories.
  /var/www/** r,

  # Shared libraries reported by ldd(1) for bash, cat and file; 'm' allows
  # mapping them executable (mmap PROT_EXEC), 'r' allows reading.
  # NOTE(review): each trailing glob is wider than the single library it stands
  # for (e.g. 'libc*' also matches libcrypt*, libcap*, libcom_err*) — confirm
  # the extra matches are acceptable or spell out the exact sonames.
  /usr/lib/x86_64-linux-gnu/libtinfo* mr,
  /usr/lib/x86_64-linux-gnu/libdl* mr,
  /usr/lib/x86_64-linux-gnu/libc* mr,
  /usr/lib/x86_64-linux-gnu/libz* mr,
  /usr/lib/x86_64-linux-gnu/libmagic* mr,

}

Включение/выключение профиля

aa-complain — нарушения профиля только записываются в журнал, aa-enforce — блокируются, aa-disable — профиль выгружается.

# aa-complain /usr/local/sbin/webd

# aa-status

# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd

Если auditd не установлен, сообщения AppArmor попадают в журнал ядра (dmesg, /var/log/kern.log или journalctl -k).

# aa-enforce /usr/local/sbin/webd

# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd

# aa-disable /usr/local/sbin/webd

Создание и включение профиля утилитой aa-genprof

Профиль строится по наблюдаемым обращениям службы, поэтому в него попадают только те пути, к которым она обращалась во время обучения (например, ниже получилось /var/www/* r, — без подкаталогов, в отличие от /var/www/** r, в ручном профиле).

# aa-genprof /usr/local/sbin/webd
...
#https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928160
debian10# touch /etc/apparmor.d/local/...dovecot...
...

# cat /etc/apparmor.d/usr.local.sbin.webd
...
  /var/www/* r,
}
# service apparmor restart