Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Trace: модуль_apparmor
модуль_apparmor

Table of Contents

Модуль AppArmor

Установка

Включение/Выключение

Debian 11 (enable)

# mkdir /etc/default/grub.d

# cat /etc/default/grub.d/apparmor.cfg
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"

Ubuntu 20 (disable)

# cat /etc/default/grub
...
GRUB_CMDLINE_LINUX="... apparmor=0"
...
# update-grub

# init 6

Debian/Ubuntu

# apt install apparmor

# aa-status

Определение наличия и правка профилей для служб

# ps axZ      # apt install clamav-daemon

# find /etc/apparmor.d/

# cat /etc/apparmor.d/usr.sbin.clamd
...
  /disk2/ rw,
  /disk2/** krw,
  
  /var/CommuniGate/ rw,
  /var/CommuniGate/** krw,
...
# cat /etc/apparmor.d/local/usr.sbin.dhcpd
  /**/dhcp/ r,
  /**/dhcp/** r,
# init 6

# apt install apparmor-utils

# aa-unconfined

# apt install apparmor-profiles

# less /usr/share/apparmor/extra-profiles/README

# find /etc/apparmor.d/

Создание профиля "вручную"

# ldd /bin/bash

# ldd /bin/cat

# ldd /usr/bin/file

# man file

# cat /etc/apparmor.d/usr.local.sbin.webd
/usr/local/sbin/webd {

  network inet stream,

  /usr/local/sbin/webd r,
#  /usr/bin/bash ix,
  /usr/bin/cat ix,
  /usr/bin/file ix,
  /etc/magic r,
  /usr/share/file/magic.mgc r,
  /usr/lib/file/magic.mgc r,

  /var/www/** r,

  /usr/lib/x86_64-linux-gnu/libtinfo* mr,
  /usr/lib/x86_64-linux-gnu/libdl* mr,
  /usr/lib/x86_64-linux-gnu/libc* mr,
  /usr/lib/x86_64-linux-gnu/libz* mr,
  /usr/lib/x86_64-linux-gnu/libmagic* mr,

}

Включение/выключение профиля

# aa-complain /usr/local/sbin/webd

# aa-status

# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd

# aa-enforce /usr/local/sbin/webd

# tail -f /var/log/audit/audit.log | grep usr.local.sbin.webd

# aa-disable /usr/local/sbin/webd

Создание и включение профиля утилитой aa-genprof

# aa-genprof /usr/local/sbin/webd
...
#https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928160
debian10# touch /etc/apparmor.d/local/...dovecot...
...

# cat /etc/apparmor.d/usr.local.sbin.webd
...
  /var/www/* r,
}
# service apparmor restart
модуль_apparmor.txt · Last modified: 2022/07/13 12:23 by val

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki