Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Trace:
модуль_apparmor

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
модуль_apparmor [2017/11/29 10:03]
val [Определение наличия профилей для служб] 		модуль_apparmor [2024/05/04 11:21] (current)
val [Определение наличия и правка профилей для служб]
Line 7: Line 7:
 ===== Установка ===== ===== Установка =====
  
-==== Debian ​====+==== Включение/​Выключение ​====
  
-  * [[https://​wiki.debian.org/​AppArmor/​HowToUse|AppArmor HowToUse]]+  ​* В Debian/​Ubuntu включен по умолчанию 
 +  ​* [[https://​wiki.debian.org/​AppArmor/​HowToUse|debian ​AppArmor HowToUse]] 
 +  * [[https://​help.ubuntu.com/​community/​AppArmor|ubuntu AppArmor]]
  
 +=== Debian 11 (enable) ===
 <​code>​ <​code>​
 # mkdir /​etc/​default/​grub.d # mkdir /​etc/​default/​grub.d
Line 17: Line 20:
 </​code><​code>​ </​code><​code>​
 GRUB_CMDLINE_LINUX_DEFAULT="​$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"​ GRUB_CMDLINE_LINUX_DEFAULT="​$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"​
 +</​code>​
 +
 +=== Ubuntu 20/22 (disable) ===
 +<​code>​
 +# cat /​etc/​default/​grub
 +</​code><​code>​
 +...
 +GRUB_CMDLINE_LINUX="​... apparmor=0"​
 +...
 </​code><​code>​ </​code><​code>​
 # update-grub # update-grub
Line 29: Line 41:
 </​code>​ </​code>​
  
-===== Определение наличия профилей для служб =====+===== Определение наличия ​и правка ​профилей для служб ===== 
 + 
 +  * [[Сервис Clamav]] 
 <​code>​ <​code>​
-# ps axZ+# ps axZ #| grep [c]lam 
 + 
 +# find /​etc/​apparmor.d/​ 
 + 
 +# cat /​etc/​apparmor.d/​usr.sbin.clamd 
 +</​code><​code>​ 
 +... 
 +  /disk2/ rw, 
 +  /disk2/** krw, 
 +   
 +  /​var/​CommuniGate/​ rw, 
 +  /​var/​CommuniGate/​** krw, 
 +... 
 +</​code><​code>​ 
 +# cat /​etc/​apparmor.d/​local/​usr.sbin.dhcpd 
 +</​code><​code>​ 
 +  /**/dhcp/ r, 
 +  /**/dhcp/** r, 
 +</​code>​ 
 +или 
 +<​code>​ 
 +# rm /​etc/​apparmor.d/​usr.sbin.dhcpd 
 +</​code><​code>​ 
 +# init 6
  
 # apt install apparmor-utils # apt install apparmor-utils
  
 # aa-unconfined # aa-unconfined
-</​code>​ 
  
-===== Временное отключение службы ===== +# apt install apparmor-profiles 
-<​code>​ + 
-service ​apparmor ​teardown+# less /​usr/​share/​apparmor/​extra-profiles/​README 
 + 
 +find /etc/apparmor.d/
 </​code>​ </​code>​
 +
 +
 +
  
 ===== Создание профиля "​вручную"​ ===== ===== Создание профиля "​вручную"​ =====
Line 61: Line 103:
  
   /​usr/​local/​sbin/​webd r,   /​usr/​local/​sbin/​webd r,
-#  /bin/bash ix, +#  ​/usr/bin/bash ix, 
-  /bin/cat ix,+  ​/usr/bin/cat ix,
   /​usr/​bin/​file ix,   /​usr/​bin/​file ix,
   /etc/magic r,   /etc/magic r,
   /​usr/​share/​file/​magic.mgc r,   /​usr/​share/​file/​magic.mgc r,
 +  /​usr/​lib/​file/​magic.mgc r,
  
   /var/www/** r,   /var/www/** r,
  
-###For i386 Debian/Ubuntu +  ​/usr/lib/x86_64-linux-gnu/​libtinfo* mr, 
-#  ​/lib/i386-linux-gnu/​libz* mr, +  /​usr/​lib/​x86_64-linux-gnu/​libdl* mr, 
-#  /lib/i386-linux-gnu/​libtinfo* mr, +  /usr/​lib/​x86_64-linux-gnu/​libc* mr, 
-#  /​lib/​i386-linux-gnu/​libdl* mr, +  ​/usr/​lib/​x86_64-linux-gnu/​libz* mr, 
-#  /​lib/​i386-linux-gnu/​libc* mr, +  /​usr/​lib/​x86_64-linux-gnu/​libmagic* mr,
- /usr/​lib/​libmagic* mr, +
-   +
-###For x86_64 Debian/​Ubintu  +
-#  ​/​lib/​x86_64-linux-gnu/​libtinfo* mr, +
- /lib/​x86_64-linux-gnu/​libdl* mr, +
-#  ​/​lib/​x86_64-linux-gnu/​libc* mr, +
- /​lib/​x86_64-linux-gnu/​libz* mr, +
- /​usr/​lib/​x86_64-linux-gnu/​libmagic* mr,+
  
 } }
Line 91: Line 126:
 # aa-complain /​usr/​local/​sbin/​webd # aa-complain /​usr/​local/​sbin/​webd
  
-# aa-enforce /​usr/​local/​sbin/​webd+# aa-status
  
-# tail -f /var/log/syslog ​| grep usr.local.sbin.webd+# tail -f /var/log/audit/​audit.log ​| grep usr.local.sbin.webd 
 + 
 +# aa-enforce /​usr/​local/​sbin/​webd
  
 # tail -f /​var/​log/​audit/​audit.log | grep usr.local.sbin.webd # tail -f /​var/​log/​audit/​audit.log | grep usr.local.sbin.webd
  
 # aa-disable /​usr/​local/​sbin/​webd # aa-disable /​usr/​local/​sbin/​webd
- 
-# find /​etc/​apparmor.d/​ -ls | grep webd 
 </​code>​ </​code>​
  
 ===== Создание и включение профиля утилитой aa-genprof ===== ===== Создание и включение профиля утилитой aa-genprof =====
  
-[[http://www.novell.com/documentation/apparmor/​apparmor201_sp10_admin/​data/​bx5bml8.html#​bx5bmlf]]+  * [[http://wiki.apparmor.net/index.php/Profiling_with_tools|Profiling with tools]]
  
 <​code>​ <​code>​
 # aa-genprof /​usr/​local/​sbin/​webd # aa-genprof /​usr/​local/​sbin/​webd
 +...
 +#​https://​bugs.debian.org/​cgi-bin/​bugreport.cgi?​bug=928160
 +debian10# touch /​etc/​apparmor.d/​local/​...dovecot...
 ... ...
  
 # cat /​etc/​apparmor.d/​usr.local.sbin.webd # cat /​etc/​apparmor.d/​usr.local.sbin.webd
-</​code><​code>​ +...
-# Last Modified: Fri Mar 30 06:29:37 2012 +
-#include <​tunables/​global>​ +
- +
-/​usr/​local/​sbin/​webd { +
-  #include <​abstractions/​base>​ +
-  #include <​abstractions/​bash>​ +
-  #include <​abstractions/​apache2-common>​ +
- +
-  /​usr/​local/​sbin/​webd r, +
-  /bin/bash ix, +
-  /bin/cat rix, +
-  /etc/magic r, +
-  /​usr/​bin/​file rix, +
-  /​usr/​share/​file/​magic.mgc r,+
   /var/www/* r,   /var/www/* r,
 } }
модуль_apparmor.1511938995.txt.gz · Last modified: 2017/11/29 10:03 by val

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki