модуль_apparmor

модуль_apparmor [2020/07/15 15:32]
val [Определение наличия профилей для служб]
модуль_apparmor [2023/09/08 13:16] (current)
val [Определение наличия и правка профилей для служб]
Line 7: Line 7:
 ===== Установка ===== ===== Установка =====
  
-==== Debian 9 ====+==== Включение/​Выключение ​====
  
-  * [[https://​wiki.debian.org/​AppArmor/​HowToUse|AppArmor HowToUse]]+  ​* В Debian 10 включен по умолчанию 
 +  ​* [[https://​wiki.debian.org/​AppArmor/​HowToUse|debian ​AppArmor HowToUse]] 
 +  * [[https://​help.ubuntu.com/​community/​AppArmor|ubuntu AppArmor]]
  
 +=== Debian 11 (enable) ===
 <​code>​ <​code>​
 # mkdir /​etc/​default/​grub.d # mkdir /​etc/​default/​grub.d
Line 17: Line 20:
 </​code><​code>​ </​code><​code>​
 GRUB_CMDLINE_LINUX_DEFAULT="​$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"​ GRUB_CMDLINE_LINUX_DEFAULT="​$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"​
 +</​code>​
 +
 +=== Ubuntu 20/22 (disable) ===
 +<​code>​
 +# cat /​etc/​default/​grub
 +</​code><​code>​
 +...
 +GRUB_CMDLINE_LINUX="​... apparmor=0"​
 +...
 </​code><​code>​ </​code><​code>​
 # update-grub # update-grub
Line 29: Line 41:
 </​code>​ </​code>​
  
-===== Определение наличия профилей для служб =====+===== Определение наличия ​и правка ​профилей для служб =====
 <​code>​ <​code>​
-debian# apt install ​bind9+# ps axZ      ​# apt install ​clamav-daemon
  
-ps axZ+find /​etc/​apparmor.d/​ 
 + 
 +# cat /​etc/​apparmor.d/​usr.sbin.clamd 
 +</​code><​code>​ 
 +... 
 +  /disk2/ rw, 
 +  /disk2/** krw, 
 +   
 +  /​var/​CommuniGate/​ rw, 
 +  /​var/​CommuniGate/​** krw, 
 +... 
 +</​code><​code>​ 
 +# cat /​etc/​apparmor.d/​local/​usr.sbin.dhcpd 
 +</​code><​code>​ 
 +  /**/dhcp/ r, 
 +  /**/dhcp/** r, 
 +</​code>​ 
 +или 
 +<​code>​ 
 +# rm /​etc/​apparmor.d/​usr.sbin.dhcpd 
 +</​code><​code>​ 
 +# init 6
  
 # apt install apparmor-utils # apt install apparmor-utils
Line 40: Line 73:
  
 # apt install apparmor-profiles # apt install apparmor-profiles
 +
 +# less /​usr/​share/​apparmor/​extra-profiles/​README
  
 # find /​etc/​apparmor.d/​ # find /​etc/​apparmor.d/​
 </​code>​ </​code>​
  
-===== Временное отключение и включение обратно ===== 
-<​code>​ 
-# service apparmor teardown 
  
-# service apparmor restart +
-</​code>​+
  
 ===== Создание профиля "​вручную"​ ===== ===== Создание профиля "​вручную"​ =====
Line 69: Line 100:
  
   /​usr/​local/​sbin/​webd r,   /​usr/​local/​sbin/​webd r,
-#  /bin/bash ix, +#  ​/usr/bin/bash ix, 
-  /bin/cat ix,+  ​/usr/bin/cat ix,
   /​usr/​bin/​file ix,   /​usr/​bin/​file ix,
   /etc/magic r,   /etc/magic r,
Line 78: Line 109:
   /var/www/** r,   /var/www/** r,
  
-###For i386 Debian/Ubuntu +  ​/usr/lib/x86_64-linux-gnu/​libtinfo* mr, 
-#  ​/lib/i386-linux-gnu/​libz* mr, +  /​usr/​lib/​x86_64-linux-gnu/​libdl* mr, 
-#  /lib/i386-linux-gnu/​libtinfo* mr, +  /usr/​lib/​x86_64-linux-gnu/​libc* mr, 
-#  /​lib/​i386-linux-gnu/​libdl* mr, +  ​/usr/​lib/​x86_64-linux-gnu/​libz* mr, 
-#  /​lib/​i386-linux-gnu/​libc* mr, +  /​usr/​lib/​x86_64-linux-gnu/​libmagic* mr,
- /usr/​lib/​libmagic* mr, +
-   +
-###For x86_64 Debian/​Ubintu  +
-#  ​/​lib/​x86_64-linux-gnu/​libtinfo* mr, +
- /lib/​x86_64-linux-gnu/​libdl* mr, +
-#  ​/​lib/​x86_64-linux-gnu/​libc* mr, +
- /​lib/​x86_64-linux-gnu/​libz* mr, +
- /​usr/​lib/​x86_64-linux-gnu/​libmagic* mr,+
  
 } }
Line 100: Line 123:
 # aa-complain /​usr/​local/​sbin/​webd # aa-complain /​usr/​local/​sbin/​webd
  
-find /etc/apparmor.d/ | grep webd+aa-status 
 + 
 +# tail -f /var/log/audit/​audit.log ​| grep usr.local.sbin.webd
  
 # aa-enforce /​usr/​local/​sbin/​webd # aa-enforce /​usr/​local/​sbin/​webd
- 
-# tail -f /​var/​log/​syslog | grep usr.local.sbin.webd 
  
 # tail -f /​var/​log/​audit/​audit.log | grep usr.local.sbin.webd # tail -f /​var/​log/​audit/​audit.log | grep usr.local.sbin.webd
Line 117: Line 140:
 <​code>​ <​code>​
 # aa-genprof /​usr/​local/​sbin/​webd # aa-genprof /​usr/​local/​sbin/​webd
 +...
 +#​https://​bugs.debian.org/​cgi-bin/​bugreport.cgi?​bug=928160
 +debian10# touch /​etc/​apparmor.d/​local/​...dovecot...
 ... ...
  
 # cat /​etc/​apparmor.d/​usr.local.sbin.webd # cat /​etc/​apparmor.d/​usr.local.sbin.webd
-</​code><​code>​ +...
-# Last Modified: Fri Mar 30 06:29:37 2012 +
-#include <​tunables/​global>​ +
- +
-/​usr/​local/​sbin/​webd { +
-  #include <​abstractions/​base>​ +
-  #include <​abstractions/​bash>​ +
-  #include <​abstractions/​apache2-common>​ +
- +
-  /​usr/​local/​sbin/​webd r, +
-  /bin/bash ix, +
-  /bin/cat rix, +
-  /etc/magic r, +
-  /​usr/​bin/​file rix, +
-  /​usr/​share/​file/​magic.mgc r,+
   /var/www/* r,   /var/www/* r,
 } }
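Review bot: The clamd profile is edited in place under `# cat /etc/apparmor.d/usr.sbin.clamd`, while the dhcpd example a few lines later puts its rules in `/etc/apparmor.d/local/usr.sbin.dhcpd`; the page should use the `local/` override file for both, since that is where site-specific additions belong and the packaged profile is the file a package upgrade will touch. The alternative `# rm /etc/apparmor.d/usr.sbin.dhcpd` followed by `# init 6` leaves dhcpd unconfined with no record that a profile was dropped, and nothing explains that the reboot is only needed because deleting the file does not unload the profile already loaded in the kernel; `aa-disable /usr/sbin/dhcpd` from apparmor-utils (installed a few lines further down) unloads it and keeps the profile on disk, so I would show that first and mention `apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd` for applying an edited profile without a reboot. I would also add a short comment after the clamd rules noting that `/disk2/** krw,` and `/var/CommuniGate/** krw,` give the scanner write and lock access over whole trees and should be narrowed to the paths it actually needs to modify.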