

Модуль AppArmor

Установка

Включение/Выключение

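# Select AppArmor as the LSM on the kernel command line. Only needed where it is not already
# the default (Debian 10+ / Ubuntu kernels ship it enabled): check first with
#   aa-enabled   or   cat /sys/module/apparmor/parameters/enabled
# A drop-in under /etc/default/grub.d keeps the change out of /etc/default/grub; grub-mkconfig
# sources *.cfg files there after /etc/default/grub, so the existing value can be appended to.
# mkdir -p /etc/default/grub.d              # -p: the drop-in directory may already exist

# cat /etc/default/grub.d/apparmor.cfg      # the .cfg suffix is required, other names are ignored
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"
# update-grub                               # regenerate grub.cfg from the drop-in

# init 6                                    # reboot: the LSM is chosen at boot from the command line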

Debian/Ubuntu

# Userspace part: parser, init integration and the base profiles under /etc/apparmor.d.
# apt install apparmor

# Confirms the kernel module is loaded and lists loaded profiles and confined processes,
# split by enforce / complain mode.
# aa-status

Определение наличия и правка профилей для служб

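# Example of a confined service: clamav-daemon ships a profile (/etc/apparmor.d/usr.sbin.clamd).
# apt install clamav-daemon
# LABEL column shows "<profile> (enforce|complain)" for confined processes, "unconfined" otherwise.
# ps axZ

# One file per profile; local/ holds site overrides, disable/ holds profiles turned off with aa-disable.
# find /etc/apparmor.d/

# cat /etc/apparmor.d/usr.sbin.clamd
...
  /disk2/ rw,
  /disk2/** krw,
...
# The /disk2 rules above are a site-specific addition (k = file locking; "**" recurses into
# subdirectories, "*" does not). Put such rules in /etc/apparmor.d/local/usr.sbin.clamd — check that
# the packaged profile has an "#include <local/usr.sbin.clamd>" line — so a package upgrade does not
# overwrite them, then reload the profile: apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd

# The aa-* helper tools live in apparmor-utils.
# apt install apparmor-utils

# Lists processes with open network sockets and no profile — the first candidates for confinement.
# aa-unconfined

# Extra profiles, mostly shipped in complain mode; review each one before switching it to enforce.
# apt install apparmor-profiles

# find /etc/apparmor.d/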

Создание профиля "вручную"

# Shared libraries each helper needs: every one becomes an "mr" rule in the profile.
# Caution: ldd may execute the binary it inspects — on untrusted files use
# "objdump -p FILE | grep NEEDED" instead.
# ldd /bin/bash

# ldd /bin/cat

# ldd /usr/bin/file

# Consulted for the magic database locations (/etc/magic, magic.mgc) the profile has to allow.
# man file

# cat /etc/apparmor.d/usr.local.sbin.webd
# Hand-written, self-contained profile for /usr/local/sbin/webd: no tunables or abstractions are
# included, so every helper, library and data path is listed explicitly. Least privilege, but the
# library paths are x86_64-specific; "#include <abstractions/base>" is the portable alternative.
/usr/local/sbin/webd {

  # IPv4 TCP sockets only; an IPv6 listener would additionally need "network inet6 stream,".
  network inet stream,

  /usr/local/sbin/webd r,
  # bash deliberately not executable: no shell for the confined process.
  # NOTE(review): if webd itself is a bash script the interpreter may need this rule — the libtinfo
  # rule below is typically a bash dependency, which suggests it is; confirm against DENIED/ALLOWED
  # records while the profile is in complain mode.
#  /usr/bin/bash ix,
  # "ix": execute and inherit this profile, so the helpers stay confined by the same rules.
  /usr/bin/cat ix,
  /usr/bin/file ix,
  # Magic databases read by file(1), all candidate locations, read-only.
  /etc/magic r,
  /usr/share/file/magic.mgc r,
  /usr/lib/file/magic.mgc r,

  # Web root, read-only and recursive ("**" crosses directory levels, "*" does not).
  /var/www/** r,

  # "mr": read plus executable mmap — the minimum for loading shared libraries (from the ldd output).
  /usr/lib/x86_64-linux-gnu/libtinfo* mr,
  /usr/lib/x86_64-linux-gnu/libdl* mr,
  /usr/lib/x86_64-linux-gnu/libc* mr,
  /usr/lib/x86_64-linux-gnu/libz* mr,
  /usr/lib/x86_64-linux-gnu/libmagic* mr,

}

Включение/выключение профиля

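# Load the profile in complain mode: violations are logged (apparmor="ALLOWED") but not blocked.
# aa-complain /usr/local/sbin/webd

# aa-status

# Records reach /var/log/audit/audit.log only when auditd is running; otherwise they are in the
# kernel log (journalctl -k, dmesg, kern.log). They carry profile="/usr/local/sbin/webd", not the
# profile file name, so match that literally (-F) rather than with a regex whose dots happen to match "/".
# tail -f /var/log/audit/audit.log | grep -F 'profile="/usr/local/sbin/webd"'
# journalctl -k -f | grep -F 'profile="/usr/local/sbin/webd"'

# Optional: turn the logged events into profile rules interactively.
# aa-logprof

# Switch to enforce mode: from now on violations are apparmor="DENIED" and the access fails.
# aa-enforce /usr/local/sbin/webd

# tail -f /var/log/audit/audit.log | grep -F 'profile="/usr/local/sbin/webd"'

# Unload the profile and mark it disabled (symlink in /etc/apparmor.d/disable/); the file itself stays.
# aa-disable /usr/local/sbin/webd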

Создание и включение профиля утилитой aa-genprof

# Interactive profiling: exercise webd in another terminal, (S)can the log, answer Allow/Deny per
# event, (F)inish writes the profile and normally loads it in enforce mode.
# aa-genprof /usr/local/sbin/webd
...
# aa-genprof first parses every profile under /etc/apparmor.d; on Debian 10 it apparently failed on
# dovecot profiles whose local/ include files did not exist (bug report below). Creating the missing
# (empty) files is the workaround.
#https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928160
debian10# touch /etc/apparmor.d/local/...dovecot...
...

# cat /etc/apparmor.d/usr.local.sbin.webd
...
# Generated from the observed accesses: a single-level glob, so only files directly in /var/www are
# readable; subdirectories would need "/var/www/** r," (compare the hand-written profile above).
  /var/www/* r,
}
# Reloads every profile. To reload just this one: apparmor_parser -r /etc/apparmor.d/usr.local.sbin.webd
# (aa-genprof normally loads the finished profile itself — verify the mode with aa-status).
# service apparmor restart