diff options
| author | Silvino <silvino@bk.ru> | 2019-06-16 05:03:49 +0100 |
|---|---|---|
| committer | Silvino <silvino@bk.ru> | 2019-06-16 05:03:49 +0100 |
| commit | 951a8a84411da6b71cee11d8c9feb993b984acf5 (patch) | |
| tree | 321c716724f139b604fe1b4ecbdd198b8f58fff6 /core/apparmor.html | |
| parent | caf14bbeab74235c8d6574beb8b3ad2b55aef667 (diff) | |
| download | doc-951a8a84411da6b71cee11d8c9feb993b984acf5.tar.gz | |
apparmor and hardening revision
Diffstat (limited to 'core/apparmor.html')
| -rw-r--r-- | core/apparmor.html | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/core/apparmor.html b/core/apparmor.html index 0052a68..8b7a30c 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -109,6 +109,35 @@ <h3 id="auto_profiles">Create profile with audit</h3> + <p>Tools use log as a source to build profiles, it is + necessary to disable log rate limit;</p> + + <pre> + # sysctl -w kernel.printk_ratelimit=0 + </pre> + + <p>Start aa-genprof;</p> + + <pre> + $ sudo aa-genprof /usr/bin/lynx + </pre> + + <p>Execute application with all common application options + and parts;</p> + + <P>After initial automatic configuration enable profile in + complain mode. Use aa-logprof when rules need to be adapted.</p> + + <pre> + # aa-logprof + </pre> + + <p>Once profile rules become well defined enable profile in + enforce mode with aa-enforce;</p> + + <p>Monitor logs with aa-notify;</a> + + <h3 id="man_profiles">Create profile manually</h3> <p>To create a new profile, let's say for lynx, @@ -136,8 +165,6 @@ } </pre> - - <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. Copyright (C) 2019 |