Diffstat (limited to 'core/apparmor.html')
-rw-r--r-- | core/apparmor.html | 82 |
1 files changed, 76 insertions, 6 deletions
diff --git a/core/apparmor.html b/core/apparmor.html index 9954593..8b7a30c 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -2,16 +2,16 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.2.1. AppArmor</title> + <title>2.6.1. AppArmor</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.2.1. AppArmor</h1> + <h1>2.6.1. AppArmor</h1> <p>Check <a href="linux.html#configure">kernel configuration</a> or - use the provided with <a href="reboot.html#linux">linux-gnu</a> port + use the provided with <a href="reboot.html#linux">linux-gnu</a> port to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based on security policies. User space tools are provided by apparmor port and its dependencies, install them;</p> @@ -48,7 +48,20 @@ aa-decode aa-exec aa-remove-unknown </pre> - <p>apparmor_parser options;</p> + <h2 id="profiles">Profiles</h2> + + <p>Profiles are located at /etc/apparmor.d/ and + /usr/share/apparmor/extra-profiles contain profiles + that require testing; + + <pre> + # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/ + # sudo rm /etc/apparmor.d/README + # bash /etc/rc.d/apparmor restart + </pre> + + <p>Profiles are parsed using + apparmor_parser;</p> <pre> Usage: apparmor_parser [options] [profile] 
@@ -93,11 +106,68 @@ --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel --warn n Enable warnings (see --help=warn) </pre> - # + + <h3 id="auto_profiles">Create profile with audit</h3> + + <p>Tools use log as a source to build profiles, it is + necessary to disable log rate limit;</p> + + <pre> + # sysctl -w kernel.printk_ratelimit=0 + </pre> + + <p>Start aa-genprof;</p> + + <pre> + $ sudo aa-genprof /usr/bin/lynx + </pre> + + <p>Execute application with all common application options + and parts;</p> + + <P>After initial automatic configuration enable profile in + complain mode. Use aa-logprof when rules need to be adapted.</p> + + <pre> + # aa-logprof + </pre> + + <p>Once profile rules become well defined enable profile in + enforce mode with aa-enforce;</p> + + <p>Monitor logs with aa-notify;</a> + + + <h3 id="man_profiles">Create profile manually</h3> + + <p>To create a new profile, let's say for lynx, + first find where the application is;</p> + + <pre> + $ whereis lynx + lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz + </pre> + + <p>Now create a file with path to executable in + /etc/apparmor.d;</p> + + <pre> + # vim /etc/apparmor.d/usr.bin.lynx + </pre> + + <p>Create basic profile template;</p> + + <pre> + #include <tunables/global> + + profile lynx /usr/bin/lynx { + #include <abstractions/base> + } + </pre> <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> |
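Review bot: in the first hunk (@@ -2,16) the `use the provided with <a href="reboot.html#linux">linux-gnu</a> port` line changes only in whitespace while the sentence itself stays ungrammatical; since the line is already being touched, reword it to something like "or use the kernel provided by the linux-gnu port to support apparmor", and in the following sentence change "AppArmor enforce rules" to "AppArmor enforces rules". The title and h1 renumbering from 2.2.1 to 2.6.1 also needs the matching entry in index.html, which this patch does not touch.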
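Review bot: in the second hunk (@@ -48,7) the `<p>Profiles are located at /etc/apparmor.d/ and` paragraph is never closed before the `<pre>` block, and the sentence runs the two directories together; split it so it says that active profiles live in /etc/apparmor.d/ while /usr/share/apparmor/extra-profiles holds profiles that still require testing. The command sequence then copies every extra profile into /etc/apparmor.d/ and restarts AppArmor, which loads profiles the text itself calls untested straight into enforce mode and can break the confined programs; suggest copying only the profiles that are wanted and putting them into complain mode (aa-complain) before the restart, then moving to enforce once the logs are clean. Also `# sudo rm /etc/apparmor.d/README` mixes a root prompt with sudo, unlike the two lines around it.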
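Review bot: in the third hunk (@@ -93,11) the manual-profile `<pre>` contains `#include <tunables/global>` and `#include <abstractions/base>` as raw angle brackets, so the browser parses them as tags and both include lines vanish from the rendered page; escape them as `&lt;tunables/global&gt;` and `&lt;abstractions/base&gt;`. Two more markup errors: `<p>Monitor logs with aa-notify;</a>` closes with `</a>` instead of `</p>`, and `<P>After initial automatic configuration` uses an uppercase tag unlike the rest of the file. In the audit section, "Execute application with all common application options and parts;" ends in the semicolon this file uses to introduce a block, but no block follows, and "enable profile in complain mode" does not name the command that does it (aa-complain, alongside the aa-logprof and aa-enforce already named). The `sysctl -w kernel.printk_ratelimit=0` change is runtime-only and reverts on reboot; say so, so the reader knows to repeat it or restore the default once profiling is done. Finally, the template profile with only abstractions/base will block most of what lynx does if loaded in enforce mode, so the section should state that it is loaded in complain mode first and extended from the logs.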