path: root/core/apparmor.html
Diffstat (limited to 'core/apparmor.html'): -rw-r--r-- core/apparmor.html | 82
1 files changed, 76 insertions, 6 deletions
diff --git a/core/apparmor.html b/core/apparmor.html
index 9954593..8b7a30c 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -2,16 +2,16 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.2.1. AppArmor</title>
+        <title>2.6.1. AppArmor</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1>2.2.1. AppArmor</h1>
+        <h1>2.6.1. AppArmor</h1>
 
         <p>Check <a href="linux.html#configure">kernel configuration</a> or
-        use the provided with <a href="reboot.html#linux">linux-gnu</a> port 
+        use the provided with <a href="reboot.html#linux">linux-gnu</a> port
         to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based
         on security policies. User space tools are provided by apparmor port
         and its dependencies, install them;</p>
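Review bot: the only change to the "use the provided with ... linux-gnu port" line is the removal of a trailing space, but the sentence itself is broken: "use the provided with <a href="reboot.html#linux">linux-gnu</a> port" has no object (presumably the kernel configuration shipped with that port), and "AppArmor enforce rules" should be "AppArmor enforces rules". Since the hunk already touches this line, fix the wording at the same time, e.g. `use the configuration provided with the <a href="reboot.html#linux">linux-gnu</a> port` and `AppArmor enforces rules on applications`.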
@@ -48,7 +48,20 @@
 	aa-decode          aa-exec            aa-remove-unknown
 	</pre>
 
-	<p>apparmor_parser options;</p>
+        <h2 id="profiles">Profiles</h2>
+
+	<p>Profiles are located at /etc/apparmor.d/ and
+        /usr/share/apparmor/extra-profiles contain profiles
+        that require testing;
+
+        <pre>
+        # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/
+        # sudo rm /etc/apparmor.d/README
+        # bash /etc/rc.d/apparmor restart
+        </pre>
+
+        <p>Profiles are parsed using
+        apparmor_parser;</p>
 
         <pre>
 	Usage: apparmor_parser [options] [profile]
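Review bot: the new paragraph `<p>Profiles are located at /etc/apparmor.d/ and ... that require testing;` is never closed before the following `<pre>`; add `</p>` after "that require testing;" as the other paragraphs in this hunk do. In the command block, `# sudo rm /etc/apparmor.d/README` combines a root `#` prompt with sudo while the neighbouring lines do not; drop the `sudo`. The text also says the extra-profiles "require testing", yet the steps copy all of them into /etc/apparmor.d and restart the service, which loads them as shipped; consider telling the reader to review each copied profile and to put it into complain mode first (aa-complain), since an untested profile can break a working application or, if too permissive, confine nothing.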
@@ -93,11 +106,68 @@
 	--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
 	--warn n                Enable warnings (see --help=warn)
 	</pre>
-	#
+
+        <h3 id="auto_profiles">Create profile with audit</h3>
+
+        <p>Tools use log as a source to build profiles, it is
+        necessary to disable log rate limit;</p>
+
+        <pre>
+        # sysctl -w kernel.printk_ratelimit=0
+        </pre>
+
+        <p>Start aa-genprof;</p>
+
+        <pre>
+        $ sudo aa-genprof /usr/bin/lynx
+        </pre>
+
+        <p>Execute application with all common application options
+        and parts;</p>
+
+        <P>After initial automatic configuration enable profile in
+        complain mode. Use aa-logprof when rules need to be adapted.</p>
+
+        <pre>
+        # aa-logprof
+        </pre>
+
+        <p>Once profile rules become well defined enable profile in
+        enforce mode with aa-enforce;</p>
+
+        <p>Monitor logs with aa-notify;</a>
+
+
+        <h3 id="man_profiles">Create profile manually</h3>
+
+        <p>To create a new profile, let's say for lynx,
+        first find where the application is;</p>
+
+        <pre>
+        $ whereis lynx
+        lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz
+        </pre>
+
+        <p>Now create a file with path to executable in
+        /etc/apparmor.d;</p>
+
+        <pre>
+        # vim /etc/apparmor.d/usr.bin.lynx
+        </pre>
+
+        <p>Create basic profile template;</p>
+
+        <pre>
+        #include &lt;tunables/global&gt;
+
+        profile lynx /usr/bin/lynx {
+          #include &lt;abstractions/base&gt;
+        }
+        </pre>
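Review bot: two markup errors in the new sections: `<p>Monitor logs with aa-notify;</a>` closes the paragraph with `</a>` instead of `</p>`, and the paragraph starting `<P>After initial automatic configuration` uses an uppercase `<P>` against the lowercase `</p>` and the rest of the file. Prompts are also inconsistent within one procedure: `# sysctl -w kernel.printk_ratelimit=0` and `# aa-logprof` use a root prompt while `$ sudo aa-genprof /usr/bin/lynx` uses sudo; pick one. The step "enable profile in enforce mode with aa-enforce" is the only step without a command block; add one for consistency, e.g. `<pre> # aa-enforce /usr/bin/lynx </pre>`, and the same for "Monitor logs with aa-notify", so the reader does not have to guess the invocation.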
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the Hive System Documentation.
-        Copyright (C) 2018
+        Copyright (C) 2019
         Hive Team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>