From 3cce527807b5597108a8c8e34547f231f700d9f9 Mon Sep 17 00:00:00 2001
From: Silvino
Date: Sat, 3 Aug 2019 01:14:06 +0100
Subject: better apparmor utilities examples
---
core/apparmor.html | 116 ++++++++++++++++++++++++++++++-------------------------
1 file changed, 62 insertions(+), 54 deletions(-)
(limited to 'core')
diff --git a/core/apparmor.html b/core/apparmor.html
index ee8de54..8e057de 100644
--- a/core/apparmor.html
+++ b/core/apparmor.html
@@ -38,15 +38,15 @@ # apparmor_status -

Utilities;

+

Utilities;

-
-	aa-audit           aa-disable         aa-genprof         aa-status
-	aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
-	aa-cleanprof       aa-enabled         aa-mergeprof
-	aa-complain        aa-enforce         aa-notify
-	aa-decode          aa-exec            aa-remove-unknown
-	
+
+        aa-audit           aa-disable         aa-genprof         aa-status
+        aa-autodep         aa-easyprof        aa-logprof         aa-unconfined
+        aa-cleanprof       aa-enabled         aa-mergeprof
+        aa-complain        aa-enforce         aa-notify
+        aa-decode          aa-exec            aa-remove-unknown
+        

Profiles

@@ -64,48 +64,48 @@ apparmor_parser;

-	Usage: apparmor_parser [options] [profile]
-
-	Options:
-	--------
-	-a, --add               Add apparmor definitions [default]
-	-r, --replace           Replace apparmor definitions
-	-R, --remove            Remove apparmor definitions
-	-C, --Complain          Force the profile into complain mode
-	-B, --binary            Input is precompiled profile
-	-N, --names             Dump names of profiles in input.
-	-S, --stdout            Dump compiled profile to stdout
-	-o n, --ofile n         Write output to file n
-	-b n, --base n          Set base dir and cwd
-	-I n, --Include n       Add n to the search path
-	-f n, --subdomainfs n   Set location of apparmor filesystem
-	-m n, --match-string n  Use only features n
-	-M n, --features-file n Use only features in file n
-	-n n, --namespace n     Set Namespace for the profile
-	-X, --readimpliesX      Map profile read permissions to mr
-	-k, --show-cache        Report cache hit/miss details
-	-K, --skip-cache        Do not attempt to load or save cached profiles
-	-T, --skip-read-cache   Do not attempt to load cached profiles
-	-W, --write-cache       Save cached profile (force with -T)
-	    --skip-bad-cache    Don't clear cache if out of sync
-	    --purge-cache       Clear cache regardless of its state
-	    --debug-cache       Debug cache file checks
-	-L, --cache-loc n       Set the location of the profile cache
-	-q, --quiet             Don't emit warnings
-	-v, --verbose           Show profile names as they load
-	-Q, --skip-kernel-load  Do everything except loading into kernel
-	-V, --version           Display version info and exit
-	-d [n], --debug         Debug apparmor definitions OR [n]
-	-p, --preprocess        Dump preprocessed profile
-	-D [n], --dump          Dump internal info for debugging
-	-O [n], --Optimize      Control dfa optimizations
-	-h [cmd], --help[=cmd]  Display this text or info about cmd
-	-j n, --jobs n          Set the number of compile threads
-	--max-jobs n            Hard cap on --jobs. Default 8*cpus
-	--abort-on-error        Abort processing of profiles on first error
-	--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
-	--warn n                Enable warnings (see --help=warn)
-	
+ Usage: apparmor_parser [options] [profile]
+
+ Options:
+ --------
+ -a, --add Add apparmor definitions [default]
+ -r, --replace Replace apparmor definitions
+ -R, --remove Remove apparmor definitions
+ -C, --Complain Force the profile into complain mode
+ -B, --binary Input is precompiled profile
+ -N, --names Dump names of profiles in input.
+ -S, --stdout Dump compiled profile to stdout
+ -o n, --ofile n Write output to file n
+ -b n, --base n Set base dir and cwd
+ -I n, --Include n Add n to the search path
+ -f n, --subdomainfs n Set location of apparmor filesystem
+ -m n, --match-string n Use only features n
+ -M n, --features-file n Use only features in file n
+ -n n, --namespace n Set Namespace for the profile
+ -X, --readimpliesX Map profile read permissions to mr
+ -k, --show-cache Report cache hit/miss details
+ -K, --skip-cache Do not attempt to load or save cached profiles
+ -T, --skip-read-cache Do not attempt to load cached profiles
+ -W, --write-cache Save cached profile (force with -T)
+ --skip-bad-cache Don't clear cache if out of sync
+ --purge-cache Clear cache regardless of its state
+ --debug-cache Debug cache file checks
+ -L, --cache-loc n Set the location of the profile cache
+ -q, --quiet Don't emit warnings
+ -v, --verbose Show profile names as they load
+ -Q, --skip-kernel-load Do everything except loading into kernel
+ -V, --version Display version info and exit
+ -d [n], --debug Debug apparmor definitions OR [n]
+ -p, --preprocess Dump preprocessed profile
+ -D [n], --dump Dump internal info for debugging
+ -O [n], --Optimize Control dfa optimizations
+ -h [cmd], --help[=cmd] Display this text or info about cmd
+ -j n, --jobs n Set the number of compile threads
+ --max-jobs n Hard cap on --jobs. Default 8*cpus
+ --abort-on-error Abort processing of profiles on first error
+ --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel
+ --warn n Enable warnings (see --help=warn)
+

Create profile with audit

@@ -123,13 +123,11 @@

Execute application with all common application options - and parts;

-
-

After initial automatic configuration enable profile in + and parts. After initial automatic configuration enable profile in complain mode. Use aa-logprof when rules need to be adapted.

-        # aa-logprof
+        # aa-logprof -f /var/log/kernel
         

Once profile rules become well defined enable profile in
@@ -137,6 +135,16 @@

Monitor logs with aa-notify;

+
+        # aa-notify --file=/var/log/kernel -u username -l
+        
+
+

And keep adjusting the rules with logprof;

+
+
+        # aa-logprof -f /var/log/kernel
+        
+

Create profile manually

-- cgit 1.4.1-2-gfad0