small070 / Ubuntu


Use Apparmor #6

Open small070 opened 11 months ago

small070 commented 11 months ago

Enable AppArmor on boot

```
vi /etc/default/grub
```

```
GRUB_CMDLINE_LINUX_DEFAULT=" ... apparmor=1 security=apparmor"
```

```
update-grub
reboot
```

Checking AppArmor status

```
aa-status
```

```
apparmor module is loaded.
72 profiles are loaded.
36 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/irssi
   /usr/bin/lxc-start
   ...
```

Find the processes that no profile is guarding

status: enforced, complain, unconfined

complaining / learning mode (they are actually the same mode, just with different names)

Detects violations of the defined policy, allows the violating behaviour and logs it

Enforced / Confined (they are actually the same mode, just with different names)

Enforces the defined policy, does not allow violating behaviour, and logs it

```
ps xZ | less
```

```
LABEL                            PID TTY      STAT   TIME COMMAND
unconfined                         1 ?        Ss     0:05 /sbin/init
...
nmbd (complain)                 1318 ?        Ss     0:25 /usr/sbin/nmbd --foreground --no-process-group
```

Or:

```
aa-unconfined
```

```
1 /lib/systemd/systemd (/sbin/init) not confined
862 /sbin/rpcbind not confined
1158 /usr/sbin/nmbd confined by 'nmbd (complain)'
1161 /usr/sbin/vsftpd not confined
1201 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
...
```

Enable in kernel config parameters

  1. CONFIG_DEFAULT_SECURITY
  2. CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE
  3. CONFIG_DEFAULT_SECURITY_APPARMOR

Compiling the kernel with AppArmor:

```
CONFIG_SECURITY_APPARMOR=y
CONFIG_AUDIT=y
```

AppArmor as the default security module:

```
grep CONFIG_DEFAULT_SECURITY= /boot/config-*
```

```
CONFIG_DEFAULT_SECURITY="apparmor"
```

OR

```
CONFIG_DEFAULT_SECURITY="selinux"
```

AppArmor to be enabled or disabled at boot:

```
grep CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE /boot/config-*
```

```
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
```

```
grep CONFIG_DEFAULT_SECURITY_APPARMOR /boot/config-*
```

```
CONFIG_DEFAULT_SECURITY_APPARMOR=y
```

LSM

A list of the active security modules

The capability module will always be first, followed by any "minor" modules (e.g. Yama) and then the one "major" module (e.g. SELinux) if there is one configured.

```
cat /sys/kernel/security/lsm
```

```
capability,yama,apparmor
```

What profiles do

A profile defines which files an application can access and what it is allowed to do.

The restrictions are divided into:

  1. Complaining/Learning
  2. Enforced/Confined

Profile types

  1. Standard profiles, attached to a program by its name (so the profile name must match the path to the application):

```
/usr/bin/foo { ... }
```

  2. Unattached profiles. Unattached profiles are never used automatically:

```
profile /usr/bin/foo { ... }
```

  3. Local profiles:

```
/parent/profile {
   ...
   profile /local/profile { ... }
}
```

Check the current state

```
aa-status
```

```
apparmor module is loaded.
35 profiles are loaded.
12 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/lxc-start
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser//browser_java
   ..............
23 profiles are in complain mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
97 processes have profiles defined.
97 processes are in enforce mode.
   /usr/bin/lxc-start (2826)
   /usr/bin/lxc-start (3528)
   /usr/bin/lxc-start (30836)
   /usr/sbin/libvirtd (13285)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
```

Apply restrictions to a program

complain:

Set the profile of one application (e.g. ping) to complain mode:

```
aa-complain /path/to/bin
```

Set all profiles to complain mode:

```
aa-complain /etc/apparmor.d/*
```

enforce:

```
aa-enforce /path/to/bin
```

File permission access modes

combinations of the following modes

  1. r Read mode
  2. w Write mode
  3. px Discrete profile execute mode
  4. Px Discrete profile execute mode—clean exec
  5. ux Unconstrained execute mode
  6. Ux Unconstrained execute mode—clean exec
  7. ix Inherit execute mode
  8. m Allow PROT_EXEC with mmap(2) calls (memory map as executable)
  9. l Link mode
  10. k file locking

PS: Link mode

The link mode mediates access to hard links. When a link is created, the target file must have the same access permissions as the link being created.
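The checks collected in this issue (the aa-unconfined listing and the kernel config settings) as a small POSIX sh helper; this is an added example, not code from the issue. The sample inputs are constructed from the listings above, and live_unconfined assumes AppArmor exposes each process's label in /proc/PID/attr/current.

```shell
#!/bin/sh
# Added example, not part of the issue: parse the aa-unconfined and kernel-config
# output shown above. Functions read stdin, so they run on the constructed samples
# below or on a live capture (`aa-unconfined`, `cat /boot/config-$(uname -r)`).
# Constructed sample, modelled on the aa-unconfined listing in the issue.
SAMPLE_UNCONFINED=$(cat <<'EOF'
1 /lib/systemd/systemd (/sbin/init) not confined
862 /sbin/rpcbind not confined
1158 /usr/sbin/nmbd confined by 'nmbd (complain)'
1161 /usr/sbin/vsftpd not confined
1201 /usr/sbin/ntpd confined by '/usr/sbin/ntpd (enforce)'
EOF
)
# Constructed kernel config fragment with the settings discussed above.
SAMPLE_CONFIG=$(cat <<'EOF'
CONFIG_SECURITY_APPARMOR=y
CONFIG_AUDIT=y
CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_DEFAULT_SECURITY_APPARMOR=y
EOF
)

# "PID PATH" for every process that has no profile attached at all.
list_unconfined() { awk '/ not confined$/ { print $1, $2 }'; }

# "PID PATH" for processes whose profile is only in complain mode (violations
# are logged but still allowed).
list_complain_only() { awk '/\(complain\)/ { print $1, $2 }'; }

# Succeeds only if AppArmor is built in, is the default LSM and is on at boot.
check_kernel_config() {
    awk '
        $0 == "CONFIG_SECURITY_APPARMOR=y"                 { built = 1 }
        $0 == "CONFIG_DEFAULT_SECURITY=\"apparmor\""       { dflt = 1 }
        $0 == "CONFIG_DEFAULT_SECURITY_APPARMOR=y"         { dflt = 1 }
        $0 == "CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1" { boot = 1 }
        END { if (built && dflt && boot) exit 0; exit 1 }
    '
}

# Live alternative to aa-unconfined (assumption: AppArmor publishes the label
# in /proc/PID/attr/current): PIDs whose label is literally "unconfined".
live_unconfined() {
    for p in /proc/[0-9]*; do
        [ "$(cat "$p/attr/current" 2>/dev/null)" = "unconfined" ] &&
            printf '%s %s\n' "${p#/proc/}" "$(readlink "$p/exe" 2>/dev/null)"
    done
    return 0
}
```

On a live host, `aa-unconfined | list_unconfined` gives the same "PID PATH" list as the sample, and `check_kernel_config < /boot/config-$(uname -r)` returns non-zero when any of the three settings is missing.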

small070 commented 10 months ago

complaining / learning mode (they are actually the same mode, just with different names): detects violations of the defined policy, but allows the violating behaviour and logs it

Enforced / Confined (they are actually the same mode, just with different names): enforces the defined policy, and logs it