AppArmor : Create Profiles : aa-autodep2023/07/13 |
|
Create a profile for a program with [aa-autodep] command.
The different point from [aa-genprof] is that [aa-autodep]
creates an empty profile and finish at once, and then target program is entered in [complain] mode control.
|
|
| [1] | For example, create a profile for Samba with [aa-autodep] command. |
|
# create a profile for Samba root@dlp:~# aa-autodep /usr/sbin/smbd Writing updated profile for /usr/sbin/smbd. # it is entered in [complain] mode root@dlp:~# aa-status
apparmor module is loaded.
14 profiles are loaded.
13 profiles are in enforce mode.
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/{,usr/}sbin/dhclient
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
tcpdump
1 profiles are in complain mode.
/usr/sbin/smbd
.....
.....
# after this, it needs to learn required operations in [complain] mode # for large scale application like Samba, it needs to learn many required operations # in logs for a long time, maybe in a few months # set policy for each unauthorized action in logs step by step root@dlp:~# aa-logprof Updating AppArmor profiles in /etc/apparmor.d. Reading log entries from /var/log/syslog. Complain-mode changes: Profile: /usr/sbin/smbd Path: /var/log/samba/log.smbd New Mode: owner w Severity: 8 [1 - include <abstractions/samba>] 2 - owner /var/log/samba/log.smbd w, (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish Adding include <abstractions/samba> to profile. Profile: /usr/sbin/smbd Network Family: netlink Socket Type: raw [1 - include <abstractions/nameservice>] 2 - network netlink raw, (A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish Adding include <abstractions/nameservice> to profile. Enforce-mode changes: Profile: /usr/bin/node Path: /dev/ttyS0 New Mode: owner rw Severity: 9 [1 - owner /dev/ttyS0 rw,] (A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish Adding owner /dev/ttyS0 rw, to profile. ..... ..... # if profile is completed finally, move to [enforce] mode to protect target app root@dlp:~# aa-enforce /usr/sbin/smbd |
| [2] | By the way, it uses Samba as an example to create a profile with [aa-autodep] on here, though, however some profiles are provided as a package for well known and often used applications like Samba. |
|
root@dlp:~#
root@dlp:~# apt -y install apparmor-profiles dpkg -L apparmor-profiles /. /etc /etc/apparmor.d /etc/apparmor.d/apache2.d /etc/apparmor.d/apache2.d/phpsysinfo /etc/apparmor.d/bin.ping /etc/apparmor.d/local /etc/apparmor.d/php-fpm /etc/apparmor.d/samba-bgqd /etc/apparmor.d/samba-dcerpcd /etc/apparmor.d/samba-rpcd /etc/apparmor.d/samba-rpcd-classic /etc/apparmor.d/samba-rpcd-spoolss /etc/apparmor.d/sbin.klogd /etc/apparmor.d/sbin.syslog-ng /etc/apparmor.d/sbin.syslogd ..... .....root@dlp:~# aa-status
apparmor module is loaded.
32 profiles are loaded.
11 profiles are in enforce mode.
/usr/bin/man
/usr/bin/node
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/{,usr/}sbin/dhclient
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
21 profiles are in complain mode.
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
identd
klogd
mdnsd
nmbd
nscd
php-fpm
ping
samba-bgqd
samba-dcerpcd
samba-rpcd
samba-rpcd-classic
samba-rpcd-spoolss
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
|
| Sponsored Link |