Ubuntu 24.04

AppArmor : Create Profiles : aa-autodep2024/06/18

 

Create a profile for a program with the [aa-autodep] command.

The difference from [aa-genprof] is that [aa-autodep] creates an empty profile and finishes at once; the target program is then placed under [complain] mode control.

[1] For example, create a profile for Samba with the [aa-autodep] command.
# create a profile for Samba

root@dlp:~#
aa-autodep /usr/sbin/smbd

Writing updated profile for /usr/sbin/smbd.
# it is now in [complain] mode (a profile attaches when the program is executed, so the smbd processes that were already running are reported as unconfined until they are restarted)

root@dlp:~#
aa-status


.....
.....

3 processes are unconfined but have a profile defined.
   /usr/sbin/smbd (8492)
   /usr/sbin/smbd (8496)
   /usr/sbin/smbd (8497)

.....
.....

# after this, the operations the program requires must be learned in [complain] mode
# for a large-scale application like Samba, many required operations must be collected
# from the logs over a long period, possibly a few months

# set a policy for each unauthorized action found in the logs, step by step

root@dlp:~#
aa-logprof

Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/syslog.
Complain-mode changes:

Profile:  /usr/sbin/smbd
Path:     /var/log/samba/log.smbd
New Mode: owner w
Severity: 8

 [1 - include <abstractions/samba>]
  2 - owner /var/log/samba/log.smbd w,
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
Adding include <abstractions/samba> to profile.

Profile:        /usr/sbin/smbd
Network Family: netlink
Socket Type:    raw

 [1 - include <abstractions/nameservice>]
  2 - network netlink raw,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish

.....
.....

# once the profile is complete, switch to [enforce] mode to protect the target application ([complain] mode only logs violations, it does not block them)

root@dlp:~#
aa-enforce /usr/sbin/smbd

[2] Samba is used here only as an example of creating a profile with [aa-autodep]; in practice, ready-made profiles for well-known and commonly used applications like Samba are provided as a package.
root@dlp:~#
apt -y install apparmor-profiles
root@dlp:~#
dpkg -L apparmor-profiles

/.
/etc
/etc/apparmor.d
/etc/apparmor.d/apache2.d
/etc/apparmor.d/apache2.d/phpsysinfo
/etc/apparmor.d/bin.ping
/etc/apparmor.d/local
/etc/apparmor.d/php-fpm
/etc/apparmor.d/samba-bgqd
/etc/apparmor.d/samba-dcerpcd
/etc/apparmor.d/samba-rpcd
/etc/apparmor.d/samba-rpcd-classic
/etc/apparmor.d/samba-rpcd-spoolss
/etc/apparmor.d/sbin.klogd
/etc/apparmor.d/sbin.syslog-ng
/etc/apparmor.d/sbin.syslogd
/etc/apparmor.d/usr.sbin.avahi-daemon
/etc/apparmor.d/usr.sbin.dnsmasq
/etc/apparmor.d/usr.sbin.identd
/etc/apparmor.d/usr.sbin.mdnsd
/etc/apparmor.d/usr.sbin.nmbd
/etc/apparmor.d/usr.sbin.nscd
/etc/apparmor.d/usr.sbin.smbd
/etc/apparmor.d/usr.sbin.smbldap-useradd
/etc/apparmor.d/usr.sbin.traceroute
/usr
/usr/share
/usr/share/apparmor
/usr/share/apparmor/extra-profiles
.....
.....

root@dlp:~#
aa-status

135 profiles are loaded.
45 profiles are in enforce mode.
   /usr/bin/man
   /usr/bin/node
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   identd
   klogd
   lsb_release
   man_filter
   man_groff
   mdnsd
   nmbd
   nscd
   nvidia_modprobe
   nvidia_modprobe//kmod
   php-fpm
   ping
.....
.....