How to Create AppArmor Profiles to Lock Down Programs on Ubuntu


AppArmor locks down programs on your Ubuntu system, allowing them only the permissions they require in normal use – particularly useful for server software that may become compromised. AppArmor includes simple tools you can use to lock down other applications.

AppArmor is included by default in Ubuntu and some other Linux distributions. Ubuntu ships AppArmor with several profiles, but you can also create your own AppArmor profiles. AppArmor’s utilities can monitor a program’s execution and help you create a profile.

Before creating your own profile for an application, you may want to check the apparmor-profiles package in Ubuntu’s repositories to see if a profile for the application you want to confine already exists.

Creating and Running a Test Plan

You’ll need to run the program while AppArmor is watching it and walk through all its normal functions. Basically, you should use the program as it would be used in normal use: start the program, stop it, reload it, and use all its features. You should design a test plan that goes through the functions the program needs to perform.

Before running through your test plan, launch a terminal and run the following commands to install and run aa-genprof:

sudo apt-get install apparmor-utils

sudo aa-genprof /path/to/binary

Leave aa-genprof running in the terminal, start the program, and run through the test plan you designed above. The more comprehensive your test plan, the fewer problems you’ll run into later.

After you’re done executing your test plan, return to the terminal and press the S key to scan the system log for AppArmor events.

For each event, you’ll be prompted to choose an action. For example, below we can see that /usr/bin/man, which we profiled, executed /usr/bin/tbl. We can select whether /usr/bin/tbl should inherit /usr/bin/man’s security settings, whether it should run with its own AppArmor profile, or whether it should run in unconfined mode.

For some other actions, you’ll see different prompts – here we’re allowing access to /dev/tty, a device that represents the terminal.

At the end of the process, you’ll be prompted to save your new AppArmor profile.

Enabling Complain Mode and Tweaking the Profile

After creating the profile, put it into “complain mode,” where AppArmor doesn’t restrict the actions it can take but instead logs any restrictions that would otherwise occur:

sudo aa-complain /path/to/binary

Use the program normally for a while. After using it normally in complain mode, run the following command to scan your system logs for errors and update the profile:

sudo aa-logprof

Using Enforce Mode to Lock Down the Application

After you’re done fine-tuning your AppArmor profile, enable “enforce mode” to lock down the application:

sudo aa-enforce /path/to/binary

You may want to run the sudo aa-logprof command in the future to tweak your profile.

AppArmor profiles are plain-text files, so you can open them in a text editor and tweak them by hand. However, the utilities above guide you through the process.
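As an added illustration (not from the original article or generated by aa-genprof), here is what a hand-written profile of the kind described above could look like for the /usr/bin/man walkthrough. The file name /etc/apparmor.d/usr.bin.man, the read-only paths under /usr/share/man and /etc, and the /tmp rule are assumptions about what man needs; only /usr/bin/man, /usr/bin/tbl and /dev/tty come from the article.

```apparmor
# Hypothetical profile for /usr/bin/man (added example, not captured
# from aa-genprof). Assumed to live at /etc/apparmor.d/usr.bin.man.
#include <tunables/global>

# flags=(complain) is what aa-complain adds: violations are logged,
# not blocked. aa-enforce removes it so the rules below are enforced.
/usr/bin/man flags=(complain) {
  # Shared baseline rules: libc, locale data, /dev/null and similar.
  #include <abstractions/base>

  # The confined binary itself must be readable and mmap-able.
  /usr/bin/man mr,

  # The /dev/tty prompt from the walkthrough: the terminal device.
  /dev/tty rw,

  # The /usr/bin/tbl prompt. Exactly one execute mode per path:
  #   ix = inherit this profile (the choice taken here),
  #   Px = run under tbl's own profile, scrubbing the environment,
  #   Ux = run unconfined (only if no tighter option works).
  /usr/bin/tbl ix,

  # Assumed read-only inputs: manual pages and man-db's config.
  /usr/share/man/** r,
  /etc/manpath.config r,

  # Assumed scratch space, limited to files owned by the invoking user.
  owner /tmp/** rw,

  # Anything not listed is denied (and logged while in complain mode).
}
```

Load the file with sudo apparmor_parser -r /etc/apparmor.d/usr.bin.man, then confirm the mode with sudo aa-status; after hand edits, sudo aa-logprof still works as described above to pick up anything the profile missed.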

Translated from: https://www.howtogeek.com/118328/how-to-create-apparmor-profiles-to-lock-down-programs-on-ubuntu/
