AppArmor confines specific programs and services with per-executable profiles.
* It is easier to learn than SELinux
* It ships with Debian (enabled by default since Debian 10 buster)
apt install apparmor-utils apparmor-notify apparmor-easyprof
man apparmor.d
tree /etc/apparmor
ls /etc/apparmor.d/
aa-status
aa-genprof /your/app
ls /sys/kernel/security/apparmor/
To generate a profile for an application (here a copy of vim, renamed so it does not collide with any profile already shipped for vim), run:
cp /usr/bin/vim /usr/local/bin/kim
aa-genprof /usr/local/bin/kim
In another session, run the application and exercise the functionality you want to confine.
Then, back in aa-genprof, grant access to the directories the application needs; finally save and exit. Review what you granted before enforcing: in the profile below, "owner /etc/* rw," lets kim write any file directly under /etc that the invoking user owns, which is broad for an editor.
You can view the resulting rules with:
cat /etc/apparmor.d/usr.local.bin.kim
# Last Modified: Tue Nov 12 01:39:21 2019
#include <tunables/global>
/usr/local/bin/kim {
  #include <abstractions/base>
  /home/ues/ r,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /usr/local/bin/kim mr,
  owner /etc/* rw,
  owner /etc/vim/vimrc r,
  owner /root/* rw,
  owner /usr/share/vim/** r,
}
Put the kim profile in complain mode to check its behaviour (violations are logged but not blocked):
aa-complain /usr/local/bin/kim
Switch the kim profile to enforce mode (violations are blocked) with:
aa-enforce /usr/local/bin/kim
To put the profile in audit mode (enforced, and every access, allowed or denied, is logged through auditd):
aa-audit /usr/local/bin/kim
Then verify that files under the permitted directories can be edited but others cannot:
kim /etc/hosts   # allowed: matches "owner /etc/* rw," when run by the file's owner (root)
kim /tmp/pp      # denied: no rule in the profile matches /tmp/pp
aa-complain # puts a profile in complain mode: denials are logged but not enforced
aa-logprof  # updates profiles from the denials recorded in the log
aa-notify   # reports AppArmor denials from the log (desktop or console)
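Before handing a log to aa-logprof it helps to see what a profile in complain or audit mode is actually recording. The following bash script is an added example, not code from the original page or from the AppArmor project: it reads kernel audit lines (the format written by the AppArmor LSM to the audit log and to dmesg) and reduces them to a per-profile tally. The sample lines in SAMPLE_LOG are constructed for the demo; the field names are the kernel's real ones, the paths, pids and timestamps are made up.

```bash
#!/usr/bin/env bash
# Added example: summarise AppArmor denials from audit-format log lines.
# Not part of the original page; the log below is constructed sample data.
set -u

# Constructed sample: two enforce-mode denials for kim, one complain-mode
# event (logged as ALLOWED but carrying a denied_mask) and one network
# denial for ping-x (IPv6 raw socket, the case shown later on this page).
SAMPLE_LOG='audit: type=1400 audit(1573521561.123:45): apparmor="DENIED" operation="open" profile="/usr/local/bin/kim" name="/tmp/pp" pid=1234 comm="kim" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1573521561.456:46): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/kim" name="/etc/hosts" pid=1234 comm="kim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1573521562.789:47): apparmor="DENIED" operation="create" profile="/bin/ping-x" pid=1300 comm="ping-x" family="inet6" sock_type="raw" protocol=58 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1573521563.000:48): apparmor="DENIED" operation="open" profile="/usr/local/bin/kim" name="/tmp/pp" pid=1235 comm="kim" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0'

# Print the value of one key="value" field of an audit line (empty if absent).
aa_field() {
  local line=$1 key=$2
  local re=" $key=\"([^\"]*)\""
  if [[ $line =~ $re ]]; then printf '%s' "${BASH_REMATCH[1]}"; fi
}

# Read audit lines on stdin and emit one tab-separated record per event that
# was denied (enforce mode) or would have been denied (complain mode, which
# the kernel logs as ALLOWED but still with a denied_mask):
#   status  profile  operation  target  denied_mask
# File events use name= as the target; socket events have no name= and are
# reported as "network <family> <sock_type>" instead.
aa_denials() {
  local line status profile op name mask target
  while IFS= read -r line; do
    [[ $line == *'apparmor="'* ]] || continue
    mask=$(aa_field "$line" denied_mask)
    [ -n "$mask" ] || continue            # nothing was (or would be) denied
    status=$(aa_field "$line" apparmor)
    profile=$(aa_field "$line" profile)
    op=$(aa_field "$line" operation)
    name=$(aa_field "$line" name)
    if [ -n "$name" ]; then
      target=$name
    else
      target="network $(aa_field "$line" family) $(aa_field "$line" sock_type)"
    fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$status" "$profile" "$op" "$target" "$mask"
  done
}

# Collapse repeated events into counts, most frequent first.
aa_denial_summary() {
  aa_denials | sort | uniq -c | sort -rn
}

# Demo on the constructed log; on a real host feed it
#   journalctl -k | aa_denial_summary   or   aa_denial_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_LOG" | aa_denial_summary
```

The summary makes the repeated "/tmp/pp" write from kim and the IPv6 raw socket from ping-x stand out as the two rules to decide on; aa-logprof then turns the events you accept into profile rules.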
sudo aa-status
sudo aa-status | grep -e "^[[:alnum:]]" -e ping
sudo aa-genprof /bin/ping-x
# while aa-genprof waits, exercise the program in another terminal:
ping-x -c3 -4 127.0.0.1
# back in aa-genprof, answer the prompts:
#   S  scan the log for events
#   A  allow (once per event proposed, three times here)
#   S  scan again
#   F  finish and write the profile
sudo cat /etc/apparmor.d/bin.ping-x
ping-x -c3 -4 127.0.0.1      # works: this is what was exercised while profiling
ping-x -c3 -6 ::1            # ping: socket: Permission denied
aa-genprof only grants what it saw: IPv4 was exercised, so the profile has a rule for IPv4 raw sockets and nothing for IPv6. To allow it, either run the IPv6 ping in complain mode and let aa-logprof add the rule, or add "network inet6 raw," to the profile by hand and reload it.
cat /etc/apparmor.d/usr.bin.test
#include <tunables/global>
profile test /usr/lib/test/test_binary {
  #include <abstractions/base>
  # Main libraries and plugins
  /usr/share/TEST/** r,
  /usr/lib/TEST/** rm,
  # Configuration files and logs
  @{HOME}/.config/ r,
  @{HOME}/.config/TEST/** rw,
}
Strings preceded by a @ symbol are variables defined by abstractions (/etc/apparmor.d/abstractions/), tunables (/etc/apparmor.d/tunables/) or by the profile itself. #include includes other profile-files directly. Paths followed by a set of characters are access permissions. Pattern matching is done using AppArmor's globbing syntax.
Most common use cases are covered by the following statements:
r — read: read data
w — write: create, delete, write to a file and extend it
m — memory map executable: memory map a file executable
x — execute: execute file; needs to be preceded by a qualifier (ix inherit the current profile, px/Px switch to the target's own profile, ux/Ux run unconfined, cx/Cx switch to a child profile)
Remember that those permissions do not allow binaries to exceed the permissions dictated
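To make the globbing rules above concrete (* stops at a directory separator, ** does not, ? is a single non-separator character) and to predict the result of the "kim /etc/hosts" versus "kim /tmp/pp" test earlier on the page, here is a bash script that answers "does some file rule in this profile match this path with this permission?". It is an added example, not part of the original page and not an AppArmor tool: it handles only plain file rules of the form "[owner] path perms,", expands only the @{HOME} variable (from HOME_DIR, assumed to be /home/ues as in the kim profile), ignores the owner qualifier (ownership is not modelled) and does not follow #include. The PROFILE text is constructed from the two profiles shown on this page.

```bash
#!/usr/bin/env bash
# Added example: does a file rule in PROFILE match a given path and permission?
# Not part of the original page; PROFILE is constructed from the profiles above.
set -u

HOME_DIR="${HOME_DIR:-/home/ues}"   # assumed value used to expand @{HOME}

PROFILE='
/usr/local/bin/kim {
  /home/ues/ r,
  /lib/x86_64-linux-gnu/ld-*.so mr,
  /usr/local/bin/kim mr,
  owner /etc/* rw,
  owner /etc/vim/vimrc r,
  owner /root/* rw,
  owner /usr/share/vim/** r,
  @{HOME}/.config/TEST/** rw,
}
'

# Translate one AppArmor path glob into an anchored extended regex:
#   **  -> .*       any characters, including /
#   *   -> [^/]*    any characters except /
#   ?   -> [^/]     exactly one character except /
# Every other regex metacharacter in the path is escaped so it matches literally.
aa_glob_to_regex() {
  local glob=$1 out='' i c
  local var='@{HOME}'
  glob=${glob//"$var"/$HOME_DIR}
  for (( i=0; i<${#glob}; i++ )); do
    c=${glob:i:1}
    case $c in
      '*')
        if [ "${glob:i+1:1}" = '*' ]; then out+='.*'; i=$((i+1)); else out+='[^/]*'; fi ;;
      '?') out+='[^/]' ;;
      '.'|'['|']'|'('|')'|'{'|'}'|'+'|'^'|'$'|'|') out+="\\$c" ;;
      *) out+=$c ;;
    esac
  done
  printf '^%s$' "$out"
}

# Return 0 if PROFILE contains a file rule whose glob matches PATH and whose
# permission string contains PERM (r, w, m, x ...), 1 otherwise.
# Only lines that look like "<glob> <perms>," are considered; the profile
# header, #include lines and the closing brace are skipped.
aa_path_allowed() {
  local path=$1 perm=$2 line glob perms re
  while IFS= read -r line; do
    line=${line#"${line%%[![:space:]]*}"}   # trim leading whitespace
    line=${line#owner }                      # drop the owner qualifier (not modelled)
    case $line in
      /*,|@\{*,) ;;                          # candidate file rule
      *) continue ;;
    esac
    line=${line%,}
    perms=${line##* }
    glob=${line% *}
    re=$(aa_glob_to_regex "$glob")
    if [[ $path =~ $re ]] && [[ $perms == *"$perm"* ]]; then
      return 0
    fi
  done <<< "$PROFILE"
  return 1
}

# Demo: the two checks from the kim test plus two cases that show * versus **.
for probe in '/etc/hosts w' '/tmp/pp w' '/etc/vim/vimrc w' '/usr/share/vim/vim81/syntax/c.vim r'; do
  set -- $probe
  if aa_path_allowed "$1" "$2"; then echo "ALLOW $2 $1"; else echo "DENY  $2 $1"; fi
done
```

The third probe is the instructive one: "owner /etc/* rw," does not reach /etc/vim/vimrc because * never crosses a slash, and the dedicated rule for that file grants only r, so a write is denied even though the file is "under /etc". The real parser additionally evaluates the owner qualifier against the file's uid and merges rules from every #include, so treat this as a reading aid for the syntax, not as a substitute for testing in complain mode.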
====== References ======
* https://www.howtogeek.com/118222/htg-explains-what-apparmor-is-and-how-it-secures-your-ubuntu-system/
* https://www.debian.org/doc/manuals/debian-handbook/sect.apparmor.ru.html
* https://wiki.debian.org/AppArmor/HowToUse
* http://wiki.apparmor.net/index.php/Profiles
* https://wiki.archlinux.org/index.php/AppArmor
* https://ubuntu.com/tutorials/beginning-apparmor-profile-development#1-overview