diff options
author | Michael Palimaka <kensington@gentoo.org> | 2012-07-11 05:30:34 +1000 |
---|---|---|
committer | Michael Palimaka <kensington@gentoo.org> | 2012-07-11 05:30:34 +1000 |
commit | 820f2d3638c8c67a6a9407174acf886ad13832ec (patch) | |
tree | 9cda0e4b975754d31e817e3f33d524ee6dd00ae3 | |
parent | Update previews (diff) | |
download | hardened-docs-820f2d3638c8c67a6a9407174acf886ad13832ec.tar.gz hardened-docs-820f2d3638c8c67a6a9407174acf886ad13832ec.tar.bz2 hardened-docs-820f2d3638c8c67a6a9407174acf886ad13832ec.zip |
Add initial draft of AppArmor guide.
-rw-r--r-- | xml/apparmor.xml | 204 |
1 files changed, 204 insertions, 0 deletions
diff --git a/xml/apparmor.xml b/xml/apparmor.xml new file mode 100644 index 0000000..032f1f3 --- /dev/null +++ b/xml/apparmor.xml @@ -0,0 +1,204 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> +<!-- $Header$ --> + +<guide disclaimer="draft" link="apparmor.xml" lang="en"> +<title>Gentoo AppArmor Guide</title> + +<author title="Author"> + <mail link="kensington@gentoo.org">Michael Palimaka</mail> +</author> + +<abstract> +This guide provides a brief overview of AppArmor, and gives information +on how to install and configure it on Gentoo. +</abstract> + +<!-- The content of this document is licensed under the CC-BY-SA license --> +<!-- See http://creativecommons.org/licenses/by-sa/3.0 --> +<license version="3.0"/> + +<version>1</version> +<date>2012-07-10</date> + +<chapter> +<title>Introduction</title> + +<section> +<body> +<p> +AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths. +</p> +<p> +For each file path you specify, AppArmor will permit it only the permissions you grant. +</p> +<pre caption="Sample profile"> +# ------------------------------------------------------------------ +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2010 Canonical Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# ------------------------------------------------------------------ + +#include <tunables/global> + +/sbin/klogd { + #include <abstractions/base> + + capability sys_admin, # for backward compatibility with kernel <= 2.6.37 + capability syslog, + + network inet stream, + + /boot/System.map* r, + @{PROC}/kmsg r, + @{PROC}/kallsyms r, + /dev/tty rw, + + /sbin/klogd rmix, + /var/log/boot.msg rwl, + /{,var/}run/klogd.pid krwl, + /{,var/}run/klogd/klogd.pid krwl, + /{,var/}run/klogd/kmsg r, +} +</pre> +</body> +</section> + +</chapter> + +<chapter> +<title>Initial setup</title> + +<section> +<title>Kernel patching</title> +<body> +<p> +From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however, +it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate +profiles - deactivation, listing, init script etc. will not work. +</p> +<p> +The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <c>hardened-sources</c>, +the patches will not cleanly apply. For convenience, a rebased version of the patches is +<uri link="https://github.com/kensington/apparmor-grsec/tarball/master">available</uri>. +</p> +</body> +</section> + +<section> +<title>Install utilities</title> +<body> +<p> +The AppArmor userspace utilities currently live in the +<uri link="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</uri>. +You should install layman, and then add the <c>hardened-dev</c> overlay: + +<pre caption="Install userspace utilities"> +# <i>layman -a hardened-dev</i> +# <i>emerge apparmor-utils</i> +<comment>You will probably also wish to install some profiles to get started:</comment> +# <i>emerge apparmor-profiles</i> +</pre> + +</p> +</body> +</section> + +<section> +<title>Further configuration</title> +<body> +<p> +You may wish to edit the configuation files located in <c>/etc/apparmor</c>, however +the default values will suit most users. +</p> +</body> +</section> + +</chapter> + +<chapter> +<title>Working with profiles</title> + +<section> +<body> +<p> +Profiles are stored as simple text files in <c>/etc/apparmor.d</c>. They may take any name, and may be stored +in subdirectories - you may organise them however it suits you. +</p> + +<pre caption="Sample profile directory listing"> +/etc/apparmor.d $ <i>ls</i> +abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd +apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd +bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd +disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd +local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute +</pre> + +<p> +Profiles are referred to by name, including any parent subdirectories if present. +</p> +</body> +</section> + +<section> +<title>Manual control</title> +<body> + +<p> +To activate a profile, simply set it to enforce mode. +<pre caption="Manual profile activation"> +# <i>aa-enforce usr.sbin.dnsmasq</i> +Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode. +</pre> +</p> + +<p> +Similarly, to deactive a profile, simply set it to complain mode. +<pre caption="Manual profile deactivation"> +# <i>aa-complain usr.sbin.dnsmasq</i> +Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode. +</pre> +</p> + +<p> +The current status of your profiles may be viewed using <c>aa-status</c>. +<pre caption="Profile status listing"> +# <i>aa-status</i> +apparmor module is loaded. +6 profiles are loaded. +5 profiles are in enforce mode. + /bin/ping + /sbin/klogd + /sbin/syslog-ng + /usr/sbin/dnsmasq + /usr/sbin/identd +1 profiles are in complain mode. + /usr/sbin/lspci +1 processes have profiles defined. +1 processes are in enforce mode. + /usr/sbin/dnsmasq (12905) +0 processes are in complain mode. +0 processes are unconfined but have a profile defined. +</pre> +</p> + +</body> +</section> + +<section> +<title>Automatic control</title> +<body> +<p> +The provided init script will automatically load all profiles located in your profile directory. +Unless specifically specified otherwise, each profile will be loaded in enforce mode. +</p> +</body> +</section> + +</chapter> + +</guide> |