aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Palimaka <kensington@gentoo.org>2012-07-11 05:30:34 +1000
committerMichael Palimaka <kensington@gentoo.org>2012-07-11 05:30:34 +1000
commit820f2d3638c8c67a6a9407174acf886ad13832ec (patch)
tree9cda0e4b975754d31e817e3f33d524ee6dd00ae3
parentUpdate previews (diff)
downloadhardened-docs-820f2d3638c8c67a6a9407174acf886ad13832ec.tar.gz
hardened-docs-820f2d3638c8c67a6a9407174acf886ad13832ec.tar.bz2
hardened-docs-820f2d3638c8c67a6a9407174acf886ad13832ec.zip
Add initial draft of AppArmor guide.
-rw-r--r--xml/apparmor.xml204
1 files changed, 204 insertions, 0 deletions
diff --git a/xml/apparmor.xml b/xml/apparmor.xml
new file mode 100644
index 0000000..032f1f3
--- /dev/null
+++ b/xml/apparmor.xml
@@ -0,0 +1,204 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header$ -->
+
+<guide disclaimer="draft" link="apparmor.xml" lang="en">
+<title>Gentoo AppArmor Guide</title>
+
+<author title="Author">
+ <mail link="kensington@gentoo.org">Michael Palimaka</mail>
+</author>
+
+<abstract>
+This guide provides a brief overview of AppArmor, and gives information
+on how to install and configure it on Gentoo.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
+<license version="3.0"/>
+
+<version>1</version>
+<date>2012-07-10</date>
+
+<chapter>
+<title>Introduction</title>
+
+<section>
+<body>
+<p>
+AppArmor is a Linux Security Module implementation, working around the concept of adding rules to file paths.
+</p>
+<p>
+For each file path you specify, AppArmor will permit it only the permissions you grant.
+</p>
+<pre caption="Sample profile">
+# ------------------------------------------------------------------
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2010 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+# ------------------------------------------------------------------
+
+#include &lt;tunables/global&gt;
+
+/sbin/klogd {
+ #include &lt;abstractions/base&gt;
+
+ capability sys_admin, # for backward compatibility with kernel &lt;= 2.6.37
+ capability syslog,
+
+ network inet stream,
+
+ /boot/System.map* r,
+ @{PROC}/kmsg r,
+ @{PROC}/kallsyms r,
+ /dev/tty rw,
+
+ /sbin/klogd rmix,
+ /var/log/boot.msg rwl,
+ /{,var/}run/klogd.pid krwl,
+ /{,var/}run/klogd/klogd.pid krwl,
+ /{,var/}run/klogd/kmsg r,
+}
+</pre>
+</body>
+</section>
+
+</chapter>
+
+<chapter>
+<title>Initial setup</title>
+
+<section>
+<title>Kernel patching</title>
+<body>
+<p>
+From Linux 3.4, improved AppArmor support has been merged into the kernel. For the best experience, however,
+it is recommended to patch your kernel with additional support. Without patching, it will only be possible to activate
+profiles - deactivation, listing, init script etc. will not work.
+</p>
+<p>
+The required patches are included in the AppArmor tarball. If you are using a grsec enabled kernel, such as <c>hardened-sources</c>,
+the patches will not cleanly apply. For convenience, a rebased version of the patches is
+<uri link="https://github.com/kensington/apparmor-grsec/tarball/master">available</uri>.
+</p>
+</body>
+</section>
+
+<section>
+<title>Install utilities</title>
+<body>
+<p>
+The AppArmor userspace utilities currently live in the
+<uri link="http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=summary">Hardened development overlay</uri>.
+You should install layman, and then add the <c>hardened-dev</c> overlay:
+
+<pre caption="Install userspace utilities">
+# <i>layman -a hardened-dev</i>
+# <i>emerge apparmor-utils</i>
+<comment>You will probably also wish to install some profiles to get started:</comment>
+# <i>emerge apparmor-profiles</i>
+</pre>
+
+</p>
+</body>
+</section>
+
+<section>
+<title>Further configuration</title>
+<body>
+<p>
+You may wish to edit the configuation files located in <c>/etc/apparmor</c>, however
+the default values will suit most users.
+</p>
+</body>
+</section>
+
+</chapter>
+
+<chapter>
+<title>Working with profiles</title>
+
+<section>
+<body>
+<p>
+Profiles are stored as simple text files in <c>/etc/apparmor.d</c>. They may take any name, and may be stored
+in subdirectories - you may organise them however it suits you.
+</p>
+
+<pre caption="Sample profile directory listing">
+/etc/apparmor.d $ <i>ls</i>
+abstractions program-chunks usr.lib.apache2.mpm-prefork.apache2 usr.lib.dovecot.managesieve-login usr.sbin.dovecot usr.sbin.nscd
+apache2.d sbin.klogd usr.lib.dovecot.deliver usr.lib.dovecot.pop3 usr.sbin.identd usr.sbin.ntpd
+bin.ping sbin.syslog-ng usr.lib.dovecot.dovecot-auth usr.lib.dovecot.pop3-login usr.sbin.lspci usr.sbin.smbd
+disable sbin.syslogd usr.lib.dovecot.imap usr.sbin.avahi-daemon usr.sbin.mdnsd usr.sbin.smbldap-useradd
+local tunables usr.lib.dovecot.imap-login usr.sbin.dnsmasq usr.sbin.nmbd usr.sbin.traceroute
+</pre>
+
+<p>
+Profiles are referred to by name, including any parent subdirectories if present.
+</p>
+</body>
+</section>
+
+<section>
+<title>Manual control</title>
+<body>
+
+<p>
+To activate a profile, simply set it to enforce mode.
+<pre caption="Manual profile activation">
+# <i>aa-enforce usr.sbin.dnsmasq</i>
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to enforce mode.
+</pre>
+</p>
+
+<p>
+Similarly, to deactive a profile, simply set it to complain mode.
+<pre caption="Manual profile deactivation">
+# <i>aa-complain usr.sbin.dnsmasq</i>
+Setting /etc/apparmor.d/usr.sbin.dnsmasq to complain mode.
+</pre>
+</p>
+
+<p>
+The current status of your profiles may be viewed using <c>aa-status</c>.
+<pre caption="Profile status listing">
+# <i>aa-status</i>
+apparmor module is loaded.
+6 profiles are loaded.
+5 profiles are in enforce mode.
+ /bin/ping
+ /sbin/klogd
+ /sbin/syslog-ng
+ /usr/sbin/dnsmasq
+ /usr/sbin/identd
+1 profiles are in complain mode.
+ /usr/sbin/lspci
+1 processes have profiles defined.
+1 processes are in enforce mode.
+ /usr/sbin/dnsmasq (12905)
+0 processes are in complain mode.
+0 processes are unconfined but have a profile defined.
+</pre>
+</p>
+
+</body>
+</section>
+
+<section>
+<title>Automatic control</title>
+<body>
+<p>
+The provided init script will automatically load all profiles located in your profile directory.
+Unless specifically specified otherwise, each profile will be loaded in enforce mode.
+</p>
+</body>
+</section>
+
+</chapter>
+
+</guide>