Debian 12 bookworm

AppArmor : Create Profiles : aa-autodep (2023/07/13)

Create a profile for a program with [aa-autodep] command.
The difference from [aa-genprof] is that [aa-autodep] creates a minimal (empty) profile and exits immediately; the target program is then placed under [complain] mode control.
[1] For example, create a profile for Samba with [aa-autodep] command.
# create a profile for Samba

root@dlp:~#
aa-autodep /usr/sbin/smbd

Writing updated profile for /usr/sbin/smbd.
# it is entered in [complain] mode

root@dlp:~#
aa-status

apparmor module is loaded.
14 profiles are loaded.
13 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
1 profiles are in complain mode.
   /usr/sbin/smbd
.....
.....

# after this, the profile has to learn the required operations while in [complain] mode
# for a large-scale application like Samba, many required operations have to be
# learned from the logs over a long period, possibly a few months

# set a policy for each unauthorized action found in the logs, step by step

root@dlp:~#
aa-logprof

Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/syslog.
Complain-mode changes:

Profile:  /usr/sbin/smbd
Path:     /var/log/samba/log.smbd
New Mode: owner w
Severity: 8

 [1 - include <abstractions/samba>]
  2 - owner /var/log/samba/log.smbd w,
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
Adding include <abstractions/samba> to profile.

Profile:        /usr/sbin/smbd
Network Family: netlink
Socket Type:    raw

 [1 - include <abstractions/nameservice>]
  2 - network netlink raw,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
Adding include <abstractions/nameservice> to profile.
Enforce-mode changes:

Profile:  /usr/bin/node
Path:     /dev/ttyS0
New Mode: owner rw
Severity: 9

 [1 - owner /dev/ttyS0 rw,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
Adding owner /dev/ttyS0 rw, to profile.

.....
.....

# once the profile is complete, switch to [enforce] mode to protect the target application

root@dlp:~#
aa-enforce /usr/sbin/smbd

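While the profile sits in [complain] mode, every operation it would have blocked is only logged (apparmor="ALLOWED" in syslog), so it is useful to see at a glance what [aa-logprof] will ask about and which profiles are currently not protecting anything. The script below is an added example, not part of this page or of the AppArmor tools: it parses AppArmor audit messages (the sample lines are constructed for this example) and groups them into candidate rules per profile, approximating the file and network rules [aa-logprof] suggests above.

```python
import re
from collections import defaultdict

# Constructed sample of AppArmor audit messages as they appear in /var/log/syslog.
# The smbd lines come from a profile in complain mode (ALLOWED = logged only);
# the node line comes from a profile in enforce mode (DENIED = actually blocked).
SAMPLE_LOG = """\
Jul 13 10:01:02 dlp kernel: audit: type=1400 audit(1689242462.101:77): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/var/log/samba/log.smbd" pid=2154 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 13 10:01:02 dlp kernel: audit: type=1400 audit(1689242462.102:78): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/var/log/samba/log.smbd" pid=2154 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 13 10:01:03 dlp kernel: audit: type=1400 audit(1689242463.004:79): apparmor="ALLOWED" operation="create" profile="/usr/sbin/smbd" pid=2154 comm="smbd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Jul 13 10:01:05 dlp kernel: audit: type=1400 audit(1689242465.220:80): apparmor="ALLOWED" operation="open" profile="/usr/sbin/smbd" name="/etc/samba/smb.conf" pid=2154 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 13 10:01:09 dlp kernel: audit: type=1400 audit(1689242469.330:81): apparmor="DENIED" operation="open" profile="/usr/bin/node" name="/dev/ttyS0" pid=3302 comm="node" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit message, or None if not one."""
    if 'apparmor=' not in line:
        return None
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def candidate_rules(log_text):
    """Map each profile to {candidate rule: event count}.

    File events become '[owner ]<path> <mask>,' (owner when fsuid == ouid, an
    approximation of the aa-logprof heuristic); socket events become
    'network <family> <sock_type>,'. Both ALLOWED and DENIED events are counted.
    """
    rules = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if not ev or ev.get('apparmor') not in ('ALLOWED', 'DENIED'):
            continue
        if 'family' in ev:
            rule = f'network {ev["family"]} {ev["sock_type"]},'
        elif 'name' in ev:
            mask = ev.get('denied_mask') or ev.get('requested_mask', '')
            owner = 'owner ' if ev.get('fsuid') == ev.get('ouid') else ''
            rule = f'{owner}{ev["name"]} {mask},'
        else:
            continue
        rules[ev['profile']][rule] += 1
    return {profile: dict(r) for profile, r in rules.items()}


def complain_mode_profiles(log_text):
    """Profiles that logged ALLOWED events, i.e. still in complain mode and not enforcing."""
    events = (parse_audit_line(l) for l in log_text.splitlines())
    return {ev['profile'] for ev in events if ev and ev.get('apparmor') == 'ALLOWED'}
```

On a real host, feed it the output of `journalctl -k` or the contents of /var/log/syslog; the per-profile rule counts show how much learning is still happening before it is safe to run [aa-enforce].
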
[2] The example above uses Samba to show how to create a profile with [aa-autodep]; however, ready-made profiles for well-known, commonly used applications such as Samba are also provided as a package.
root@dlp:~#
apt -y install apparmor-profiles
root@dlp:~#
dpkg -L apparmor-profiles

/.
/etc
/etc/apparmor.d
/etc/apparmor.d/apache2.d
/etc/apparmor.d/apache2.d/phpsysinfo
/etc/apparmor.d/bin.ping
/etc/apparmor.d/local
/etc/apparmor.d/php-fpm
/etc/apparmor.d/samba-bgqd
/etc/apparmor.d/samba-dcerpcd
/etc/apparmor.d/samba-rpcd
/etc/apparmor.d/samba-rpcd-classic
/etc/apparmor.d/samba-rpcd-spoolss
/etc/apparmor.d/sbin.klogd
/etc/apparmor.d/sbin.syslog-ng
/etc/apparmor.d/sbin.syslogd
.....
.....

root@dlp:~#
aa-status

apparmor module is loaded.
32 profiles are loaded.
11 profiles are in enforce mode.
   /usr/bin/man
   /usr/bin/node
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /{,usr/}sbin/dhclient
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
21 profiles are in complain mode.
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   identd
   klogd
   mdnsd
   nmbd
   nscd
   php-fpm
   ping
   samba-bgqd
   samba-dcerpcd
   samba-rpcd
   samba-rpcd-classic
   samba-rpcd-spoolss
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.