AppArmor 是一款與SeLinux類似的安全框架/工具,其主要作用是控制應用程序的各種權限,例如對某個目錄/文件的讀/寫,對網絡端口的打開/讀/寫等等。
來之Novell網站的引用:
AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify per program which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities
AppArmor通過一個配置文件(即profile)來指定一個應用程序的相關權限。在大多數情況下,可以通過限制應用程序的某些不必要的權限來提升系統安全性,本人在 打造私有的DNS 服務 和 apparmor 引起自定義mysql 日志問題 就遇到了安全問題
AppArmor是 Ubuntu 的默認選擇,但在默認情況下,系統自帶安裝的profile配置文件很少,通過命令:sudo apt-get install apparmor-profiles,可以安裝額外的AppArmor-profile文件。
在Ubuntu下通過命令sudo apparmor_status可以查看當前AppArmor的狀態。
執行sudo apt-get install apparmor-profiles命令之前的自帶profile配置:
$ sudo apparmor_status apparmor module is loaded. 6 profiles are loaded. 6 profiles are in enforce mode. /sbin/dhclient /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/connman/scripts/dhclient-script /usr/sbin/mysqld /usr/sbin/ntpd /usr/sbin/tcpdump 0 profiles are in complain mode. 4 processes have profiles defined. 4 processes are in enforce mode. /sbin/dhclient (471) /sbin/dhclient (1088) /usr/sbin/mysqld (886) /usr/sbin/ntpd (4131) 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.
執行sudo apt-get install apparmor-profiles命令之后的情況:
$ sudo apparmor_status
apparmor module is loaded.
42 profiles are loaded.
9 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser//sanitized_helper
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/mysqld
/usr/sbin/ntpd
/usr/sbin/tcpdump
33 profiles are in complain mode.
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/chromium-browser/chromium-browser
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
/usr/lib/chromium-browser/chromium-browser//lsb_release
/usr/lib/chromium-browser/chromium-browser//xdgsettings
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/{sbin/traceroute,bin/traceroute.db}
/{usr/,}bin/ping
4 processes have profiles defined.
4 processes are in enforce mode.
/sbin/dhclient (581)
/sbin/dhclient (1115)
/usr/sbin/mysqld (924)
/usr/sbin/ntpd (3684)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
可以看到新安裝了一些profile配置文件。Apparmor的profile配置文件均保存在目錄/etc/apparmor.d,對應的日志文件記錄在/var/log/messages。
Apparmor使用內核標准安全文件系統機制(/sys/kernel/security)來加載和監控profiles文件。而虛擬文件/sys/kernel/security/apparmor/profiles里記錄了當前加載的profiles文件。
重啟apparmor,Apparmor的啟動、停止等操作的相關命令如下:
Start : sudo /etc/init.d/apparmor start
Stop : sudo /etc/init.d/apparmor stop
reload: sudo /etc/init.d/apparmor reload
Show status: sudo /etc/init.d/apparmor status
原文地址: Ubuntu apparmor何方神聖
標簽: apparmor ubuntu mysql dns