AppArmor Quick Start

AppArmor is an implementation of mandatory access control (MAC) in the Linux kernel, and it is enabled by default on distributions such as Ubuntu. Compared with SELinux, AppArmor is relatively simple and easy to use, which makes it better suited to everyday use. Below we take node_exporter as an example to show how to apply AppArmor quickly.

Install apparmor-utils

apt install -y apparmor-utils

Run aa-genprof

root@gw:~# aa-genprof /usr/bin/node_exporter
        not a dynamic executable
Writing updated profile for /usr/bin/node_exporter.
Setting /usr/bin/node_exporter to complain mode.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Profiling: /usr/bin/node_exporter

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in 
order to scan the system logs for AppArmor events. 

For each AppArmor event, you will be given the 
opportunity to choose whether the access should be 
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish

At this point it enters a waiting state. Do not press any key, or you will interrupt it.

Open a new window and start node_exporter (here I start it with systemd):

systemctl start node_exporter

For reference, the service file **/lib/systemd/system/node_exporter.service**:

[Unit]
Description=node_exporter
After=network.target
[Service]
Type=simple
User=root
ExecStart=/usr/bin/node_exporter --collector.systemd
Restart=on-failure
[Install]
WantedBy=multi-user.target

Wait a moment so that node_exporter gets scraped; the accesses it makes while serving a scrape are what aa-genprof will find in the log.

Go back to the aa-genprof window:

[(S)can system log for AppArmor events] / (F)inish

Press S to scan the system log. The following appears:

Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile:    /usr/bin/node_exporter
Capability: net_admin
Severity:   8

 [1 - capability net_admin,]
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish

It seems that programs written in Go all need the net_admin capability. Just press A here to allow it.
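The (S)can step above reads exactly these kernel audit lines from /var/log/syslog. As an added example, not code from the original post, here is a small POSIX shell/awk filter that condenses them into one line per event, so you can review what a complain-mode profile recorded, or what an enforce-mode profile actually blocked, before deciding on each rule. The function names aa_summarize_log and aa_denied_resources are my own, and the sample log lines are constructed for this example rather than captured from the author's host.

```shell
#!/bin/sh
# Summarize AppArmor audit events the way aa-genprof's (S)can step consumes them.
# The sample lines below are CONSTRUCTED for this example. Their field layout
# follows the kernel audit format (type=1400 ... apparmor="..." operation="..."
# profile="..." name="..."), so the same function works on /var/log/syslog or
# on `journalctl -k` output.
AA_SAMPLE_LOG='Jan 10 12:00:01 gw kernel: [ 123.456] audit: type=1400 audit(1700000000.123:45): apparmor="ALLOWED" operation="capable" profile="/usr/bin/node_exporter" pid=191273 comm="node_exporter" capability=12  capname="net_admin"
Jan 10 12:00:01 gw kernel: [ 123.457] audit: type=1400 audit(1700000000.124:46): apparmor="ALLOWED" operation="open" profile="/usr/bin/node_exporter" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=191273 comm="node_exporter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 12:00:02 gw kernel: [ 124.000] audit: type=1400 audit(1700000001.000:47): apparmor="DENIED" operation="open" profile="/usr/bin/node_exporter" name="/root/notes.txt" pid=191273 comm="node_exporter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 12:00:02 gw systemd[1]: Started node_exporter.'

# aa_summarize_log: read syslog lines on stdin and print one line per AppArmor
# event as "PROFILE STATUS OPERATION RESOURCE". STATUS is ALLOWED for a profile
# in complain mode (logged but not blocked) and DENIED for enforce mode.
# Limitation: paths containing spaces are split by awk's default field handling.
aa_summarize_log() {
    awk '
    /apparmor="/ {
        status = ""; op = ""; prof = ""; res = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue            # e.g. audit(...):, not a key=value pair
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)               # strip the quotes around values
            if (key == "apparmor")       status = val
            else if (key == "operation") op = val
            else if (key == "profile")   prof = val
            else if (key == "name")      res = val   # file path
            else if (key == "capname")   res = val   # capability name
        }
        print prof, status, op, res
    }'
}

# aa_denied_resources: only the events an enforce-mode profile blocked,
# de-duplicated. After deployment, each line here is either a missing rule
# or activity the profile is meant to keep blocking.
aa_denied_resources() {
    aa_summarize_log | awk '$2 == "DENIED" { print $1, $3, $4 }' | sort -u
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$AA_SAMPLE_LOG" | aa_summarize_log
```

In complain mode every access is logged as ALLOWED and still permitted, so a long ALLOWED list is normal while profiling; once the profile is enforcing, a DENIED line means either a rule is missing or the program did something the profile is supposed to stop. Against the real log you can run `grep 'apparmor=' /var/log/syslog | aa_summarize_log | sort | uniq -c` to see how often each access occurs.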

Another prompt appears:

Profile:  /usr/bin/node_exporter
Path:     /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
New Mode: owner r
Severity: 4

 [1 - owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish

Here you can simply press A to allow it, or press G to widen the path into a glob; G can be pressed several times, with the following effect:

Profile:  /usr/bin/node_exporter
Path:     /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
New Mode: owner r
Severity: 4

  1 - owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, 
  2 - owner /sys/kernel/mm/transparent_hugepage/* r, 
  3 - owner /sys/kernel/mm/** r, 
  4 - owner /sys/kernel/** r, 
 [5 - owner /sys/** r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish

Pressing A at this point allows reading every file and directory under /sys.
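To judge how far each press of G widens the rule, here is an added shell function, not part of the original post, that reproduces the candidate list above for any path: first the exact file, then its directory with `*`, then each ancestor directory with the recursive `**`. The function names aa_glob_candidates and aa_glob_level are my own; the widening order is taken from the aa-genprof output shown above.

```shell
#!/bin/sh
# Reproduce aa-genprof's (G)lob widening sequence for a file rule.
# Usage: aa_glob_candidates PATH [PERMS] [PREFIX]
#   PATH   absolute path from the AppArmor event
#   PERMS  access mode, default "r"
#   PREFIX optional rule prefix such as "owner"
# Prints one candidate rule per line, narrowest first.
aa_glob_candidates() {
    path=$1
    perms=${2:-r}
    prefix="${3:+$3 }"          # trailing space only when a prefix is given

    # Candidate 1: the exact path, which is what (A)llow would write.
    printf '%s%s %s,\n' "$prefix" "$path" "$perms"

    dir=${path%/*}
    [ -n "$dir" ] || return 0   # file directly under "/": nothing to widen

    # Candidate 2: every file in the same directory ("*" does not cross "/").
    printf '%s%s/* %s,\n' "$prefix" "$dir" "$perms"

    # Candidates 3..N: each ancestor directory with "**", which matches
    # across every subdirectory. Stops at the top-level directory so that
    # a blanket "/**" is never offered.
    while [ -n "${dir%/*}" ]; do
        dir=${dir%/*}
        printf '%s%s/** %s,\n' "$prefix" "$dir" "$perms"
    done
}

# aa_glob_level N PATH [PERMS] [PREFIX]: the rule selected after N-1 presses of G.
aa_glob_level() {
    level=$1
    shift
    aa_glob_candidates "$@" | sed -n "${level}p"
}

# Stand-alone demonstration with the path from the prompt above.
aa_glob_candidates /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r owner
```

Each step up trades maintenance effort for privilege: option 5 lets the process read the entire sysfs tree, far more than the single hugepage file it asked for. The narrowest entry that still keeps node_exporter working is the better choice, and `**` deserves particular care because it matches every subdirectory below the point where it appears.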

Repeat the steps above until it stops asking about permissions and instead shows:

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

 [1 - /usr/bin/node_exporter]
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t

Press S to save the profile. It automatically returns to the waiting state:

Writing updated profile for /usr/bin/node_exporter.

Profiling: /usr/bin/node_exporter

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in 
order to scan the system logs for AppArmor events. 

For each AppArmor event, you will be given the 
opportunity to choose whether the access should be 
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish

Press F to exit.

Run aa-status to check the AppArmor state; the profile now appears under enforce mode:

   ...
33 processes are in enforce mode.
   ...
   /usr/bin/node_exporter (191273) 
   ...

Congratulations: node_exporter is now wearing its armor!
