
apparmor: Switching to complain mode

Like SELinux, AppArmor can be a source of problems, especially when migrating configurations, so let's see how to switch profiles from enforce to complain mode. In complain mode a profile stays loaded but violations are only logged (as apparmor="ALLOWED" events in the kernel audit log or syslog) instead of being blocked, so it is a troubleshooting step that temporarily removes the confinement, not a state to leave a production host in.

To inspect the AppArmor status and change profile modes we need to install the apparmor-utils package:

apt-get install apparmor-utils

With apparmor_status we can see the loaded profiles and the mode each one is in:

# apparmor_status
apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Running aa-complain on everything found in /etc/apparmor.d/ switches every profile to complain mode (files and directories that are not profiles are simply skipped). Note that aa-complain rewrites each profile file, adding flags=(complain) to its header, and reloads it, so the change persists across reboots; aa-enforce on the same files reverses it. The disable and force-complain directories it skips hold symlinks that the init scripts use to leave a profile unloaded or to force it into complain mode at boot:

# aa-complain /etc/apparmor.d/*
Profile for /etc/apparmor.d/abstractions not found, skipping
Profile for /etc/apparmor.d/cache not found, skipping
Profile for /etc/apparmor.d/disable not found, skipping
Profile for /etc/apparmor.d/force-complain not found, skipping
Profile for /etc/apparmor.d/local not found, skipping
Setting /etc/apparmor.d/sbin.dhclient to complain mode.
Profile for /etc/apparmor.d/tunables not found, skipping
Setting /etc/apparmor.d/usr.sbin.rsyslogd to complain mode.
Setting /etc/apparmor.d/usr.sbin.tcpdump to complain mode.

If we run apparmor_status again we can see that no profiles remain in enforce mode:

# apparmor_status
apparmor module is loaded.
4 profiles are loaded.
0 profiles are in enforce mode.
4 profiles are in complain mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/tcpdump
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
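Once the profiles are in complain mode, the useful output is the log: every access the profile would have blocked is recorded as an apparmor="ALLOWED" event, and those are what need fixing before switching back to enforce. The following script is an added example (not part of the original post): it extracts such events from AppArmor audit lines and summarises which profiles would break in enforce mode. The log lines in SAMPLE_LOG are constructed for the example; they follow the kernel's AppArmor audit field layout (apparmor=, operation=, profile=, name=), and the paths and PIDs in them are made up.

```shell
#!/bin/sh
# Added example, not code from the original page. Summarises complain-mode
# "would have been denied" events (apparmor="ALLOWED") per profile, operation
# and target, so a profile can be fixed before it goes back to enforce mode.

# CONSTRUCTED sample audit lines for offline use (paths, PIDs and timestamps are invented).
SAMPLE_LOG='type=AVC msg=audit(1700000000.001:101): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/ssl/private/key.pem" pid=1234 comm="tcpdump" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000000.002:102): apparmor="ALLOWED" operation="open" profile="/sbin/dhclient" name="/etc/hosts.local" pid=2345 comm="dhclient" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000000.003:103): apparmor="DENIED" operation="exec" profile="/usr/sbin/rsyslogd" name="/bin/sh" pid=3456 comm="rsyslogd" requested_mask="x" denied_mask="x"
type=AVC msg=audit(1700000000.004:104): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=4567 comm="apparmor_parser"
type=AVC msg=audit(1700000000.005:105): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/ssl/private/key.pem" pid=1234 comm="tcpdump" requested_mask="r" denied_mask="r"'

# Print "profile operation name" for every event whose apparmor= result matches $1.
# ALLOWED = complain mode let it through but enforce mode would deny it;
# DENIED  = an actual denial from a profile still in enforce mode.
extract_events() {
    want="$1"
    awk -v want="$want" '
        $0 ~ ("apparmor=\"" want "\"") {
            p = o = n = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^profile=/)   { p = $i; sub(/^profile="/, "", p);   sub(/"$/, "", p) }
                if ($i ~ /^operation=/) { o = $i; sub(/^operation="/, "", o); sub(/"$/, "", o) }
                if ($i ~ /^name=/)      { n = $i; sub(/^name="/, "", n);      sub(/"$/, "", n) }
            }
            if (p != "") print p, o, n
        }'
}

# Number of distinct (profile, operation, target) triples that complain mode waved through.
count_would_deny() {
    printf '%s\n' "$SAMPLE_LOG" | extract_events ALLOWED | sort -u | wc -l | tr -d ' '
}

# Profiles that produced ALLOWED events: these are the ones that would break
# under enforce and need a rule (or a fix in the program) before aa-enforce.
profiles_needing_fix() {
    printf '%s\n' "$SAMPLE_LOG" | extract_events ALLOWED | awk '{print $1}' | sort -u | paste -sd ' ' -
}

# Full per-event tally, most frequent first, as you would read it on a live host.
would_deny_report() {
    printf '%s\n' "$SAMPLE_LOG" | extract_events ALLOWED | sort | uniq -c | sort -rn
}

would_deny_report
```

On a real host feed the kernel log instead of the sample, for example `journalctl -k --since -1h | extract_events ALLOWED | sort | uniq -c | sort -rn`, or with auditd `ausearch -m AVC -ts recent | extract_events ALLOWED`. Once the reported accesses have been added to the profile (or judged to be misbehaviour), put it back with `aa-enforce /etc/apparmor.d/<profile>`; profiles with no ALLOWED events after a representative run can go back to enforce straight away.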
