AppArmor is a security framework similar to SELinux. Its primary role is to control an application's permissions, such as reading/writing a directory or file, opening/reading/writing a network port, and so on.
A description quoted from the Novell website:
AppArmor is designed to provide easy-to-use application security for both servers and workstations. Novell AppArmor is an access control system that lets you specify, per program, which files the program may read, write, and execute. AppArmor secures applications by enforcing good application behavior without relying on attack signatures, so it can prevent attacks even if they are exploiting previously unknown vulnerabilities.
AppArmor specifies an application's permissions through a configuration file (a profile). In most cases you can increase the security of your system by removing unnecessary permissions from an application. I ran into a security problem when creating a private DNS service, and AppArmor caused a problem with a custom MySQL log.
AppArmor is the default choice on Ubuntu, but by default the system ships with very few profiles installed. Additional profiles can be installed with the command sudo apt-get install apparmor-profiles.
On Ubuntu, the command sudo apparmor_status shows the current status of AppArmor.
Before executing sudo apt-get install apparmor-profiles, only the profiles that ship with the system are loaded:
$ sudo apparmor_status
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/networkmanager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
   /sbin/dhclient (471)
   /sbin/dhclient (1088)
   /usr/sbin/mysqld (886)
   /usr/sbin/ntpd (4131)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
After executing the sudo apt-get install apparmor-profiles command:
$ sudo apparmor_status
apparmor module is loaded.
42 profiles are loaded.
9 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/networkmanager/nm-dhcp-client.action
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
33 profiles are in complain mode.
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
4 processes have profiles defined.
4 processes are in enforce mode.
   /sbin/dhclient (581)
   /sbin/dhclient (1115)
   /usr/sbin/mysqld (924)
   /usr/sbin/ntpd (3684)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
You can see that a number of profiles were newly installed. AppArmor profiles are stored in the directory /etc/apparmor.d, and the corresponding log entries are written to /var/log/messages.
AppArmor uses the kernel's standard securityfs mechanism (/sys/kernel/security) to load and monitor profiles. The profiles currently loaded are listed in the virtual file /sys/kernel/security/apparmor/profiles.
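The apparmor_status output above is worth reading mechanically on a fleet: a profile may be loaded in complain mode rather than enforce, and a daemon started before its profile was loaded shows up as "unconfined but have a profile defined". The following added example (not code from the original post) parses that text format; SAMPLE_STATUS is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example: parse apparmor_status text to report (1) which mode confines
# a given binary and (2) which running processes have a profile on disk but
# are not confined by it. SAMPLE_STATUS is a constructed sample, not a capture.
SAMPLE_STATUS='apparmor module is loaded.
6 profiles are loaded.
4 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
2 profiles are in complain mode.
   /usr/sbin/dnsmasq
   /usr/sbin/smbd
4 processes have profiles defined.
3 processes are in enforce mode.
   /sbin/dhclient (471)
   /usr/sbin/mysqld (886)
   /usr/sbin/ntpd (4131)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/dnsmasq (2201)'

# profile_mode BINARY [STATUS_TEXT]: prints enforce, complain or none.
# Without STATUS_TEXT it reads the live status via sudo apparmor_status.
profile_mode() {
  bin="$1"
  text="${2:-$(sudo apparmor_status 2>/dev/null)}"
  printf '%s\n' "$text" | awk -v bin="$bin" '
    /profiles are in enforce mode/    { section = "enforce";  next }
    /profiles are in complain mode/   { section = "complain"; next }
    /processes have profiles defined/ { section = "" }
    section != "" && $1 == bin        { found = section }
    END { print (found != "" ? found : "none") }'
}

# unconfined_with_profile [STATUS_TEXT]: prints "binary (pid)" for every
# process that has a profile defined but is currently running unconfined.
unconfined_with_profile() {
  text="${1:-$(sudo apparmor_status 2>/dev/null)}"
  printf '%s\n' "$text" | awk '
    /unconfined but have a profile defined/ { section = 1; next }
    section && NF                           { print $1, $2 }'
}

profile_mode /usr/sbin/mysqld "$SAMPLE_STATUS"   # enforce
unconfined_with_profile "$SAMPLE_STATUS"         # /usr/sbin/dnsmasq (2201)
```

Run either function without the second argument to query the live host; a non-empty result from unconfined_with_profile means a restart (or reload) is needed before the profile actually applies.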
The commands to start, stop, reload and show the status of AppArmor are as follows:
Start: sudo /etc/init.d/apparmor start
Stop: sudo /etc/init.d/apparmor stop
Reload: sudo /etc/init.d/apparmor reload
Show status: sudo /etc/init.d/apparmor status
Original article: What is Ubuntu AppArmor?