第26回　アクセスを制限する（AppArmor）

強制アクセス制御を操作する

Ubuntu Server 16.04 LTSには、AppArmorのツールやプロファイルがすべてインストールされているわけでありません。次のコマンドを実行して、これらをパッケージでインストールします。

$ sudo apt install apparmor-profiles apparmor-utils

1	$ sudo apt install apparmor-profiles apparmor-utils

/etc/apparmor.dディレクトリーの下にプロファイルが追加されたので、enforceやcomplainのモードに切り替えてみましょう。
まずは、aa-statusコマンドで、AppArmorの状態を確認します。

$ sudo aa-status
apparmor module is loaded.
53 profiles are loaded.
16 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/lxc-start
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/lxd/lxd-bridge-proxy
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/tcpdump
   lxc-container-default
   lxc-container-default-cgns
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
37 profiles are in complain mode.
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
   /usr/lib/chromium-browser/chromium-browser//lsb_release
   /usr/lib/chromium-browser/chromium-browser//xdgsettings
   /usr/lib/dovecot/anvil
   /usr/lib/dovecot/auth
   /usr/lib/dovecot/config
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dict
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/dovecot-lda
   /usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/lmtp
   /usr/lib/dovecot/log
   /usr/lib/dovecot/managesieve
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/lib/dovecot/ssl-params
   /usr/sbin/avahi-daemon
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/smbldap-useradd
   /usr/sbin/smbldap-useradd///etc/init.d/nscd
   /usr/{sbin/traceroute,bin/traceroute.db}
   /{usr/,}bin/ping
   klogd
   syslog-ng
   syslogd
1 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (1127)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

$ sudo aa-status

apparmor module is loaded.

53 profiles are loaded.

16 profiles are in enforce mode.

/sbin/dhclient

/usr/bin/lxc-start

/usr/lib/NetworkManager/nm-dhcp-client.action

/usr/lib/NetworkManager/nm-dhcp-helper

/usr/lib/chromium-browser/chromium-browser//browser_java

/usr/lib/chromium-browser/chromium-browser//browser_openjdk

/usr/lib/chromium-browser/chromium-browser//sanitized_helper

/usr/lib/connman/scripts/dhclient-script

/usr/lib/lxd/lxd-bridge-proxy

/usr/lib/snapd/snap-confine

/usr/lib/snapd/snap-confine//mount-namespace-capture-helper

/usr/sbin/tcpdump

lxc-container-default

lxc-container-default-cgns

lxc-container-default-with-mounting

lxc-container-default-with-nesting

37 profiles are in complain mode.

/usr/lib/chromium-browser/chromium-browser

/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox

/usr/lib/chromium-browser/chromium-browser//lsb_release

/usr/lib/chromium-browser/chromium-browser//xdgsettings

/usr/lib/dovecot/anvil

/usr/lib/dovecot/auth

/usr/lib/dovecot/config

/usr/lib/dovecot/deliver

/usr/lib/dovecot/dict

/usr/lib/dovecot/dovecot-auth

/usr/lib/dovecot/dovecot-lda

/usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail

/usr/lib/dovecot/imap

/usr/lib/dovecot/imap-login

/usr/lib/dovecot/lmtp

/usr/lib/dovecot/log

/usr/lib/dovecot/managesieve

/usr/lib/dovecot/managesieve-login

/usr/lib/dovecot/pop3

/usr/lib/dovecot/pop3-login

/usr/lib/dovecot/ssl-params

/usr/sbin/avahi-daemon

/usr/sbin/dnsmasq

/usr/sbin/dnsmasq//libvirt_leaseshelper

/usr/sbin/dovecot

/usr/sbin/identd

/usr/sbin/mdnsd

/usr/sbin/nmbd

/usr/sbin/nscd

/usr/sbin/smbd

/usr/sbin/smbldap-useradd

/usr/sbin/smbldap-useradd///etc/init.d/nscd

/usr/{sbin/traceroute,bin/traceroute.db}

/{usr/,}bin/ping

klogd

syslog-ng

syslogd

1 processes have profiles defined.

1 processes are in enforce mode.

/sbin/dhclient (1127)

0 processes are in complain mode.

0 processes are unconfined but have a profile defined.

ページ: 1 2 3 4 5 6

第26回 アクセスを制限する（AppArmor）

強制アクセス制御を操作する

第26回　アクセスを制限する（AppArmor）