Ubuntu Unleashed 2019 Edition: Covering 18.04, 18.10, 19.04


can even use it to configure NAT routers. For more, see the man pages for
iptables and its IPv6 cousin, ip6tables.


nftables is the newer firewalling framework that is gradually replacing
iptables. It is considered stable and suitable for production use, but on
these Ubuntu releases iptables is still the default front end. If you would
rather learn nftables now than wait for it to become the default, see the
official documentation at
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page.


AppArmor


AppArmor is a mandatory access control (MAC) system. It is less
complicated than the better-known SELinux (https://selinuxproject.org/), a
MAC framework originally created by the U.S. National Security Agency (NSA),
largely because it identifies programs by their path rather than by security
labels. AppArmor limits what specific programs can do by restricting each one
to a predetermined set of resources (files, capabilities, network access) and
nothing else. This is done via profiles, text files that are compiled and
loaded into the kernel at boot. A profile can run in complain mode, where
accesses that violate it are logged but still allowed, or in enforce mode,
where a violating access is logged and refused.


This section provides a brief introduction to AppArmor. For a fuller
introduction, check the links listed in the “References” section at the end of
this chapter.


Out of the box, Ubuntu enforces only the profiles shipped with a handful of
packages (run sudo aa-status to see which). You can install more from the
Ubuntu repositories with the apparmor-profiles package. These extra profiles
run in complain mode and log the accesses they would have blocked to the
kernel log, which you can read with dmesg or journalctl -k; on a default
install the messages also land in /var/log/syslog and /var/log/kern.log,
or in /var/log/audit/audit.log if auditd is installed.


To unleash the power of AppArmor, you need to edit or create text files in
/etc/apparmor.d. A profile file is named for the application it restricts,
using the full path of the binary with the leading slash dropped and the
remaining slashes replaced by dots. For example, the file
usr.sbin.rsyslogd, shown here, restricts the system logging daemon,
/usr/sbin/rsyslogd:


# Last Modified: Sun Sep 25 08:58:35 2011
#include <tunables/global>

# Debugging the syslogger can be difficult if it can't write to the file
# that the kernel is logging denials to. In these cases, you can do the
# following:
#
# watch -n 1 'dmesg | tail -5'

/usr/sbin/rsyslogd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability sys_tty_config,
  capability dac_override,
  capability dac_read_search,
  capability setuid,
  capability setgid,
  capability
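As an added example (not code from the book or from the AppArmor project), the following shell script ties the pieces above together for a hypothetical daemon, /usr/local/bin/backupd: it derives the profile file name from the binary path, writes a minimal profile, loads it in complain mode, and summarizes what the kernel logged so you can turn the noise into rules. The daemon, its profile and the audit lines in SAMPLE_LOG are constructed for illustration; the summary shows the one thing people trip over, which is that complain mode logs would-be violations as apparmor="ALLOWED", not "DENIED".

```shell
#!/usr/bin/env bash
# Added example: a small AppArmor workflow. /usr/local/bin/backupd, its
# profile and SAMPLE_LOG are constructed for illustration.
set -eu

# AppArmor names profile files after the confined binary: drop the leading
# slash and turn the remaining slashes into dots, so /usr/sbin/rsyslogd is
# confined by /etc/apparmor.d/usr.sbin.rsyslogd.
profile_name_for() {
    printf '%s\n' "$1" | sed 's#^/##; s#/#.#g'
}

# Emit a minimal profile for the hypothetical daemon: it may read its config
# and the tree under /srv and write only under /var/backups. Anything else
# is refused in enforce mode and logged in complain mode.
render_profile() {
    local bin=$1
    cat <<EOF
#include <tunables/global>

$bin {
  #include <abstractions/base>

  capability dac_read_search,

  $bin mr,
  /etc/backup.conf r,
  /srv/** r,
  /var/backups/** rw,
}
EOF
}

# Write the profile, load it into the kernel and put it in the requested mode
# (complain to observe, enforce once the summary below shows no surprises).
# Needs root and the apparmor-utils package; it is defined but not called here.
load_profile() {
    local bin=$1 mode=${2:-complain} name
    name=$(profile_name_for "$bin")
    render_profile "$bin" > "/etc/apparmor.d/$name"
    apparmor_parser -r "/etc/apparmor.d/$name"   # compile and (re)load
    case $mode in
        complain) aa-complain "/etc/apparmor.d/$name" ;;
        enforce)  aa-enforce  "/etc/apparmor.d/$name" ;;
        *) echo "mode must be complain or enforce" >&2; return 1 ;;
    esac
}

# Summarize AppArmor events read from stdin (dmesg, journalctl -k or the
# syslog/audit file). Complain mode records each would-be violation as
# apparmor="ALLOWED"; enforce mode records apparmor="DENIED". Profile load
# messages (apparmor="STATUS") are skipped. Output: count, status, profile,
# operation and the file (or capability) involved, most frequent first.
summarize_events() {
    awk '
    # Pull key="value" out of the line. The leading space keeps a lookup
    # for name= from matching inside capname=.
    function field(key) {
        if (match($0, " " key "=\"[^\"]*\""))
            return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        return ""
    }
    {
        status = field("apparmor")
        if (status != "ALLOWED" && status != "DENIED") next
        target = field("name")
        if (target == "") target = "capability:" field("capname")
        counts[status " " field("profile") " " field("operation") " " target]++
    }
    END { for (k in counts) printf "%d %s\n", counts[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed kernel-log excerpt: a profile load, three complain-mode events
# for backupd and one enforce-mode denial for rsyslogd.
SAMPLE_LOG='
audit: type=1400 audit(1556000001.000:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/local/bin/backupd" pid=900 comm="apparmor_parser"
audit: type=1400 audit(1556000002.000:11): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/backupd" name="/etc/shadow" pid=1234 comm="backupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1556000003.000:12): apparmor="ALLOWED" operation="open" profile="/usr/local/bin/backupd" name="/etc/shadow" pid=1234 comm="backupd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1556000004.000:13): apparmor="ALLOWED" operation="capable" profile="/usr/local/bin/backupd" pid=1234 comm="backupd" capability=1 capname="dac_override"
audit: type=1400 audit(1556000005.000:14): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/root/.bash_history" pid=777 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'

# Usage: on a real system, replace the sample with `dmesg | summarize_events`.
printf '%s\n' "$SAMPLE_LOG" | summarize_events
```

Each ALLOWED line in the summary is an access that enforce mode would refuse, so before running aa-enforce either add a rule for it (here, backupd reading /etc/shadow and using dac_override is a sign the program is doing more than it should, not a reason to widen the profile) or fix the program. aa-logprof from apparmor-utils walks the same log interactively and proposes rules for you.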