AppArmor with systemd and grub

Hi,
I'm trying to use AppArmor for security by following the wiki

https://wiki.debian.org/AppArmor/HowToUse

Right from the installation it doesn't work:

[code]update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Job for apparmor.service failed. See 'systemctl status apparmor.service' and 'journalctl -xn' for details.
invoke-rc.d: initscript apparmor, action "start" failed.[/code]

I check the status from systemd's side

[code]root@desktop:/etc/apt# systemctl status apparmor
● apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor)
Active: failed (Result: exit-code) since lun. 2016-01-04 16:35:10 CET; 57s ago

janv. 04 16:35:10 desktop apparmor[5831]: Starting AppArmor profiles:AppArmor not available…M…
janv. 04 16:35:10 desktop apparmor[5831]: failed!
janv. 04 16:35:10 desktop systemd[1]: apparmor.service: control process exited, code=exited…s=1
janv. 04 16:35:10 desktop systemd[1]: Failed to start LSB: AppArmor initialization.
janv. 04 16:35:10 desktop systemd[1]: Unit apparmor.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.[/code]

A bit of searching and I find this command

[code]root@desktop:/etc/apt# systemctl enable apparmor
Synchronizing state for apparmor.service with sysvinit using update-rc.d...
Executing /usr/sbin/update-rc.d apparmor defaults
Executing /usr/sbin/update-rc.d apparmor enable[/code]

But that's not enough

[code]root@desktop:/etc/apt# systemctl stop apparmor
root@desktop:/etc/apt# systemctl start apparmor
Job for apparmor.service failed. See 'systemctl status apparmor.service' and 'journalctl -xn' for details.
root@desktop:/etc/apt# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor)
Active: failed (Result: exit-code) since lun. 2016-01-04 16:42:35 CET; 26s ago
Process: 6205 ExecStart=/etc/init.d/apparmor start (code=exited, status=1/FAILURE)
root@desktop:/etc/apt# journalctl -xn
-- Logs begin at lun. 2016-01-04 12:26:04 CET, end at lun. 2016-01-04 16:42:35 CET. --
janv. 04 16:35:10 desktop systemd[1]: Failed to start LSB: AppArmor initialization.
-- Subject: L’unité (unit) apparmor.service a échoué
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- L’unité (unit) apparmor.service a échoué, avec le résultat failed.
janv. 04 16:35:10 desktop systemd[1]: Unit apparmor.service entered failed state.
janv. 04 16:35:15 desktop systemd-sysv-generator[6101]: Overwriting existing symlink /run/systemd
janv. 04 16:37:46 desktop systemd-sysv-generator[6161]: Overwriting existing symlink /run/systemd
janv. 04 16:37:46 desktop systemd-sysv-generator[6175]: Overwriting existing symlink /run/systemd
janv. 04 16:42:34 desktop apparmor[6205]: Starting AppArmor profiles:AppArmor not available as ke
janv. 04 16:42:34 desktop apparmor[6205]: failed!
janv. 04 16:42:35 desktop systemd[1]: apparmor.service: control process exited, code=exited statu
janv. 04 16:42:35 desktop systemd[1]: Failed to start LSB: AppArmor initialization.
-- Subject: L’unité (unit) apparmor.service a échoué
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- L’unité (unit) apparmor.service a échoué, avec le résultat failed.
janv. 04 16:42:35 desktop systemd[1]: Unit apparmor.service entered failed state.[/code]

[code]root@desktop:/etc/apt# cat /sys/module/apparmor/parameters/enabled
N[/code]

What to do?

I find this
github.com/awailly/cis-ubuntu-ansible/issues/22

In Debian 8 Jessie:

[code]vim /etc/default/grub
GRUB_CMDLINE_LINUX=apparmor="1 security=apparmor"[/code]

But in my grub there is already this

And I don't even know why I have that??

What is the syntax to put the 2 options together?

The error message is clear, though.

[quote="grandtoubab"]I find this
github.com/awailly/cis-ubuntu-ansible/issues/22

In Debian 8 Jessie:

[code]vim /etc/default/grub
GRUB_CMDLINE_LINUX=apparmor="1 security=apparmor"[/code]

But in my grub there is already this

And I don't even know why I have that??

What is the syntax to put the 2 options together?[/quote]
You have to run this command

And it becomes this
[code]root@desktop:/etc/default# cat grub | grep CMDLINE
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="initrd=/install/gtk/initrd.gz apparmor=1 security=apparmor"[/code]
moving on

[code]#update-grub

reboot[/code]

All good

[code]root@desktop:/# systemctl status apparmor -l
● apparmor.service - LSB: AppArmor initialization
Loaded: loaded (/etc/init.d/apparmor)
Active: active (exited) since lun. 2016-01-04 17:23:25 CET; 1min 29s ago
Process: 412 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

janv. 04 17:23:13 desktop apparmor[412]: Starting AppArmor profiles:Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
janv. 04 17:23:25 desktop apparmor[412]: .
root@desktop:/# aa-status
apparmor module is loaded.
42 profiles are loaded.
7 profiles are in enforce mode.
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser//sanitized_helper
/usr/lib/cups/backend/cups-pdf
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
35 profiles are in complain mode.
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/chromium-browser/chromium-browser
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
/usr/lib/chromium-browser/chromium-browser//lsb_release
/usr/lib/chromium-browser/chromium-browser//xdgsettings
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/sbin/smbldap-useradd
/usr/sbin/smbldap-useradd///etc/init.d/nscd
/usr/{sbin/traceroute,bin/traceroute.db}
/{usr/,}bin/ping
4 processes have profiles defined.
2 processes are in enforce mode.
/usr/sbin/cups-browsed (833)
/usr/sbin/cupsd (832)
2 processes are in complain mode.
/usr/sbin/avahi-daemon (753)
/usr/sbin/avahi-daemon (784)
0 processes are unconfined but have a profile defined.[/code]

Actually I notice that my 2 lines in grub are inverted.
gnu.org/software/grub/manual … figuration
[i]‘GRUB_CMDLINE_LINUX’
Command-line arguments to add to menu entries for the Linux kernel.

‘GRUB_CMDLINE_LINUX_DEFAULT’
Unless ‘GRUB_DISABLE_RECOVERY’ is set to ‘true’, two menu entries will be generated for each Linux kernel: one default entry and one entry for recovery mode. This option lists command-line arguments to add only to the default menu entry, after those listed in ‘GRUB_CMDLINE_LINUX’.[/i]

I want to start AppArmor only in normal (default) mode, no need for it in recovery.
So it's better like this:
[code]root@desktop:/etc/default# cat grub | grep CMD
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"
GRUB_CMDLINE_LINUX=""[/code]

still OK

[code]root@desktop:/etc/default# aa-status
apparmor module is loaded.
63 profiles are loaded.
28 profiles are in enforce mode.
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//sanitized_helper
/usr/bin/irssi
/usr/bin/pidgin
/usr/bin/pidgin//launchpad_integration
/usr/bin/pidgin//sanitized_helper
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser//sanitized_helper
/usr/lib/cups/backend/cups-pdf
/usr/lib/firefox/firefox{,*[^s][^h]}
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
/usr/sbin/apt-cacher-ng
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/ntpd
/usr/sbin/tcpdump
gst_plugin_scanner
35 profiles are in complain mode.
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/chromium-browser/chromium-browser
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
/usr/lib/chromium-browser/chromium-browser//lsb_release
/usr/lib/chromium-browser/chromium-browser//xdgsettings
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/sbin/smbldap-useradd
/usr/sbin/smbldap-useradd///etc/init.d/nscd
/usr/{sbin/traceroute,bin/traceroute.db}
/{usr/,}bin/ping
5 processes have profiles defined.
3 processes are in enforce mode.
/usr/sbin/cups-browsed (899)
/usr/sbin/cupsd (897)
/usr/sbin/ntpd (772)
2 processes are in complain mode.
/usr/sbin/avahi-daemon (739)
/usr/sbin/avahi-daemon (763)
0 processes are unconfined but have a profile defined.
root@desktop:/etc/default#[/code]
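A small POSIX sh check for the fix worked out above, added here as an example and not part of the thread: it confirms that apparmor=1 and security=apparmor end up on the default grub entry (GRUB_CMDLINE_LINUX_DEFAULT is appended after GRUB_CMDLINE_LINUX, so either line counts), and on a live box also reads /proc/cmdline and the "enabled" flag that showed N before the reboot. The function names and the sample config are mine.

```shell
#!/bin/sh
# Added example, not from the thread: check that the two kernel parameters the
# thread settles on (apparmor=1 security=apparmor) reach the default boot entry.
# cmdline_has_apparmor CMDLINE: returns 0 when both parameters are present.
cmdline_has_apparmor() {
    has_aa=1; has_sec=1
    for arg in $1; do
        case "$arg" in
            apparmor=1)        has_aa=0 ;;
            security=apparmor) has_sec=0 ;;
        esac
    done
    [ "$has_aa" -eq 0 ] && [ "$has_sec" -eq 0 ]
}

# grub_value KEY < /etc/default/grub: print KEY's value with the quotes stripped.
grub_value() {
    sed -n "s/^$1=\"\(.*\)\"[[:space:]]*$/\1/p"
}

# grub_ok < /etc/default/grub: returns 0 when the default entry enables AppArmor.
# grub appends GRUB_CMDLINE_LINUX_DEFAULT after GRUB_CMDLINE_LINUX, so both count.
grub_ok() {
    conf=$(cat)
    linux=$(printf '%s\n' "$conf" | grub_value GRUB_CMDLINE_LINUX)
    default=$(printf '%s\n' "$conf" | grub_value GRUB_CMDLINE_LINUX_DEFAULT)
    cmdline_has_apparmor "$linux $default"
}

# Constructed sample: the configuration the thread ends up with.
SAMPLE_GRUB='GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"
GRUB_CMDLINE_LINUX=""'

# Live check: the file update-grub reads, the running kernel's command line,
# and the module flag that read "N" in the thread before the fix.
check_live() {
    if grub_ok < /etc/default/grub; then
        echo "/etc/default/grub: OK (run update-grub, then reboot)"
    else
        echo "/etc/default/grub: apparmor=1 security=apparmor missing"
    fi
    if cmdline_has_apparmor "$(cat /proc/cmdline)"; then
        echo "/proc/cmdline: OK"
    else
        echo "/proc/cmdline: AppArmor not enabled on this boot"
    fi
    [ -r /sys/module/apparmor/parameters/enabled ] &&
        echo "module enabled: $(cat /sys/module/apparmor/parameters/enabled)"
}
```

Run `check_live` as root after editing the file; a machine that still prints "N" has not been rebooted onto the new command line yet.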

Hi,
Same thing on Debian 9 Stretch.

With

[code]GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"[/code]

AppArmor starts!

[code]# aa-status
apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cups-browsed (1394) 
   /usr/sbin/cupsd (1350) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.[/code]

But it's still not right as seen from systemd

[code]# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since mer. 2016-05-11 12:48:19 CEST; 51min
     Docs: man:systemd-sysv-generator(8)
  Process: 1158 ExecStart=/etc/init.d/apparmor start (code=exited, status=123)

mai 11 12:48:12 debian systemd[1]: Starting LSB: AppArmor initialization...
mai 11 12:48:14 debian apparmor[1158]: Starting AppArmor profiles:AppArmor parse
mai 11 12:48:18 debian apparmor[1158]: AppArmor parser error for /etc/apparmor.d
mai 11 12:48:19 debian apparmor[1158]:  failed!
mai 11 12:48:19 debian systemd[1]: apparmor.service: Control process exited, cod
mai 11 12:48:19 debian systemd[1]: Failed to start LSB: AppArmor initialization.
mai 11 12:48:19 debian systemd[1]: apparmor.service: Unit entered failed state.
mai 11 12:48:19 debian systemd[1]: apparmor.service: Failed with result 'exit-co[/code]

there was an error in the ntp AppArmor profile