On 17-10-2018 at 09:52:06 +0300, Reco wrote:
> And, finally, /var/log/audit/audit.log if you have auditd installed
> (hint - install it if you don't).
>> grep apache /var/log/audit/audit.log
>> type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fe220cac22a a1=80000 a2=1b6 a3=80000 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
>> type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> type=SYSCALL msg=audit(1539750555.347:77): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2219b6f70 a1=80000 a2=1b6 a3=ffffffffffffff7f items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
>> type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>> Seems fine to me.
> On the contrary. These show that the apache2 binary was denied from reading
> /etc/gai.conf *and* /etc/apache2/apache2.conf by some Mandatory Access
> Control (audit record type AVC).
> Since you're using Debian, I suspect AppArmor.
> First things first, AppArmor (and any kind of MAC) is a good thing,
> especially in your typical server environment. They'll suggest that you
> disable it - don't. Lowering the overall security of your OS is not worth
> it.
> Second, Debian does not provide AppArmor profiles for Apache. Whatever
> profile is active in your installation is a result of local
> misconfiguration.
> Third, it's fixable. Install apparmor-utils.
> Invoke 'aa-complain /usr/sbin/apache2'.
> Start your apache2 service, stop it and start it again.
> Make some GET/PUT requests to it.
> Invoke 'aa-logprof' and generate an AppArmor profile that's uniquely suited
> for your environment.
Here, I get
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Target profile exists: /etc/apparmor.d/usr.bin.nvidia-modprobe
Profile: libreoffice-soffice
Execute: /usr/bin/nvidia-modprobe
Severity: unknown
(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny /
Abo(r)t / (F)inish
What am I expected to do here?
Also, aa-status spits out
apparmor module is loaded.
63 profiles are loaded.
22 profiles are in enforce mode.
/usr/lib/cups/backend/cups-pdf
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/lib/telepathy/telepathy-*//pxgsettings
/usr/lib/telepathy/telepathy-*//sanitized_helper
/usr/lib/telepathy/telepathy-ofono
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/libvirtd
/usr/sbin/libvirtd//qemu_bridge_helper
/usr/sbin/mysqld-akonadi
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld
libreoffice-senddoc
libreoffice-soffice//gpg
libreoffice-xpdfimport
thunderbird
thunderbird//browser_java
thunderbird//browser_openjdk
thunderbird//gpg
thunderbird//sanitized_helper
virt-aa-helper
41 profiles are in complain mode.
/usr/bin/nvidia-modprobe
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/dovecot-lda
/usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/lmtp
/usr/lib/dovecot/log
/usr/lib/dovecot/managesieve
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/lib/dovecot/ssl-params
/usr/sbin/apache2
/usr/sbin/apache2//DEFAULT_URI
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
/usr/sbin/avahi-daemon
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/sbin/smbldap-useradd
/usr/sbin/smbldap-useradd///etc/init.d/nscd
/usr/{sbin/traceroute,bin/traceroute.db}
klogd
libreoffice-oopslash
libreoffice-soffice
libreoffice-soffice//null-/usr/bin/nvidia-modprobe
libreoffice-soffice//null-/usr/bin/nvidia-modprobe//null-/bin/kmod
ping
syslog-ng
syslogd
15 processes have profiles defined.
3 processes are in enforce mode.
/usr/sbin/cups-browsed (25039)
/usr/sbin/cupsd (25038)
thunderbird (12250)
3 processes are in complain mode.
/usr/sbin/apache2 (11894)
/usr/sbin/apache2 (12019)
/usr/sbin/apache2 (12020)
9 processes are unconfined but have a profile defined.
/usr/sbin/avahi-daemon (1196)
/usr/sbin/avahi-daemon (1278)
/usr/sbin/dnsmasq (1444)
/usr/sbin/nmbd (2436)
/usr/sbin/smbd (2457)
/usr/sbin/smbd (2458)
/usr/sbin/smbd (2459)
/usr/sbin/smbd (2479)
/usr/sbin/smbd (32743)
This is rather confusing.
What should I do with this?
> Invoke 'aa-enforce /usr/sbin/apache2', and you're set.
Profile for /usr/sbin/apache2 not found, skipping
I guess this is normal since I didn't finish the aa-logprof step.
Still reading on this new thing for me.
Thanks
Steve
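As an added example (my own code, not something from the thread or from the AppArmor tools): a small Python parser for the audit.log records discussed above. It pairs each AppArmor AVC denial with the SYSCALL record that shares its audit serial and reports the profile, the denied path, the syscall's exit code and whether the profile was enforcing at the time. The sample input is constructed from the two records quoted in the thread, re-joined onto one line per record as auditd writes them.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC/SYSCALL pairs quoted in the thread above,
# re-joined onto one line per record as auditd writes them.
SAMPLE_LOG = """\
type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fe220cac22a a1=80000 a2=1b6 a3=80000 items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1539750555.347:77): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2219b6f70 a1=80000 a2=1b6 a3=ffffffffffffff7f items=0 ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
"""

HDR = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="value"
MODE = re.compile(r"subj==?\S+ \((enforce|complain)\)")  # AppArmor mode in subj

def parse_record(line):
    """Split one audit record into a dict; the event serial becomes '_serial'."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    hdr = HDR.search(line)
    if hdr:
        rec["_serial"] = int(hdr.group(2))
    mode = MODE.search(line)
    if mode:
        rec["_mode"] = mode.group(1)
    return rec

def mac_denials(text):
    """Return AppArmor denials, each joined to the SYSCALL record sharing its serial."""
    events = defaultdict(dict)          # serial -> {record type: parsed record}
    for line in text.splitlines():
        rec = parse_record(line)
        if "_serial" in rec and "type" in rec:
            events[rec["_serial"]][rec["type"]] = rec
    found = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or avc.get("apparmor") != "DENIED":
            continue
        sc = recs.get("SYSCALL", {})    # may be absent if the pair was truncated
        found.append({"serial": serial, "profile": avc.get("profile"),
                      "path": avc.get("name"), "denied_mask": avc.get("denied_mask"),
                      "exe": sc.get("exe"), "exit": int(sc["exit"]) if "exit" in sc else None,
                      "mode": sc.get("_mode", "unknown")})
    return found

if __name__ == "__main__":
    for d in mac_denials(SAMPLE_LOG):
        print(f"[{d['mode']}] {d['profile']} denied '{d['denied_mask']}' on {d['path']} (exit {d['exit']})")
```

Both denials come out tagged "enforce", which is why apache2 could not read its own config and systemd logged the unit start as failed; after aa-complain the same records would carry "(complain)" and the opens would succeed.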