In the 2nd edition, enabling AppArmor is not optional: Debian buster (the current stable release) enables it by default, so we follow that default.
Note
If you create or edit your own AppArmor profiles, give /var/log at least 2GB: profile development produces a flood of audit messages, which arrive through the kernel log (/var/log/kern.log and /var/log/syslog under rsyslog, or the journal).
Also set maxsize in the logrotate configuration covering those files (/etc/logrotate.d/rsyslog on a default install), so they are rotated as soon as they exceed a size rather than only on the daily schedule.
Enabling AppArmor on a read-only filesystem
The read-only root filesystem is already in place from the earlier steps; all that remains is to install the AppArmor packages and enable it. Remount read-write first, since apt, update-grub and update-initramfs all have to write to / and /boot.
root# mount -o remount,rw / # Don't forget: apt writes to /.
root# mount -o remount,rw /boot # for update-grub and update-initramfs.
root# apt install apparmor{,-utils,-profiles,-profiles-extra}
root# nano /etc/default/grub # add the apparmor parameters
GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"
root# update-grub && reboot # plain reboot: -n would skip sync and could lose the files just written
The buster kernel already defaults to AppArmor, so the two parameters are redundant there, but they make the choice explicit and survive a kernel whose default differs.
Check AppArmor status
After logging in:
root# aa-enabled
Yes
root# systemctl --failed # should list no failed units
root# journalctl -u apparmor # should show the profiles being loaded:
date hostname apparmor[PID]: Starting AppArmor profiles:.
date hostname systemd[1]: Started AppArmor initialization.
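As an added example (not part of the original guide), a script that performs the checks above in one go and adds two more: that the kernel command line actually carries the parameters set in /etc/default/grub, and that aa-status reports profiles in enforce mode rather than merely loaded. It assumes Debian buster with apparmor and apparmor-utils installed (aa-enabled and aa-status come from apparmor-utils); the script and function names are this example's own.

```shell
#!/bin/sh
# check_apparmor.sh: verify the AppArmor setup after the reboot above.
# Added example, not from the guide. Assumes Debian buster with apparmor and
# apparmor-utils installed; function names are this example's own.

# Return 0 when a kernel command line (the content of /proc/cmdline) carries
# both parameters added to GRUB_CMDLINE_LINUX above.
cmdline_has_apparmor() {
    case " $1 " in
        *" apparmor=1 "*) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" security=apparmor "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the enforce-mode profile count from aa-status output, which contains
# a line such as "14 profiles are in enforce mode."; prints 0 if absent.
enforce_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) profiles are in enforce mode\..*/\1/p')
    echo "${n:-0}"
}

# Live checks against the running system; every failure is reported, and the
# exit status is non-zero if any check failed.
check_live_system() {
    rc=0
    cmdline_has_apparmor "$(cat /proc/cmdline)" \
        || { echo "FAIL: kernel command line lacks apparmor=1 security=apparmor"; rc=1; }
    [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = "Y" ] \
        || { echo "FAIL: apparmor is not enabled in the running kernel"; rc=1; }
    aa-enabled --quiet \
        || { echo "FAIL: aa-enabled reports AppArmor is not enabled"; rc=1; }
    n=$(enforce_count "$(aa-status 2>/dev/null)")
    [ "$n" -gt 0 ] \
        || { echo "FAIL: no profiles in enforce mode (is apparmor-profiles loaded?)"; rc=1; }
    systemctl --failed --no-legend --plain | grep -q . \
        && { echo "FAIL: failed systemd units present:"; systemctl --failed --no-legend --plain; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: AppArmor enabled, $n profiles enforcing, no failed units"
    return "$rc"
}

# Run the live checks only when invoked as: sh check_apparmor.sh run
case "${1-}" in run) check_live_system ;; esac
```

Run it as root right after the reboot; a zero enforce count usually means the profiles shipped in apparmor-profiles were installed but not loaded, which aa-status will also show under "profiles are in complain mode".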
Going further
Only a limited set of AppArmor profiles is shipped (apparmor-profiles and apparmor-profiles-extra), and it is very difficult to write profiles that are universal.
You should consider writing your own for the services you actually run.
Read /etc/apparmor/logprof.conf first.
Its [qualifiers] section lists the binaries (shells, basic utilities, env) that should stay unconfined or inherit the caller's profile rather than get a profile of their own.
Tip
If you create your own AppArmor profiles, do them one at a time.
Also consider running logrotate -f YOURCONFIG before starting the next profile, so that the logs aa-logprof reads contain only the new profile's audit messages.
tier1.jp will write about it in the future, but not in this guide.
ClamAV for virus scanning (optional)
root# mount -o remount,rw / # DO NOT FORGET
root# apt install clamav
root# dpkg-reconfigure clamav-freshclam # read the questions and answer them
root# mount -o remount,ro /
Note
If you do not run clamd, answer "No" when asked whether clamd should be notified after updates.
freshclam keeps its signature database under /var/lib/clamav, so that directory must stay writable.
This setup provides no on-access scanning.
You have to run scans yourself.
To scan a path recursively and report only infected files:
user$ clamscan -i -r SOMEPATH
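As an added example (not from the guide), a small wrapper around the clamscan invocation above that first proves the scanner works, using the standard EICAR test string, and then interprets clamscan's exit status (0 clean, 1 infected, 2 error) instead of leaving the operator to read the summary. It assumes clamav is installed and freshclam has fetched a database; the log path and the script name are this example's choices.

```shell
#!/bin/sh
# clamscan-wrapper.sh: recursive on-demand scan that reports only infected
# files and interprets clamscan's exit status. Added example, not part of the
# original guide. Assumes clamav is installed and freshclam has fetched the
# signature database; the log path and the EICAR self-test are this example's
# own choices.

LOGFILE="${LOGFILE:-/var/log/clamav/clamscan.log}"

# clamscan(1) exit status: 0 no virus found, 1 virus found, 2 error.
clamscan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo "unknown($1)" ;;
    esac
}

# The standard 68-byte EICAR test string, which antivirus engines detect as a
# test signature without any real malware being involved.
eicar_string() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Confirm the scanner and its database actually detect something before
# trusting a "clean" result: clamscan must exit 1 on a directory with EICAR.
self_test() {
    dir=$(mktemp -d) || return 2
    eicar_string > "$dir/eicar.com"
    clamscan -i -r "$dir" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 1 ]
}

# Scan a path recursively (-r), print only infected files (-i) and append
# the report to LOGFILE (--log). Returns clamscan's own exit status.
scan_path() {
    clamscan -i -r --log="$LOGFILE" "$1"
    rc=$?
    echo "$1: $(clamscan_verdict "$rc")"
    return "$rc"
}

# Usage: sh clamscan-wrapper.sh SOMEPATH
if [ -n "${1-}" ]; then
    self_test || { echo "self-test failed: ClamAV does not detect EICAR" >&2; exit 2; }
    scan_path "$1"
fi
```

The self-test matters on a machine like this one: if freshclam has not been able to update (no network, or /var/lib/clamav not writable), clamscan may still run and return "clean" while detecting nothing, and the exit status is the only machine-readable result when the script is run from cron.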
chkrootkit
chkrootkit might help, but it produces a fair number of false positives, and it depends on binutils (for example strings) and other system binaries that a rootkit which has already taken root could itself have replaced.
For the 2nd edition setup, tier1.jp does not recommend chkrootkit.
Firewall
Firewalls are difficult to get right. The basic approach: DROP everything by default, explicitly ACCEPT only what you need, let conntrack admit replies to connections you already accepted, and rate-limit new connections per source with hashlimit.
root# mount -o remount,rw / # apt needs a writable /
root# apt install iptables-persistent
Note
This package only loads saved rules from /etc/iptables/rules.v4 and /etc/iptables/rules.v6 at boot (through netfilter-persistent). You still have to write the rules, and a missing rules.v6 leaves IPv6 unfiltered.
Firewall requirements vary and can get complicated, so we should discuss it in another article.
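A minimal ruleset in the shape the paragraph above describes, as an added example: it is not the guide's own ruleset, which the author defers to another article. It applies default DROP, explicit ACCEPT, conntrack for replies and hashlimit for new connections, and writes both files iptables-persistent loads. SSH on port 22 as the only exposed service, the rate figures and the script name are assumptions; adjust them to your host.

```shell
#!/bin/sh
# gen-rules.sh: write /etc/iptables/rules.v4 and rules.v6 for iptables-persistent,
# following the rule stated above: DROP everything, ACCEPT explicitly, admit
# replies via conntrack, rate-limit new connections via hashlimit. Added
# example, not part of the original guide. SSH on port 22 as the only service
# and the hashlimit figures are assumptions for illustration.

SSH_PORT="${SSH_PORT:-22}"

# iptables-save format as read by iptables-restore; '#' lines are ignored.
rules_v4() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then replies to connections we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping, at most 2/s per source address with a burst of 5
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name ping --hashlimit-mode srcip --hashlimit-upto 2/second --hashlimit-burst 5 -j ACCEPT
# new SSH connections, at most 3/min per source address with a burst of 5
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 3/minute --hashlimit-burst 5 -j ACCEPT
# anything not accepted above hits the INPUT DROP policy
COMMIT
EOF
}

# IPv6 must let ICMPv6 through (neighbour discovery) or the host loses
# connectivity; otherwise the same shape as the IPv4 ruleset.
rules_v6() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh6 --hashlimit-mode srcip --hashlimit-upto 3/minute --hashlimit-burst 5 -j ACCEPT
COMMIT
EOF
}

# install_rules GENERATOR RESTORE_TOOL FILE: write the ruleset to FILE only
# after the restore tool's --test mode has parsed it without error.
install_rules() {
    "$1" > "$3.new" && "$2" --test "$3.new" && mv "$3.new" "$3"
}

# Usage (root, with / remounted rw): sh gen-rules.sh install
case "${1-}" in
    install)
        install_rules rules_v4 iptables-restore /etc/iptables/rules.v4 \
            && install_rules rules_v6 ip6tables-restore /etc/iptables/rules.v6 \
            && iptables-restore < /etc/iptables/rules.v4 \
            && ip6tables-restore < /etc/iptables/rules.v6
        ;;
esac
```

Because OUTPUT stays ACCEPT and ESTABLISHED,RELATED is accepted early, the host can still run apt and freshclam; only unsolicited inbound traffic is affected. Test from a second session before you close the one you are working in, since a mistake in the SSH rule locks you out, and remember that /etc/iptables lives on the read-only root, so remount rw before running the install step.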
APT consistency
There is other file-integrity software such as tripwire, but debsums is the easy way to check files installed from Debian packages against the MD5 sums recorded by dpkg.
First, initialize: debsums_init generates sums for packages that did not ship them.
root# mount -o remount,rw / # apt needs a writable /
root# apt install debsums
root# mount -o remount,ro /
root# debsums_init # this does not require a writable root "/"
Then run a check from time to time; -s reports only changed files and errors.
root# debsums -s
Keep the limitation in mind: debsums compares against the md5sums files under /var/lib/dpkg/info on the same system, so an intruder with root can update those along with the files. It catches accidental changes and careless tampering, not a careful attacker, and it skips configuration files unless you pass -a.
A milestone
You can stop following this guide at this stage.
- You now have a small, secure, read-only Debian GNU/Linux with AppArmor.
- If you are interested, keep going with "Next".
Thank you for reading this. Have a nice day.