=== AppArmor and its ussage ===
== Whats is AppArmor ==
[[File:Apparmor_logo.png|right|thumb|Logo]]
'''[https://wiki.ubuntu.com/AppArmor AppArmor]''' is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control(DAC) model by providing (mandatory access control) (MAC). It was included in the mainline Linux kernel since version 2.6.36 and its development has been supported by [https://www.canonical.com/ Canonical] since 2009.
It is available by default on Ubuntu and Suse distributions. AppArmor relies on paths instead of inodes, which are used by another similar security mechanism [https://en.wikipedia.org/wiki/Security-Enhanced_Linux SELinux].
Apparmor uses rules, which are combined into profiles for every process you want to restrict by it. These profiles can be run in "enforce" or "complain" modes. To generate profile you can run it with AppArmor in profile mode. While enforced profile will disallow any restricted activity, profile ran in complain mode will still allow program to do what was intended, but log this violation in logfile.

== AppArmor features ==

AppArmor can restrict following things

* file access (read, write, link, lock)
* library loading
* execution of applications
* coarse-grained network (protocol, type, domain)
* capabilities
* coarse owner checks (task must have the same euid/fsuid as the object being checked) starting with Ubuntu 9.10
* mount starting with Ubuntu 12.04 LTS
* unix(7) named sockets starting with Ubuntu 13.10
* DBus API (path, interface, method) starting with Ubuntu 13.10
* signal(7) starting with Ubuntu 14.04 LTS
* ptrace(2) starting with Ubuntu 14.04 LTS
* unix(7) abstract and anonymous sockets starting with Ubuntu 14.10

== AppArmor commands ==
=== Check status ===
apparmor_status
or
aa-status

=== Load profile ===
apparmor_parser -a /etc/apparmor.d/profile.name

=== Replace (reload) singe profile ===
apparmor_parser -r /etc/apparmor.d/profile.name

=== Reload all profiles ===
systemctl reload apparmor

=== Disable profile ===
ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/profile.name

=== Enabling disabled profile ===
rm /etc/apparmor.d/disable/profile.name
apparmor_parser -a /etc/apparmor.d/profile.name

=== Run profile in complain mode ===
aa-complain /path/to/program

=== Run profile in enforce mode ===
aa-enforce /path/to/program

=== Disabling AppArmor ===
Open <code>/etc/default/grub</code> file and change or add this line <code>GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0"</code>.
Then run <code>update-grub2</code> and restart your PC.

== Permission flags ==

These are permission flags which are used in policy files. With them you can specify which things are allowed and which are denied.

* r - read
* w - write -- conflicts with append
* a - append -- conflicts with write
* ux - unconfined execute
* Ux - unconfined execute -- scrub the environment
* px - discrete profile execute
* Px - discrete profile execute -- scrub the environment
* cx - transition to subprofile on execute
* Cx - transition to subprofile on execute -- scrub the environment
* ix - inherit execute
* m - allow PROT_EXEC with mmap(2) calls
* l - link
* k - lock

== Creating new profiles ==
There are two ways of profiling. First one is called ''Stand-Alone profiling'' and second one is ''Systematic profiling''.
* Stand-alone is more fit if you want to create profile for one application, however setbacks are, that you need to keep running the profiling process whole time, while you are creating profile.
* Systematic profiling is meant for multiple processes, and you can restart server and programs while still profiling.

=== Stand-alone profiling ===
First you probably need to install additional package by running <code>apt install apparmor-utils</code>.

For example, lets try and profile Vsftpd. After installing it, this command needs to be run first <code>aa-genprof /usr/sbin/vsftpd</code>. It will stay in monitoring mode. Then in other terminal window restart or start Vsftpd daemon by running <code>systemctl restart vsftpd</code>. After that just proceed with casual tasks. Connect with local user to FTP, upload, download, create and delete files and directories. Also create file in /tmp. After doing this, switch to first terminal window and push '''S''' for ''(S)can system log for AppArmor events''. Aa-genprof will then asks a couple of questions about actions what vsftpd did and you can either approve or disable them, alone with some more options. For example this rule <code>/home/user1/* r</code>is very narrow and ftp will not work properly if your system have more than one user. First profile that was made for vsftpd looked like this
<pre> # Last Modified: Wed Apr 26 00:39:00 2017
#include <tunables/global>

/usr/sbin/vsftpd {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/lxc/container-base>

/dev/urandom r,
/etc/fstab r,
/etc/ftpusers r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/mtab r,
/etc/shells r,
/etc/vsftpd.* r,
/etc/vsftpd/* r,
/home/*/ rw,
/usr/sbin/vsftpd mrix,
/var/log/vsftpd.log w,
}
</pre>

After you test it out, you will notice, that you can still access pretty much everything even when this profile does not specify it. It is because the line <code>#include <abstractions/lxc/container-base></code> gives wide access. So instead i changed permissions to be more narrow, and now profile looked like this. User will be able to write in his home directory and in /tmp. He will not see contents in /home.
<pre>
# Last Modified: Wed Apr 26 20:39:27 2017
#include <tunables/global>

/usr/sbin/vsftpd {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/nameservice>

capability audit_write,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,

/ r,
/dev/urandom r,
/etc/fstab r,
/etc/ftpusers r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/mtab r,
/etc/shells r,
/etc/vsftpd.* r,
/etc/vsftpd/* r,
/tmp/ r,
/tmp/* w,
/usr/sbin/vsftpd mrix,
/var/log/vsftpd.log w,
@{HOME}/ r,
@{HOME}/* w,
}
</pre>

=== Systematic profiling ===

Lets try and do systematic profiling on vsftpd and nginx. After installing them, this command needs to be run in order to create profile skeleton for both programms <code>aa-autodep vsftpd nginx</code>. After that run this command to puth both profiles in complain mode <code>aa-complain vsftpd nginx</code>.
Then restart both services <code>systemctl restart vsftpd ; systemctl restart nginx</code>
and do some basic tasks. Open html page in web browser, create and open some subdirectories. Upload and delete files with ftp client. After you think you have done everything you require from both services, run this command <code>aa-logprof</code> and approve rules. You may need to run it a few times untill you tweak rules just right. Below are the basic rules which allows ftp juser to upload files in his home directory and in /var/www/html/, and ngix to serve them properly over http.

<pre>
# Last Modified: Wed Apr 26 21:50:54 2017
#include <tunables/global>

/usr/sbin/vsftpd {
#include <abstractions/base>
#include <abstractions/postfix-common>

capability audit_write,
capability net_bind_service,
capability sys_admin,

network inet6 stream,
network netlink raw,

/ r,
/etc/ftpusers r,
/etc/group r,
/etc/login.defs r,
/etc/nsswitch.conf r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/securetty r,
/etc/shadow r,
/etc/shells r,
/etc/vsftpd.conf r,
@{HOME}/ r,
@{HOME}/** rw,
/usr/sbin/vsftpd mr,
/var/ r,
/var/log/vsftpd.log w,
/var/www/ rw,
/var/www/html/** rw,
}
</pre>

<pre>
# Last Modified: Wed Apr 26 21:46:31 2017
#include <tunables/global>

/usr/sbin/nginx {
#include <abstractions/base>

capability dac_override,

network inet stream,

/etc/group r,
/etc/nginx/conf.d/ r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/nginx/sites-enabled/ r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/ssl/openssl.cnf r,
/usr/sbin/nginx mr,
/var/log/nginx/error.log w,
/var/www/html/** r,
}
</pre>

== Practical example by hardening server ==

Lets assume that you want to set up Ubuntu LTS server and quickly harden it with AppArmor. The server will run Virtualmin as a server control panel.
First you install Virtualmin by running these commands. Saddly they do not provide checksumms.
<pre>wget http://software.virtualmin.com/gpl/scripts/install.sh
bash install.sh</pre>

Then install additional profiles
<pre>
apt install apparmor-profiles</pre>

By checking <code>aa-status</code> you can see that there are bunch of profiles already in enforce and complain mode.

== Getting additional rules ==
You can download precreated AppArmor rules for most popular services by installing additional package
<code>apt install apparmor-profiles</code>.
They are installed in same default directory /etc/apparmor.d as the rest of profiles.
[[File:Aa-status.png|right|thumb|Logo]]

== Additional resources ==
* [http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference More about various policy flags]
* [http://wiki.apparmor.net/index.php/Documentation General documentation]
* [https://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/data/bx5bmky.html Building Profiles from the Command Line]
* [https://help.ubuntu.com/community/AppArmor AppArmor Ubuntu wiki]

[[Category:Operatsioonisüsteemide administreerimine ja sidumine]]

File:Aa-status.png

2017-04-27T12:03:50Z

Mteivens:

Apparmor and its usage

=== AppArmor and its ussage ===
== Whats is AppArmor ==

'''[https://wiki.ubuntu.com/AppArmor AppArmor]''' is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the permission to read, write, or execute files on matching paths. AppArmor supplements the traditional Unix discretionary access control(DAC) model by providing (mandatory access control) (MAC). It was included in the mainline Linux kernel since version 2.6.36 and its development has been supported by [https://www.canonical.com/ Canonical] since 2009.
It is available by default on Ubuntu and Suse distributions. AppArmor relies on paths instead of inodes, which are used by another similar security mechanism [https://en.wikipedia.org/wiki/Security-Enhanced_Linux SELinux].
Apparmor uses rules, which are combined into profiles for every process you want to restrict by it. These profiles can be run in "enforce" or "complain" modes. To generate profile you can run it with AppArmor in profile mode. While enforced profile will disallow any restricted activity, profile ran in complain mode will still allow program to do what was intended, but log this violation in logfile.

== AppArmor features ==

AppArmor can restrict following things

* file access (read, write, link, lock)
* library loading
* execution of applications
* coarse-grained network (protocol, type, domain)
* capabilities
* coarse owner checks (task must have the same euid/fsuid as the object being checked) starting with Ubuntu 9.10
* mount starting with Ubuntu 12.04 LTS
* unix(7) named sockets starting with Ubuntu 13.10
* DBus API (path, interface, method) starting with Ubuntu 13.10
* signal(7) starting with Ubuntu 14.04 LTS
* ptrace(2) starting with Ubuntu 14.04 LTS
* unix(7) abstract and anonymous sockets starting with Ubuntu 14.10

== AppArmor commands ==
=== Check status ===
apparmor_status

=== Load profile ===
cat /etc/apparmor.d/profile.name | apparmor_parser -a

=== Reload singe profile ===
cat /etc/apparmor.d/profile.name | apparmor_parser -r

=== Reload all profiles ===
systemctl reload apparmor

=== Disable profile ===
ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/profile.name

=== Enabling disabled profile ===
rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | apparmor_parser -a

=== Run profile in comlpain mode ===
aa-enforce /path/to/program

=== Disabling AppArmor ===
Open <code>/etc/default/grub</code> file and change or add this line <code>GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0"</code>.
Then run <code>update-grub2</code> and restart your PC.

== Creating new profiles ==
First you probably need to install additional package by runing <code>apt install apparmor-utils</code>

File:Apparmor status.png

2017-04-25T16:18:08Z

Mteivens:

OSadmin wiki article

2017-04-25T15:52:39Z

Mteivens:

=Intro=
*Choose a topic from personal experience related with the subject or from topics found on the wiki page
*[[#Chosen_topics|Write the topic here]].
*Lecturer will confirm the topic
*Write your article in wiki environment
*Inform the [[Operating_systems#Lecturer|lecturer]] when the article is finished
*Receive feedback for corrections

=Requirements for the wiki article=
Author: name, group and date when the article is written

==Introduction ==
Covers points what will be discussed in the article, what are the requirements for the article reader; what are the operating system’s requirements.

==Contents==
All commands should be easily separable from the overall text.
Users should be able to copy the commands directly (additional info like prompt and user distinction symbols should be left out from the command description area)
The text should determine what user permissions are needed to perform these tasks.
The reader of your article is your fellow students, so try to avoid irrelevant information and stay on topic (don’t explain the meaning of IP address or how to install Ubuntu, when your topic is actually about htop)
All the content should be referenced.
Do not use slang and try to be grammatically correct. 

Bear in mind that this is an open environment, so everything you write in your wiki article, will be public. 

==Referencing==
Best practises of wiki referencing should be used.
Terms are but between square brackets to reference other articles in the system.
All drawing and images have to be referenced below the picture and in the text. (for example “System architecture can be viewed on image x, y and z.”)
Author’s own ideas have to be clearly presentable. Everything used from the sources have to be referenced.

==Fellow student review==
Please find a fellow student who will review your article and give a feedback on the discussion tab of the article using [http://enos.itcollege.ee/~edmund/materials/viki-artikkel/Assessment-model-for-the-wiki-article.html the following assessment model].

==Summary==
Besides a short overview, what was discussed in this article, it should also include the author's own opinion about the topic.

==Category==
Add the following category to the end of the article (last row): 
'''<nowiki>[[Category:Operatsioonisüsteemide administreerimine ja sidumine]]</nowiki>'''

=Chosen topics=
Please write here your topic and name, group:
* '''Fedora OS'''; Anamul Hoque Shihab; CSE-11
* '''Basic Automation with Python'''; Ardi Vaba; CSE-11
* '''SSH Encryption'''; Frank Korving; CSE-11
* '''Translation of OSadmin wiki help page to English [[https://wiki.itcollege.ee/index.php/Osadmin_spikker]]'''; Peep Kuulme; CSE-11
* [https://wiki.itcollege.ee/index.php/Cross-Site_Scripting_(XSS)_attacks '''Cross-Site Scripting''']; Masaki Ihara; CSE-11
*[https://wiki.itcollege.ee/index.php/Auditd '''Auditd - Linux system monitoring with audit daemon'''], Nika Ptskialadze, CSE-11
* '''GNU Privacy Guard (GnuPG)'''; Patricia Bruno Barbosa; CSE-11
* '''BackBox OS'''; Ats Tootsi; CSE-11
*[https://wiki.itcollege.ee/index.php/Apparmor_and_its_usage '''Apparmor and its usage'''], Mikus, CSE-11
*''''Arch Linux'''';Farhan Nayeem Islam;CSE-C11
* ''''VPN basics'''', Christian Cataldo, CSE-C11; [https://wiki.itcollege.ee/index.php/VPN_(English_version)]
* ''Translation of DDoS Wiki page[[https://wiki.itcollege.ee/index.php/DDoS_Eng]]'''; Andris Männik; CSE-11
*'''Translation of Ps Wiki page[[https://wiki.itcollege.ee/index.php/Ps]]'''''; Christopher Carr; CSE-11
*'''Translation of Bash_Shell wiki page[[https://wiki.itcollege.ee/index.php/BASH_shell]]'''; Steven Rugam; CSE-11
*'''Pass: The Standard Unix Password Manager'''; Oliver Rahula; CSE-11
==Ideas==
* UNIX CLI password manager https://www.passwordstore.org and its GUI http://qtpass.org/

=References=
* [https://wiki.itcollege.ee/index.php/Osadmin_referaadi_teemad counterpart article in Estonian]
* http://manpage.io
* https://linuxjourney.com/
* [https://linux.die.net/man/ Linux man-pages]
* [https://linux.die.net Linux docs]
* http://www.tecmint.com/60-commands-of-linux-a-guide-from-newbies-to-system-administrator/
* http://www.tecmint.com/useful-linux-commands-for-system-administrators/
* http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html
* http://www.thegeekstuff.com/2010/12/50-unix-linux-sysadmin-tutorials

[[Category:Operatsioonisüsteemide administreerimine ja sidumine]]

Creating malware lab

2017-04-25T15:51:59Z

Mteivens: Mteivens moved page Creating malware lab to Apparmor and its usage

#REDIRECT [[Apparmor and its usage]]

Apparmor and its usage

2017-04-25T15:51:59Z

Mteivens: Mteivens moved page Creating malware lab to Apparmor and its usage

batman beginz

Investigating nfc cards

2017-04-11T21:05:08Z

Mteivens:

==== Investigating Mifare NFC cards with PN532 module and C.H.I.P ====
In this brief document i will attempt to explain how to setup your chip and pn532 NFC reader to poke around with NFc cars.

=== Setup ===

After flashing[https://flash.getchip.com/] your chip, first thing yo need to do is install ''libnfc'' by running command
apt-get install libnfc-bin

And add your NFC device
mkdir -p /etc/nfc/devices.d/
echo -e "name = \"PN532 board via UART\" \nconnstring = pn532_uart:/dev/ttyS0" > /etc/nfc/devices.d/pn532_uart.conf</code>

Now you actually need to connect reader to chip. Check attached picture to see where to connect each pin.

[[File:Pn532_pinout.png|200px]]

If you did everything right, you should be able to detect the device by running
nfc-scan-device
[[File:Nfc-scan-device.png]]

=== Identifying cards ===
Using this command you can check if reader detects NFC card successfully
nfc-list

You can identify cards by returned ATQA/SENS_RES, SAK/SEL_RES and ATS[http://nfc-tools.org/index.php?title=ISO14443A] bytes manually by useing command
nfc-list
or you can use this utility[http://nfc-tools.org/index.php?title=Lsnfc] to make it easier. Below you can see responses from ISIC card (non bank issued one).

<gallery>
File:Lsnfc.png|lsnfc output
Nfc-list.png|nfc-list output
</gallery>

=== Basic working principles of Mifare Classic card ===
Both, ISIC and Estonian transportation cards are working on Mifare Classic chip. Bank cards use another chip which is able to emulate Mifare Classic. SEB uses Mifare Plus and Swedbank uses JCOP as far as i know.

Mifare classic`s memory is organized in 16 sectors of 4 blocks. One block contains 16 bytes.

[[File:Mifare_classic_memory_layout.png|200px]]

File:Mifare classic memory layout.png

2017-04-11T19:23:57Z

Mteivens:

Apparmor and its usage

2017-04-09T18:47:09Z

Mteivens: Created page with "batman beginz"

batman beginz

Claiming GitHub Student Developer Pack

2016-09-01T21:46:10Z

Mteivens: /* Claiming GitHub Student Developer Pack */

GitHub`s ''Student developer pack'' gives you free access or discounts to various services like GitHub, Digital ocean, Stripe, Namecheap, AWS, Microsoft Azure and others.

You can check full offer [https://education.github.com/pack here]

In order to claim this pack you have to add your ''itcollege.ee'' email to your profile. To do so you login into your profile, click on user picture in right upper corner and click ''Settings''. Add your ''itcollege.ee'' address in '''Email''' section.

[[File:Devpack_add_email.png|300px|border|Adding itcollege.ee email address]]

In a few seconds you should receive a verification email to your address. Open it and click on verification link provided in email.

[[File:Devpack_verify_email.png|300px|border|Verifying your email]]

Once you verified your address, [https://education.github.com/pack go here], and click ''Get your pack'', acknowledge that you are a student by clicking another button and fill out form afterwards.

[[File:Devpack_form.png|300px|thumb|left|Form]]

As far as i can tell they do not really care about your full name and/or your name at all, but who knows, maybe you trigger additional check if you put something propostrous for your name. After you finished and submitted this form, you get text saying that GitHub will contact you in a few weeks. Maybe its true for others but i got second email almost instantly, which confirmed that i now have access to Student Developer Pack.

Again, [https://education.github.com/pack go here], click ''Get your pack'' and voila, you have claimed teh Student Developer Pack.

Claiming GitHub Student Developer Pack

2016-09-01T21:44:57Z

Mteivens: Created page with "=Claiming GitHub Student Developer Pack= GitHub`s ''Student developer pack'' gives you free access or discounts to various services like GitHub, Digital ocean, Stripe, Namech..."

=Claiming GitHub Student Developer Pack=

GitHub`s ''Student developer pack'' gives you free access or discounts to various services like GitHub, Digital ocean, Stripe, Namecheap, AWS, Microsoft Azure and others.

You can check full offer [https://education.github.com/pack here]

In order to claim this pack you have to add your ''itcollege.ee'' email to your profile. To do so you login into your profile, click on user picture in right upper corner and click ''Settings''. Add your ''itcollege.ee'' address in '''Email''' section.

[[File:Devpack_add_email.png|300px|border|Adding itcollege.ee email address]]

In a few seconds you should receive a verification email to your address. Open it and click on verification link provided in email.

[[File:Devpack_verify_email.png|300px|border|Verifying your email]]

Once you verified your address, [https://education.github.com/pack go here], and click ''Get your pack'', acknowledge that you are a student by clicking another button and fill out form afterwards.

[[File:Devpack_form.png|300px|thumb|left|Form]]

As far as i can tell they do not really care about your full name and/or your name at all, but who knows, maybe you trigger additional check if you put something propostrous for your name. After you finished and submitted this form, you get text saying that GitHub will contact you in a few weeks. Maybe its true for others but i got second email almost instantly, which confirmed that i now have access to Student Developer Pack.

Again, [https://education.github.com/pack go here], click ''Get your pack'' and voila, you have claimed teh Student Developer Pack.

File:Devpack add email.png

2016-09-01T21:29:08Z

Mteivens: Mteivens uploaded a new version of File:Devpack add email.png

File:Devpack verify email.png

2016-09-01T21:12:59Z

Mteivens:

File:Devpack form.png

2016-09-01T21:12:41Z

Mteivens:

File:Devpack add email.png

2016-09-01T21:12:25Z

Mteivens: