Linux is a significant part of modern network infrastructure that allows fine—grained control over system resources. One of the ways this control can be exercised is by restricting user permissions. By default, Linux systems are set up with a multi—user environment that allows multiple users to log in simultaneously and perform tasks on the system.
However, not all users require access to all system resources or have the same level of trustworthiness. To address these concerns, administrators can use various techniques to restrict user permissions so that each user has only the necessary level of access to perform their tasks. One of the software we consider in that instruction.
Restricting user rights involves configuring security parameters of different config files: users, groups of users or processes. This can be done using built—in system permission, user groups or tools like AppArmor. System permission gives access to specific information systems subjects.
Availabilities such as writing, reading and executing access to the object of the file system. AppArmor and other software can be security modules which provide security services via the MAC concept and confinement process subset of the system.
Install and exploit
Before using the main utility update and upgrade your system :
sudo apt update —y && sudo apt upgrade —y
Install the needed package for creating a profile and log file:
sudo apt install apparmor—utils apparmor
And check utilities for the packet:
The process will be structured as follows: we create a profile for users that start scanning their actions and movement, start needed for the user program, which impact with their process and therefore we can collect all log files and set permission on it. First, create a profile with the user which you need to restrict:
sudo aa—genprof —h
We can see a template of the program syntaxis and fill the gaps following that example:
sudo aa—genprof sudo
You can use any parameter on the screen below, but we use the default setting. Now, as you can see in the instruction, we have to create a new window in our remote program application:
Start all the programs, that you need to use and wait, now absolutely starting, requiring process writing in log journal:
Go to the previous window and stop the process with press the letter F on your keyboard:
Go to the log files and check Apparmor kernel process starts right:
sudo journalctl —k
After we make sure that all processes start correctly, we need to update the log file in Apparmour :
Start profile with enforce mode, which can turn up a system of MAC restrictions :
Restricting user permissions is an essential aspect of managing Linux systems. It allows administrators to ensure that users only have access to the necessary resources and reduces the risk of security breaches. AppArmor is a powerful tool that can help administrators restrict user permissions by defining specific profiles for users and their associated processes.
By following the steps outlined in this article, administrators can create AppArmor profiles and log files, analyze them, and enforce restrictions on user permissions. Ultimately, implementing these techniques will lead to a more secure and efficient Linux system. In the next episode, we consider a more deepest and most flexible configuration, don't tune the channel!