2. Debian Handbook
3. 14_security

Once the “dynamic” elements have been saved, the next step is to store a complete image of the hard-disk. Making such an image is impossible if the filesystem is still evolving, which is why it must be remounted read-only. The simplest solution is often to halt the server brutally (after running <command>sync</command>) and reboot it on a rescue CD. Each partition should be copied with a tool such as <command>dd</command>; these images can be sent to another server (possibly with the very convenient <command>nc</command> tool). Another possibility may be even simpler: just get the disk out of the machine and replace it with a new one that can be reformatted and reinstalled. Most server providers offer a so-called rescue-console that essentially provides the same functionality as a rescue CD.

Setelah elemen "dinamis" sudah diselamatk-elemen “dinamis” disimpan, langkah berikutnya adalah untuk menyimpan imagecitra lengkap dari hard disk. Membuat imagecitra seperti itu mustahil jika sistem berkas masih terus berubah, itulah sebabnya itua harus dikaitpasang ulang dalam mode hanya-baca. Solusi yang paling sederhana adalah sering dengansering kali adalah menghentikan server secara brutalpaksa (setelah menjalankan <command>sync</command>) dan me-reboot memakai-nya menggunakan CD rescue. Masing-masingpenyelamatan. Setiap partisi akanharus disalin dengan alat seperti <command>dd</command>; imagecitra-citra ini dapat dikirim ke server lain (mungkin dengan alat <command>nc</command> yang sangat nyamanpraktis). Kemungkinan lain mungkinbisa bahkan lebih sederhana: hanya mendapatcukup keluarkan disk dari mesin dan menggantinya dengan yang baru yang dapat diformat dan diinstal ulangulang dan dipasang ulang. Sebagian besar penyedia server menawarkan yang disebut rescue-console yang pada dasarnya menyediakan fungsionalitas yang sama seperti CD penyelamatan.

This may only be possible if the server is physically accessible. When the server is hosted in a hosting provider's data center halfway across the country, or if the server is not accessible for any other reason, it is usually a good idea to start by gathering some important information (see <xref linkend="sect.keeping-everything-that-could-be-used-as-evidence" />, <xref linkend="sect.forensic-analysis" /> and <xref linkend="sect.reconstituting-the-attack-scenario" />), then isolating that server as much as possible by shutting down as many services as possible (usually, everything but <command>sshd</command>). This case is still awkward, since one can't rule out the possibility of the attacker having SSH access like the administrator has; this makes it harder to “clean” the machines. If possible, and if the provider supports it, the server can be put offline and accessed through the providers KVM/IPMI interface or their rescue console. If the affected machine is a virtual machine, a snapshot should be taken immediately to secure evidence.

Ini hanya dapat dilakukamungkin hanya mungkin jika server fisik dapat diakses secara fisik. Ketika server diwadahihosting di pusat data penyedia hosting setengah jalan menyeberangyang berjarak setengah negaraeri, atau jika server tidak dapat diakses karena alasan lain, biasanya merupakan ide yang baik untuk memulai dengan mengumpulkan beberapa informasi penting (lihat <xref linkend="sect.keeping-everything-that-could-be-used-as-evidence" />, <xref linkend="sect.forensic-analysis" />, dan <xref linkend="sect.reconstituting-the-attack-scenario" />), kemudianlalu mengisolasi server sebanyaktersebut semaksimal mungkin dengan menutupmatikan sebanyak mungkin layanan (biasanya, semua selainkecuali <command>sshd</command>). Kasus ini masihtetap canggung, karena kita tidak mengesampingseseorang tidak dapat menyingkirkan kemungkinan bahwa penyerang memiliki akses SSH seperti halnya administrator miliki; hal; ini membuat mesin lebih sulit untuk "membersihkan" mesin“dibersihkan”. Jika memungkinkan, dan jika penyedia mendukungnya, server dapat dibuat offline dan diakses melalui antarmuka KVM/IPMI penyedia atau konsol penyelamatan mereka. Jika mesin yang terdampak adalah mesin virtual, sebuah snapshot harus segera diambil untuk mengamankan bukti.

The consequences of an intrusion will have various levels of obviousness depending on the motivations of the attacker. “Script-kiddies“ only apply recipes they find on web sites; most often, they deface a web page or delete data. In more subtle cases, they add invisible contents to web pages so as to improve referrals to their own sites in search engines. In others, they simply install crypto-miners and use the compromised system to fill their crypto wallets.

Konsekuensi dari sebuah intrusi akan memiliki berbagai tingkat kejelasan tterlihatan yang jelas, bergantung pada motivasi dari penyerang. "“Script -kiddies"” hanya menerapkan resep yang mereka temukan padadi situs web; paling sering, mereka merusak tampilan sebuah halaman web atau menghapus data. Dalam kasus yang lebih halus, mereka menambah isikan konten tak terlihat padake halaman web sehingga dapatuntuk meningkatkan arahrujukan ke situs mereka sendiri di mesin pencari. Dalam kasus lainnya, mereka sekadar memasang crypto-miner dan menggunakan sistem yang dikompromikan untuk mengisi dompet kripto mereka.

<command>aa-genprof</command> detected that this permission was also granted by multiple “abstractions” and offers them as alternative choices. An abstraction provides a reusable set of access rules grouping together multiple resources that are commonly used together. In this specific case, we opted for selection “2” to first select the “#include &lt;abstractions/ubuntu-browsers.d/plugins-common&gt;” choice and then “A” to allow it.

Di sini program berusaha membaca izin <filename>/etc/ssl/openssl.conf</filename>. <command>aa-genprof</command> mendeteksi bahwa izin ini juga diberikan oleh beberapa "“abstraksi"ction” dan menawarkan mereknya sebagai pilihan alternatif. AbstraksiSebuah abstraction menyediakan seperangkatkumpulan aturan akses yang dapat dipakai lagi,gunakan kembali, yang mengelompokkan beberapaanyak sumber daya yang seringumum digunakan bersama-sama. Dalam kasus khusus ini, berkas umumnya diakses melalui fungsi terkait nameservice dari pustaka C dan kita ketik "2"spesifik ini, kami memilih opsi “2” untuk pertama memilih "#include &lt;abstractions/openssl&gt;" dan kemudian "A"terlebih dahulu memilih pilihan “#include &lt;abstractions/ubuntu-browsers.d/plugins-common&gt;” lalu “A” untuk mengizinkannya.

<computeroutput># </computeroutput><userinput>aa-genprof dhclient
</userinput><computeroutput>Updating AppArmor profiles in /etc/apparmor.d.
Writing updated profile for /usr/sbin/dhclient.
Setting /usr/sbin/dhclient to complain mode.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Profiling: /usr/sbin/dhclient

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish
<userinput>S</userinput>
Reading log entries from /var/log/syslog.

Profile: /usr/sbin/dhclient <co id="aa-genprof-execute"></co>
Execute: /usr/sbin/dhclient-script
Severity: unknown

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
<userinput>P</userinput>

Should AppArmor sanitise the environment when
switching profiles?

Sanitising environment is more secure,
but some applications depend on the presence
of LD_PRELOAD or LD_LIBRARY_PATH.

[(Y)es] / (N)o
<userinput>Y</userinput>
Writing updated profile for /usr/sbin/dhclient-script.

WARNING: Ignoring exec event in /usr/sbin/dhclient//null-/usr/sbin/dhclient-script//null-/usr/bin/systemctl, nested profiles are not supported yet.
Complain-mode changes:

Profile: /usr/sbin/dhclient <co id="aa-genprof-capability"></co>
Capability: net_raw
Severity: 8

[1 - capability net_raw,]
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding capability net_raw, to profile.

Profile: /usr/sbin/dhclient
Capability: net_bind_service
Severity: 8

[1 - include &lt;abstractions/nis&gt;]
2 - capability net_bind_service,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding include &lt;abstractions/nis&gt; to profile.

Profile: /usr/sbin/dhclient <co id="aa-genprof-read"></co>
Path: /etc/dhcp/dhclient.conf
New Mode: owner r
Severity: unknown

[1 - owner /etc/dhcp/dhclient.conf r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding owner /etc/dhcp/dhclient.conf r, to profile.

Profile: /usr/sbin/dhclient <co id="aa-genprof-write"></co>
Path: /var/lib/dhcp/dhclient.leases
New Mode: owner rw
Severity: unknown

[1 - owner /var/lib/dhcp/dhclient.leases rw,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding owner /var/lib/dhcp/dhclient.leases rw, to profile.

[..]

Profile: /usr/sbin/dhclient-script <co id="aa-genprof-other-profile"></co>
Path: /usr/bin/dash
New Mode: owner r
Severity: unknown

[1 - include &lt;abstractions/gvfs-open&gt;]
2 - include &lt;abstractions/ubuntu-browsers.d/plugins-common&gt;
3 - include &lt;abstractions/xdg-open&gt;
4 - owner /usr/bin/dash r,
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
<userinput>2</userinput>

Profile: /usr/sbin/dhclient-script
Path: /usr/bin/dash
New Mode: owner r
Severity: unknown

1 - include &lt;abstractions/gvfs-open&gt;
[2 - include &lt;abstractions/ubuntu-browsers.d/plugins-common&gt;]
3 - include &lt;abstractions/xdg-open&gt;
4 - owner /usr/bin/dash r,
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding include &lt;abstractions/ubuntu-browsers.d/plugins-common&gt; to profile.
[..]

Enforce-mode changes:

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

[1 - /usr/sbin/dhclient]
2 - /usr/sbin/dhclient-script
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<userinput>S</userinput>
Writing updated profile for /usr/sbin/dhclient.
Writing updated profile for /usr/sbin/dhclient-script.

Profiling: /usr/sbin/dhclient

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish
<userinput>F</userinput>
Setting /usr/sbin/dhclient to enforce mode.
Setting /usr/sbin/dhclient-script to enforce mode.

Reloaded AppArmor profiles in enforce mode.

Please consider contributing your new profile!
See the following wiki page for more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Finished generating profile for /usr/sbin/dhclient.</computeroutput>

<computeroutput># </computeroutput><userinput>aa-genprof dhclient
</userinput><computeroutput>Updating AppArmor profiles in /etc/apparmor.d.
Writing updated profile for /usr/sbin/dhclient.
Setting /usr/sbin/dhclient to complain mode.

Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Profiling: /usr/sbin/dhclient

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish
<userinput>S</userinput>
Reading log entries from /var/log/syslog.

Profile: /usr/sbin/dhclient <co id="aa-genprof-execute"></co>
Execute: /usr/sbin/dhclient-script
Severity: unknown

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
<userinput>P</userinput>

Should AppArmor sanitise the environment when
switching profiles?

Sanitising environment is more secure,
but some applications depend on the presence
of LD_PRELOAD or LD_LIBRARY_PATH.

[(Y)es] / (N)o
<userinput>Y</userinput>
Writing updated profile for /usr/sbin/dhclient-script.
WARNING: Ignoring exec event in /usr/sbin/dhclient//null-/usr/sbin/dhclient-script//null-/usr/bin/systemctl, nested profiles are not supported yet.
Complain-mode changes:

Profile: /usr/sbin/dhclient <co id="aa-genprof-capability"></co>
Capability: net_raw
Severity: 8

[1 - capability net_raw,]
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding capability net_raw, to profile.

Profile: /usr/sbin/dhclient
Capability: net_bind_service
Severity: 8

[1 - #include &lt;abstractions/nis&gt;]
2 - capability net_bind_service,
(A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding #include &lt;abstractions/nis&gt; to profile.

Profile: /usr/sbin/dhclient <co id="aa-genprof-read"></co>
Path: /etc/ssl/openssldhcp/dhclient.conf
New Mode: owner r
Severity: 2unknown

[1 - #include &lt;abstractions/lightdm&gt;]
2 - #include &lt;abstractions/openssl&gt;
3 - #include &lt;abstractions/ssl_keys&gt;
4 - owner /etc/ssl/openssl.cnf r,owner /etc/dhcp/dhclient.conf r,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding owner /etc/dhcp/dhclient.conf r, to profile.

Profile: /usr/sbin/dhclient <co id="aa-genprof-write"></co>
Path: /var/lib/dhcp/dhclient.leases
New Mode: owner rw
Severity: unknown

[1 - owner /var/lib/dhcp/dhclient.leases rw,]
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
<userinput>2A</userinput>

Profile: /usr/sbin/dhclient
Path: /etc/ssl/openssl.cnfAdding owner /var/lib/dhcp/dhclient.leases rw, to profile.

[..]

Profile: /usr/sbin/dhclient-script <co id="aa-genprof-other-profile"></co>
Path: /usr/bin/dash
New Mode: owner r
Severity: 2

unknown

[1 - #include &lt;abstractions/lightdmgvfs-open&gt;
[]
2 - #include &lt;abstractions/opensslubuntu-browsers.d/plugins-common&gt;]
3 - #include &lt;abstractions/ssl_keysxdg-open&gt;
4 - owner /etc/ssl/openssl.cnf r,
[usr/bin/dash r,
(A)llow] / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish / (M)ore
<userinput>A2</userinput>
[...]
Profile: /usr/sbin/dhclient-script <co id="aa-genprof-other-profile"></co>
Path: /usr/bin/dash
New Mode: owner r
Severity: unknown

1 - #include &lt;abstractions/gvfs-open&gt;
[2 - #include &lt;abstractions/lightdm&gt;]
3 - #include &lt;abstractions/ubuntu-browsers.d/plugins-common&gt;]
43 - #include &lt;abstractions/xdg-open&gt;
54 - owner /usr/bin/dash r,
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
<userinput>A</userinput>
Adding #include &lt;abstractions/lightdm&gt; to profile.
Deleted 2 previous matchiubuntu-browsers.d/plugins-common&gt; to profile.
[..]

Enforce-mode chang profile entries.:

= Changed Local Profiles =

The following local profiles were changed. Would you like to save them?

[1 - /usr/sbin/dhclient]
2 - /usr/sbin/dhclient-script
(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
<userinput>S</userinput>
Writing updated profile for /usr/sbin/dhclient.
Writing updated profile for /usr/sbin/dhclient-script.

Profiling: /usr/sbin/dhclient

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" option below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

[(S)can system log for AppArmor events] / (F)inish
<userinput>F</userinput>
Setting /usr/sbin/dhclient to enforce mode.
Setting /usr/sbin/dhclient-script to enforce mode.

Reloaded AppArmor profiles in enforce mode.

Please consider contributing your new profile!
See the following wiki page for more information:
https://gitlab.com/apparmor/apparmor/wikis/Profiles

Finished generating profile for /usr/sbin/dhclient.</computeroutput>

<computeroutput># </computeroutput><userinput>aa-unconfined
</userinput><computeroutput>473 /usr/sbin/dhclient confined by '/{,usr/}sbin/dhclient (enforce)'
521 /usr/sbin/sshd (sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups) not confined
1206 /usr/sbin/squid not confined
9931 /usr/bin/containerd not confined
11171 /usr/sbin/exim4 not confined
</computeroutput>

<computeroutput># </computeroutput><userinput>aa-unconfined
</userinput><computeroutput>45173 /usr/sbin/containerd not confined
467dhclient confined by '/{,usr/}sbin/dhclient (enforce)'
521 /usr/sbin/sshd (sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups) not confined
8921206 /usr/sbin/squid not confined
9931 /usr/bin/containerd not confined
11171 /usr/sbin/exim4 not confined
</computeroutput>

<computeroutput># </computeroutput><userinput>aa-status
</userinput><computeroutput>apparmor module is loaded.
40 profiles are loaded.
18 profiles are in enforce mode.
/usr/bin/man
[..]
22 profiles are in complain mode.
[..]
dnsmasq
[..]
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/dhclient (473) /{,usr/}sbin/dhclient
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.</computeroutput>

<computeroutput># </computeroutput><userinput>aa-status
</userinput><computeroutput>apparmor module is loaded.
3240 profiles are loaded.
158 profiles are in enforce mode.
/usr/bin/man
[...]
1722 profiles are in complain mode.
/usr/sbin/dnsmasq
[...][..]
dnsmasq
[..]
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/libvirtd (468) libvirtddhclient (473) /{,usr/}sbin/dhclient
0 processes are in complain mode.
0 processes are unconfined but have a profile defined. 0 processes are in mixed mode.
0 processes are in kill mode.</computeroutput>

AppArmor support is built into the standard kernels provided by Debian. Enabling AppArmor is thus just a matter of installing some packages by executing <command>apt install apparmor apparmor-profiles apparmor-profiles-extra apparmor-utils</command> with root privileges.

Dukungan AppArmor diterbangun kedi dalam kernel standar yang disediakan oleh Debian. MemfungsiKarena itu, mengaktifkan AppArmor adhanyalah hanya sekadar menginstalsoal memasang beberapa paket dengan mengeksekusi <command>apt install apparmor apparmor-profiles apparmor-profiles-extra apparmor-utils</command> dengan hak akses root.