OXIESEC PANEL

Name	Size	Modified	Perms
📁 ..	-	01/22/2024 08:17:32 AM	rwxr-xr-x
📁 abstractions	-	10/14/2020 08:20:58 AM	rwxr-xr-x
📁 cache	-	01/09/2023 09:00:04 PM	rwxr-xr-x
📁 disable	-	10/14/2020 08:17:34 AM	rwxr-xr-x
📁 force-complain	-	04/24/2018 02:47:41 PM	rwxr-xr-x
📁 local	-	11/11/2020 03:56:17 AM	rwxr-xr-x
📁 lxc	-	10/14/2020 08:21:52 AM	rwxr-xr-x
📄 lxc-containers	198 bytes	11/23/2018 04:49:34 AM	rw-r--r--
📄 sbin.dhclient	3.12 KB	03/26/2018 09:00:31 PM	rw-r--r--
📁 tunables	-	10/14/2020 08:20:58 AM	rwxr-xr-x
📄 usr.bin.lxc-start	125 bytes	11/23/2018 04:49:34 AM	rw-r--r--
📄 usr.bin.man	2.79 KB	04/07/2018 11:14:41 AM	rw-r--r--
📄 usr.lib.snapd.snap-confine.real	27.59 KB	02/18/2022 02:06:51 PM	rw-r--r--
📄 usr.sbin.mysqld	1.75 KB	10/23/2020 10:48:27 AM	rw-r--r--
📄 usr.sbin.rsyslogd	1.51 KB	04/24/2018 01:15:46 PM	rw-r--r--
📄 usr.sbin.tcpdump	1.32 KB	03/31/2018 08:13:20 PM	rw-r--r--

Editing: usr.sbin.tcpdump

# vim:syntax=apparmor
#include <tunables/global>

/usr/sbin/tcpdump {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

capability net_raw,
  capability setuid,
  capability setgid,
  capability dac_override,
  network raw,
  network packet,

# for -D
  @{PROC}/bus/usb/ r,
  @{PROC}/bus/usb/** r,

# for finding an interface
  @{PROC}/[0-9]*/net/dev r,
  /sys/bus/usb/devices/ r,
  /sys/class/net/ r,
  /sys/devices/**/net/* r,

# for -j
  capability net_admin,

# for tracing USB bus, which libpcap supports
  /dev/usbmon* r,
  /dev/bus/usb/ r,
  /dev/bus/usb/** r,

# for init_etherarray(), with -e
  /etc/ethers r,

# for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
  /dev/bus/usb/**/[0-9]* w,

# for -z
  /{usr/,}bin/gzip ixr,
  /{usr/,}bin/bzip2 ixr,

# for -F and -w
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  owner @{HOME}/ r,
  owner @{HOME}/** rw,

# for -r, -F and -w
  /**.[pP][cC][aA][pP] rw,

# for convenience with -r (ie, read pcap files from other sources)
  /var/log/snort/*log* r,

/usr/sbin/tcpdump mr,

# Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.tcpdump>
}