HOWTO : Security enhanced your Ubuntu 9.04 LAMP server with AppArmor

Step 1 :

Check if AppArmor is enabled or not. And make sure MySQL profile is enabled too.

sudo apparmor_status

Step 2 :

Create a profile of Apache2.

sudo aa-genprof apache2

sudo nano /etc/apparmor.d/usr.sbin.apache2

Add the following lines within ^DEFAULT_URI bracket.

/usr/sbin/suexec2 rix,
/usr/share/apache2/** r,
/var/log/apache2/** rwl,
/var/xoops/** r,
/var/www/xoops/** r,

Step 3 :

Put the profile in complain mode.

sudo aa-complain /etc/apparmor.d/usr.sbin.apache2
sudo /etc/init.d/apache2 restart

Step 4 :

After running the XOOPS for a while, we can update the profiles.

sudo aa-logprof

When the prompt ask for your selection, choose “A (Add)” to add a rule to the profiles. Save the file at the end of the process.

You can repeat this step when necessary.

Step 5 :

After running the XOOPS for a longer time and found no error, you can make the profile in enforce mode. Before doing so, make sure you have conducted the Step 4 once more.

sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2
sudo /etc/init.d/apache2 restart

Step 6 (Optional) :

If you encounter any error, you can disable the profile.

sudo ln -s /etc/apparmor.d/usr.sbin.apache2 /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.apache2
sudo rm /etc/aparmor.d/disable/usr.sbin.apache2

Reference :
(1) Ubuntu Documentation (AppArmor)
(2) Introduction to AppArmor
(3) Share your profiles
(4) AppArmor support threads

Advertisements

3 Responses

  1. […] Security enhanced Ubuntu 9.04 LAMP server with AppArmor […]

  2. […] more here:  HOWTO : Security enhanced your Ubuntu 9.04 LAMP server with … Tags: enabled-too-, hernandez, hundred-paper, minor-usability, posted-on-june, security, […]

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: