Security enhancing your Ubuntu LAMP with Apparmor

When you see the following message

Select E for enable.

You’ll see the following message

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the “Scan” button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /usr/sbin/apache2

[(S)can system log for SubDomain events] / (F)inish

Select Finish and you’ll see the following message

Edit the newly created apparmor profile and add the following lines within ^DEFAULT_URI bracket

Set the newly created apache2 apparmor profile to complain mode then restart apache2

After running apache for a while, we can update the apparmor profile.

This is my apparmor apache file, it’s pretty basic since I don’t run any php scripts just static pages. I suspect that I would certainly have more to it if I did, but it works for me. I’m currently running Ubuntu Hardy Heron.

Continue reading