Security enhancing your Ubuntu LAMP with Apparmor

sudo aa-genprof apache2

When you see the following message:

Would you like to enable access to the
profile repository?
(E)nable Repository / (D)isable Repository / Ask Me (L)ater

Select E for enable.

You’ll see the following message:

Writing updated profile for /usr/sbin/apache2.
Setting /usr/sbin/apache2 to complain mode.

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the “Scan” button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /usr/sbin/apache2

[(S)can system log for SubDomain events] / (F)inish

Select Finish and you’ll see the following message:

Setting /usr/sbin/apache2 to enforce mode.
Reloaded SubDomain profiles in enforce mode.
Finished generating profile for /usr/sbin/apache2.

Edit the newly created AppArmor profile (/etc/apparmor.d/usr.sbin.apache2) and add the following lines inside the braces of the ^DEFAULT_URI hat:

/usr/sbin/suexec2 rix,
/usr/share/apache2/** r,
/var/log/apache2/** rwl,
/var/www/** r,

Set the newly created apache2 AppArmor profile to complain mode, then restart apache2:

sudo aa-complain /etc/apparmor.d/usr.sbin.apache2
sudo /etc/init.d/apache2 restart

After Apache has run for a while in complain mode, update the AppArmor profile from the events it has logged:

sudo aa-logprof
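aa-logprof walks you through the logged events one by one. The following is an added example, not code from the original post, that summarises the same events up front: for a given profile it lists the distinct path/permission pairs the complain-mode profile let through (the candidate rules you will be asked about) and counts the events an enforce-mode profile blocked. SAMPLE_LOG is constructed test data in the audit format current kernels write to syslog; the host name, pids and paths are made up. Feed it real input with something like sudo cat /var/log/kern.log | aa_suggest_rules /usr/sbin/apache2.

```bash
#!/bin/sh
# Added example, not from the original post: summarise the AppArmor events
# that aa-logprof would ask about, so you can see at a glance what the
# complain-mode profile let through and what an enforce-mode profile blocked.
# SAMPLE_LOG is CONSTRUCTED test data in the audit format current kernels
# write to syslog; host, pids and paths are made up.

SAMPLE_LOG='
Jun 12 13:40:01 web kernel: type=1400 audit(1276349601.001:20): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/index.html" pid=4101 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jun 12 13:40:02 web kernel: type=1400 audit(1276349602.002:21): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/log/apache2/access.log" pid=4101 comm="apache2" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jun 12 13:40:02 web kernel: type=1400 audit(1276349602.500:22): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/index.html" pid=4102 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Jun 12 13:40:03 web kernel: type=1400 audit(1276349603.000:23): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/log/apache2/error.log" pid=4101 comm="apache2" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jun 12 13:41:10 web kernel: type=1400 audit(1276349670.000:24): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/home/someone/notes.txt" pid=4103 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=1000
Jun 12 13:41:11 web kernel: type=1400 audit(1276349671.000:25): apparmor="DENIED" operation="exec" profile="/usr/sbin/apache2" name="/tmp/setup.sh" pid=4103 comm="apache2" requested_mask="x" denied_mask="x" fsuid=33 ouid=33
Jun 12 13:41:12 web kernel: type=1400 audit(1276349672.000:26): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/var/lib/mysql/ibdata1" pid=3900 comm="mysqld" requested_mask="rw" denied_mask="rw" fsuid=101 ouid=101
Jun 12 13:41:13 web kernel: type=1400 audit(1276349673.000:27): apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" name="/var/www/css/site.css" pid=4101 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
'

# aa_events PROFILE: read log lines on stdin, print one normalised line per
# AppArmor event for PROFILE: "<ALLOWED|DENIED> <operation> <path> <mask>".
# Paths containing spaces would need a stricter format; none occur here.
aa_events() {
  awk -v prof="$1" '
    # Return the value of key="value" in the current line, or "".
    function field(key,    re) {
      re = key "=\"[^\"]*\""
      if (match($0, re))
        return substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
      return ""
    }
    index($0, "apparmor=") && field("profile") == prof {
      print field("apparmor"), field("operation"), field("name"), field("requested_mask")
    }'
}

# aa_denied_count PROFILE: number of enforce-mode denials for PROFILE.
aa_denied_count() {
  aa_events "$1" | awk '$1 == "DENIED" { n++ } END { print n + 0 }'
}

# aa_suggest_rules PROFILE: one candidate "path perms," rule per path seen in
# complain-mode ALLOWED events, with the masks of repeated paths merged.
aa_suggest_rules() {
  aa_events "$1" | awk '
    $1 == "ALLOWED" {
      for (i = 1; i <= length($4); i++) {
        c = substr($4, i, 1)
        if (index(mask[$3], c) == 0) mask[$3] = mask[$3] c
      }
    }
    END { for (p in mask) print p " " mask[p] "," }' | sort
}

# Stand-alone demo on the constructed sample.
echo "candidate rules for /usr/sbin/apache2:"
printf '%s\n' "$SAMPLE_LOG" | aa_suggest_rules /usr/sbin/apache2
echo "denied events: $(printf '%s\n' "$SAMPLE_LOG" | aa_denied_count /usr/sbin/apache2)"
```

The candidate rules are only a starting point: a path that appears once in the log still deserves a moment's thought before it becomes a rule, and globbing several paths into one pattern (as the post does with /var/www/** r) is a decision aa-logprof asks you to make, not one a log summary can make for you. Once the profile is back in enforce mode (sudo aa-enforce /etc/apparmor.d/usr.sbin.apache2), anything the profile does not cover shows up as DENIED, so a non-zero aa_denied_count on a quiet, finished profile is worth investigating.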

This is my AppArmor apache2 profile. It’s pretty basic, since I don’t run any PHP scripts, just static pages. I suspect that I would certainly have more in it if I did, but it works for me. I’m currently running Ubuntu Hardy Heron.

# Last Modified: Sat Jun 12 13:46:42 2010
#include <tunables/global>
/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/nis>

  capability kill,
  capability net_bind_service,
  capability setgid,
  capability setuid,

  /etc/apache2/*/ r,
  /etc/apache2/apache2.conf r,
  /etc/apache2/conf.d/charset r,
  /etc/apache2/httpd.conf r,
  /etc/apache2/mods-available/** r,
  /etc/apache2/mods-enabled/** r,
  /etc/apache2/ports.conf r,
  /etc/apache2/sites-available/** r,
  /etc/apache2/sites-enabled/** r,
  /etc/mime.types r,
  /etc/php5/apache2/php.ini r,
  /etc/php5/conf.d/ r,
  /etc/php5/conf.d/mysql.ini r,
  /etc/php5/conf.d/mysqli.ini r,
  /etc/php5/conf.d/pdo.ini r,
  /etc/php5/conf.d/pdo_mysql.ini r,
  /usr/lib/** mr,
  /usr/sbin/apache2 mr,
  /usr/share/apache2/** r,
  /usr/share/file/* r,
  /var/*/ r,
  /var/log/apache2/access.log w,
  /var/log/apache2/error.log w,
  /var/run/apache2.pid rw,
  /var/www/** r,
}

/usr/sbin/apache2//DEFAULT_URI {
  /usr/sbin/suexec2 rix,
  /usr/share/apache2/** r,
  /var/log/apache2/** rwl,
  /var/www/** r,
}

/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT {
}
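The value of a profile like this is in what it does not grant: the document root under /var/www is readable but never writable, and only the two named log files can be written. The following is an added example, not part of the original post, that lets you probe those decisions offline. It embeds the file rules from the main profile above and implements the two glob rules they rely on (a single * never crosses a /, while ** does), then reports whether a given path and permission mask would be permitted and which rules matched. Capabilities, the #include abstractions and the two hats are not modelled, so a real DEFAULT_URI request may be allowed by the hat even where this says DENY.

```bash
#!/bin/sh
# Added example, not code from the original post: a small matcher that asks
# "does the main apache2 profile permit MASK on PATH?". It implements the two
# glob rules the profile relies on:
#   *   matches any run of characters that contains no "/"
#   **  matches any run of characters, "/" included
# Only the file rules of the main profile are modelled; capabilities,
# #include abstractions and the two hats are left out.

PROFILE_RULES='
/etc/apache2/*/ r,
/etc/apache2/apache2.conf r,
/etc/apache2/conf.d/charset r,
/etc/apache2/httpd.conf r,
/etc/apache2/mods-available/** r,
/etc/apache2/mods-enabled/** r,
/etc/apache2/ports.conf r,
/etc/apache2/sites-available/** r,
/etc/apache2/sites-enabled/** r,
/etc/mime.types r,
/etc/php5/apache2/php.ini r,
/etc/php5/conf.d/ r,
/etc/php5/conf.d/mysql.ini r,
/etc/php5/conf.d/mysqli.ini r,
/etc/php5/conf.d/pdo.ini r,
/etc/php5/conf.d/pdo_mysql.ini r,
/usr/lib/** mr,
/usr/sbin/apache2 mr,
/usr/share/apache2/** r,
/usr/share/file/* r,
/var/*/ r,
/var/log/apache2/access.log w,
/var/log/apache2/error.log w,
/var/run/apache2.pid rw,
/var/www/** r,
'

# aa_check PATH MASK
# Prints ALLOW or DENY on the first line, then one "rule:" line for every
# file rule whose glob matches PATH. AppArmor unions the permissions of all
# matching rules, so MASK is allowed only if each of its letters is in that union.
aa_check() {
  printf '%s\n' "$PROFILE_RULES" | awk -v path="$1" -v mask="$2" '
    # Recursive glob match of pattern p against string s.
    function glob(p, s,    pc, sc) {
      if (p == "") return s == ""
      if (substr(p, 1, 2) == "**")
        return glob(substr(p, 3), s) || (s != "" && glob(p, substr(s, 2)))
      pc = substr(p, 1, 1)
      if (pc == "*")
        return glob(substr(p, 2), s) ||
               (s != "" && substr(s, 1, 1) != "/" && glob(p, substr(s, 2)))
      if (s == "") return 0
      sc = substr(s, 1, 1)
      if (pc == "?") return sc != "/" && glob(substr(p, 2), substr(s, 2))
      return pc == sc && glob(substr(p, 2), substr(s, 2))
    }
    # A file rule line is "<path-glob> <perms>,"
    $1 ~ /^\// && $2 ~ /,$/ {
      perms = substr($2, 1, length($2) - 1)
      if (glob($1, path)) { union = union perms; matched[++n] = $0 }
    }
    END {
      ok = (n > 0)
      for (i = 1; i <= length(mask); i++)
        if (index(union, substr(mask, i, 1)) == 0) ok = 0
      print (ok ? "ALLOW" : "DENY")
      for (i = 1; i <= n; i++) print "  rule: " matched[i]
    }'
}

# Stand-alone demo: the document root is readable but not writable, only the
# two named logs are writable, and "*" in /etc/apache2/*/ does not reach into
# nested directories.
for probe in \
    "/var/www/site/index.html r" \
    "/var/www/site/index.html w" \
    "/var/log/apache2/access.log w" \
    "/var/log/apache2/other_vhost.log w" \
    "/etc/apache2/sites-enabled/ r" \
    "/etc/apache2/nested/dir/ r"
do
  set -- $probe
  printf '%s %s -> ' "$1" "$2"
  aa_check "$1" "$2"
done
```

The /etc/apache2/sites-enabled/ probe is worth a look: it is matched both by /etc/apache2/*/ r and by /etc/apache2/sites-enabled/** r, because ** also matches the empty string, whereas /etc/apache2/nested/dir/ matches neither. That is the difference that makes the narrow /etc/apache2/*/ rule safe to keep while the broader ** rules stay confined to the directories you listed.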

About billy

Senior IT Technician working in Edinburgh, Scotland.