Sunday, January 18, 2009

How to create Apparmor configuration file for Apache

If you need to harden the apache service with AppArmor, here is a step-by-step guide to creating an AppArmor profile for apache. The idea is to run apache under a profile in complain mode (where AppArmor only logs what it would have blocked), exercise the web application so every file access gets logged, and then turn those log entries into rules before the profile is switched to enforce mode.

First, start profile generation. genprof puts the apache2 profile into complain mode and learns from the AppArmor audit messages in the system log (on Ubuntu these go to /var/log/syslog, which is what -f points it at). When it asks about the profile repository, skip that part by answering (L)ater:
sudo genprof -f /var/log/syslog /usr/sbin/apache2

Setting /usr/sbin/apache2 to complain mode.

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /usr/sbin/apache2

[(S)can system log for SubDomain events] / (F)inish


Keep this window open and don't press (S) or (F) yet, because there is still work to do.
Second, open a new console and restart the apache service so that it is running under the complain-mode profile:
sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
Now browse and test your web application as thoroughly as you can: every file and directory apache touches is logged as an AppArmor event, and only what you exercise now will end up in the profile. When you are done testing, go back to the console that is still running genprof and press (S). genprof walks you through each logged access and asks whether it should be allowed or denied.

Once you finish with genprof (press (F)), the profile is saved as /etc/apparmor.d/usr.sbin.apache2 and switched from complain mode to enforce mode, so from now on anything not covered by a rule is actually blocked. Restart apparmor and then restart the apache daemon.

If part of your web application is no longer accessible, check the AppArmor messages in the log for accesses that were denied:
Jan 19 16:51:47 appserv02 kernel: [264251.884604] audit(1232355107.629:28228): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/www/html/MyApps/index.php" pid=19234 profile="/usr/sbin/apache2" namespace="default"
This entry means apache (profile="/usr/sbin/apache2") was denied read access (denied_mask="r::") to /var/www/html/MyApps/index.php. Edit /etc/apparmor.d/usr.sbin.apache2 and add this rule inside the profile's braces:
/var/www/html/MyApps/index.php r,
Grant only the mode that was actually denied (here r); don't reach for w or x just to make the error go away. Restart apparmor and the apache server one more time. If the audit log shows more blocked accesses, repeat the steps above.
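Reading denial lines by hand and typing rules one at a time gets tedious once the application touches a few dozen files. Below is an added example, not code from the original post, of a small shell function that does the log-to-rule translation from the steps above: it keeps only inode_permission denials for the profile you name, pulls out the path and the denied mode, and prints them in profile syntax. The first sample log line is the one from the post; the other three are constructed for the demo, and /var/www/html/MyApps/uploads/photo.jpg and /usr/bin/other are made-up names.

```shell
#!/bin/sh
# Added example (not part of the original post): turn AppArmor denial lines
# from syslog into candidate rules for /etc/apparmor.d/usr.sbin.apache2.
# It only prints suggestions; nothing under /etc/apparmor.d is modified.

# denials_to_rules PROFILE
# Reads syslog lines on stdin, keeps inode_permission denials logged for
# PROFILE, and prints one deduplicated rule per (path, mode) pair.
denials_to_rules() {
    awk -v prof="$1" '
        /operation="inode_permission"/ && index($0, "profile=\"" prof "\"") {
            mask = ""; name = ""
            # denied_mask="r::" -> "r": the colons are separators in the
            # 2009-era mask format, only the mode letters matter for a rule.
            if (match($0, /denied_mask="[^"]*"/)) {
                mask = substr($0, RSTART + 13, RLENGTH - 14)
                gsub(/:/, "", mask)
            }
            if (match($0, /name="[^"]*"/)) {
                name = substr($0, RSTART + 6, RLENGTH - 7)
            }
            if (mask != "" && name != "")
                print "  " name " " mask ","
        }' | sort -u
}

# Constructed sample input. Line 1 is the denial quoted in the post; lines 2-4
# are made up: a write denial, a duplicate of line 1 from another pid, and a
# denial for an unrelated profile that must not leak into apache's rules.
SAMPLE_LOG='Jan 19 16:51:47 appserv02 kernel: [264251.884604] audit(1232355107.629:28228): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/www/html/MyApps/index.php" pid=19234 profile="/usr/sbin/apache2" namespace="default"
Jan 19 16:51:48 appserv02 kernel: [264252.001000] audit(1232355108.100:28229): type=1503 operation="inode_permission" requested_mask="w::" denied_mask="w::" name="/var/www/html/MyApps/uploads/photo.jpg" pid=19234 profile="/usr/sbin/apache2" namespace="default"
Jan 19 16:51:49 appserv02 kernel: [264253.002000] audit(1232355109.200:28230): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/www/html/MyApps/index.php" pid=19235 profile="/usr/sbin/apache2" namespace="default"
Jan 19 16:51:50 appserv02 kernel: [264254.003000] audit(1232355110.300:28231): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/etc/shadow" pid=4321 profile="/usr/bin/other" namespace="default"'

# Stand-alone demo: print the suggested rules for the apache2 profile.
printf '%s\n' "$SAMPLE_LOG" | denials_to_rules /usr/sbin/apache2
```

Against a real machine run it as `denials_to_rules /usr/sbin/apache2 < /var/log/syslog`, read every suggested line before pasting it into the profile, and reload with `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2`. The point of the review step is that the output is a list of what apache tried to do, not a list of what it should be allowed to do: a `w` on a file under the document root (like the constructed photo.jpg line) is exactly the kind of rule to question rather than copy. Once you know the application's layout, per-file read rules are usually better collapsed into one directory rule such as `/var/www/html/MyApps/** r,`.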
