Posted January 19

You are reading Part 19 of the 57-part series: Harden and Secure Linux Servers. [Level 2]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

AppArmor (Ubuntu/Debian) and SELinux (CentOS/RHEL) are Mandatory Access Control (MAC) systems that enforce strict security policies on processes and services. Unlike traditional Linux permissions, these systems limit what processes can access, reducing the impact if an attacker compromises an application.

By confining applications to a predefined set of actions and resources, AppArmor and SELinux prevent unauthorized access, privilege escalation, and file modifications.

For AppArmor (Ubuntu/Debian)

Check if AppArmor is enabled:

    sudo apparmor_status

If it's not enabled, start the service:

    sudo systemctl enable --now apparmor

List active AppArmor profiles:

    sudo aa-status

Enforce AppArmor Profiles for Specific Services:

AppArmor profiles are stored in /etc/apparmor.d/.

To create a profile for Nginx:

    sudo nano /etc/apparmor.d/usr.sbin.nginx

Define restricted access rules (example for Nginx):

    /usr/sbin/nginx {
      include <abstractions/base>
      # Web content: read-only
      /var/www/html/** r,
      # Main configuration file: read-only
      /etc/nginx/nginx.conf r,
      # Log files: read and write
      /var/log/nginx/** rw,
    }

Save and reload the profile:

    sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx

For SELinux (CentOS/RHEL)

Check SELinux status:

    sestatus

If disabled, enable it:

    sudo setenforce 1

List current SELinux policy booleans:

    sudo semanage boolean -l

Apply SELinux Policies to Restrict Services:

Example: Restrict access to a web directory for Apache (httpd)

    sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

Apply the policy:

    sudo restorecon -Rv /web

Set SELinux to Enforcing Mode (Recommended for Security):

    sudo setenforce 1

setenforce only switches a running system between permissive and enforcing and does not persist across reboots; the boot-time mode is set by SELINUX= in /etc/selinux/config.

Best Practices for AppArmor & SELinux Security

✅ Use AppArmor for lightweight MAC on Ubuntu/Debian (easier to configure).
✅ Use SELinux for fine-grained access control on CentOS/RHEL (stricter policies).
✅ Regularly audit security logs (/var/log/audit/audit.log for SELinux).
✅ Test policies before enforcing (setenforce 0 puts SELinux in permissive mode).
✅ Use audit2allow to generate new SELinux policies for denied actions:

    sudo cat /var/log/audit/audit.log | audit2allow -M my_policy
    sudo semodule -i my_policy.pp

By enforcing AppArmor or SELinux, you limit application access to system resources, reducing the risk of exploits, privilege escalation, and malware infections, making your Linux server significantly more secure.
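The log-audit and test-before-enforcing practices above can be scripted. The following is an added example, not part of the original article: it groups SELinux and AppArmor denial records from audit.log and marks whether each was actually blocked or only logged (permissive/complain mode). The function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real host): httpd reading files under a
# /web tree still labeled default_t, and nginx opening a path outside its profile.
SAMPLE_LOG = """\
type=AVC msg=audit(1705660000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1705660001.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="about.html" dev="sda1" ino=5679 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1705660001.456:457): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1705660002.789:458): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/ssl/private/site.key" pid=2222 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

SELINUX_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scon>\S+)\s+'
    r'tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\S+)(?:.*?permissive=(?P<permissive>[01]))?')
APPARMOR_RE = re.compile(
    r'apparmor="(?P<verdict>DENIED|ALLOWED)".*?profile="(?P<profile>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"')

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(log_text):
    """Count denials per (mac, subject, target, access, blocked) tuple."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SELINUX_RE.search(line)
        if m:
            # permissive=1 means logged only; a missing field is treated as blocked.
            blocked = m["permissive"] != "1"
            access = f'{m["cls"]}:{" ".join(m["perms"].split())}'
            counts[("selinux", context_type(m["scon"]), context_type(m["tcon"]), access, blocked)] += 1
            continue
        m = APPARMOR_RE.search(line)
        if m:
            blocked = m["verdict"] == "DENIED"  # complain mode logs ALLOWED instead
            counts[("apparmor", m["profile"], m["name"], m["mask"], blocked)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).most_common():
        print(n, *key)
```

Entries with blocked=False are the ones that will start failing once the policy is enforced, so review them before running setenforce 1 or moving a profile out of complain mode.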