AppArmor Profiles on an Anubiz Offshore VPS
AppArmor is Ubuntu's mandatory access control layer. It confines a process to a path/capability profile so even a compromised nginx cannot read /etc/shadow. The Anubiz Ubuntu 24.04 cloud image ships AppArmor enabled but with most profiles in complain mode. Flipping to enforce mode on services that ship a maintained profile (sshd, nginx, postfix, libvirtd) is low-effort hardening with high payoff.
Step 1: Confirm AppArmor Is Running
Run aa-status to list the loaded profiles and the mode each one is in. On a default install, most are in complain mode. Install the helper tools with apt install apparmor-utils.
Step 2: Enforce Profiles With Confidence
Run aa-enforce /etc/apparmor.d/usr.sbin.sshd, then do the same for nginx, postfix, named and dovecot if they are present. Confirm the mode change with aa-status.
Step 3: Complain Mode for Testing
For a custom app, start with aa-complain, which logs would-be denials to the journal (read them with journalctl) without blocking anything. Run your app through normal use, gather the denials, refine the profile, then enforce.
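One way to gather the denials from Step 3, as an added example that is not part of the original page: a shell function that groups AppArmor audit records by profile, operation, denied mask and path, most frequent first. The log lines in sample_log are constructed, and /usr/local/bin/otherapp is a hypothetical second profile used only to show the filter.

```shell
#!/bin/sh
# Added example: summarise AppArmor audit events so the most frequent
# would-be denials are reviewed first. Input is kernel log text on stdin,
# e.g.:  journalctl -k --no-pager | summarize_denials /usr/local/bin/myapp
# (with auditd installed the same records land in /var/log/audit/audit.log).

TAB=$(printf '\t')

# $1 = profile name to keep (empty string keeps every profile).
# Output columns: count, mode, profile, operation, denied_mask, path.
summarize_denials() {
    awk -v want="$1" '
    # Return the value of key="value" on the current line, or "".
    function field(key,    re, s) {
        re = " " key "=\"[^\"]*\""
        if (match($0, re) == 0) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    # ALLOWED = complain mode (logged only), DENIED = enforce mode (blocked).
    / apparmor="(ALLOWED|DENIED)"/ {
        prof = field("profile")
        if (want != "" && prof != want) next
        key = field("apparmor") "\t" prof "\t" field("operation")
        key = key "\t" field("denied_mask") "\t" field("name")
        seen[key]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' | sort -t "$TAB" -k1,1nr -k2
}

# Constructed sample input (not captured from a real host).
sample_log() {
    cat <<'EOF'
kernel: audit: type=1400 audit(1700000000.101:41): apparmor="ALLOWED" operation="open" class="file" profile="/usr/local/bin/myapp" name="/etc/myapp/config.yml" pid=2211 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
kernel: audit: type=1400 audit(1700000003.554:42): apparmor="ALLOWED" operation="mknod" class="file" profile="/usr/local/bin/myapp" name="/var/lib/myapp/state.db" pid=2211 comm="myapp" requested_mask="c" denied_mask="c" fsuid=1001 ouid=1001
kernel: audit: type=1400 audit(1700000009.870:43): apparmor="ALLOWED" operation="open" class="file" profile="/usr/local/bin/myapp" name="/etc/myapp/config.yml" pid=2290 comm="myapp" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
kernel: audit: type=1400 audit(1700000011.002:44): apparmor="ALLOWED" operation="open" class="file" profile="/usr/local/bin/otherapp" name="/etc/hosts" pid=2301 comm="otherapp" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0
kernel: eth0: link becomes ready
EOF
}

sample_log | summarize_denials /usr/local/bin/myapp
```

Each output row maps to one candidate rule for the profile: the path plus the denied mask is what the profile would need to allow, so review each row before adding it rather than allowing everything that was logged.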
Step 4: Custom Profile via aa-genprof
aa-genprof /usr/local/bin/myapp interactively generates a profile by tracing the app. Tedious but produces a tight profile.
Step 5: Updates
Profile updates ship with packages. apt upgrade may add new rules or replace yours - keep customizations in /etc/apparmor.d/local/.