How to balance AppArmor and SELinux in mixed envs for integrity monitoring?
#1
I'm a junior sysadmin tasked with hardening our company's new fleet of Ubuntu web servers before they go into production. I've followed the basic CIS benchmarks for SSH configuration and firewall rules, but I'm looking for more nuanced server hardening practices. Specifically, I'm unsure about the best approach for mandatory access control like AppArmor versus SELinux in a mixed environment, and how to effectively implement and audit file integrity monitoring without creating excessive alert noise. What are some often-overlooked steps or tools you consider essential for a robust baseline?
Reply
#2
Ubuntu's AppArmor is the pragmatic default for hardening. SELinux can be configured, but it's a bigger lift on Ubuntu and tends to work best when the distro ships with policy support. If you go SELinux, do a lab pilot first and expect more tuning. In production, start enforcing AppArmor on critical services and use aa-status to verify, aa-genprof for custom services, and aa-complain to gradually tighten policies.
Reply
#3
Focus your hardening on service-specific profiles. Create and maintain profiles for nginx, PHP/Node runtimes, and your application; generate using aa-genprof and keep them in version control. Use aa-complain on the non-essential ones while you tune, then switch to aa-enforce once stable. Keep logs, and review denials weekly.
Reply
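Reviewing denials weekly is easier with a summary than with raw audit lines. The script below is an added example for this thread, not code from any of the posters or from the AppArmor project: it condenses `apparmor="DENIED"` audit records into a count per profile, operation and target path, and separately lists the `apparmor="ALLOWED"` records that complain mode emits, which are exactly the accesses you have to decide about before switching a profile to enforce. The sample log lines are constructed to look like AppArmor audit records and are not from a real host; the script assumes GNU sed, sort and uniq.

```shell
#!/usr/bin/env bash
# Weekly AppArmor denial triage. Added example, not from the thread or the
# AppArmor project. Feed it lines from /var/log/audit/audit.log or
# `journalctl -k`; the sample below is constructed, not captured.
set -u

SAMPLE_DENIALS='type=AVC msg=audit(1700000000.101:1): apparmor="DENIED" operation="open" profile="nginx" name="/etc/shadow" pid=1201 comm="nginx" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000000.102:2): apparmor="DENIED" operation="open" profile="nginx" name="/etc/shadow" pid=1201 comm="nginx" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000000.103:3): apparmor="ALLOWED" operation="open" profile="php-fpm" name="/var/www/app/cache/x.tmp" pid=1305 comm="php-fpm" requested_mask="w" denied_mask="w"
type=AVC msg=audit(1700000000.104:4): apparmor="DENIED" operation="exec" profile="php-fpm" name="/usr/bin/curl" pid=1306 comm="php-fpm" requested_mask="x" denied_mask="x"
type=AVC msg=audit(1700000000.105:5): apparmor="DENIED" operation="open" profile="nginx" name="/var/www/app/cache/sess_1" pid=1201 comm="nginx" requested_mask="r" denied_mask="r"'

# Extract the value of key="..." from one audit line (empty if absent).
field() { # $1 = line, $2 = key
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Print "count<TAB>profile<TAB>operation<TAB>path" for every distinct tuple
# whose apparmor= status matches $1, most frequent first. Reads stdin.
_tuples() { # $1 = DENIED or ALLOWED
  local wanted=$1 line
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    [ "$(field "$line" apparmor)" = "$wanted" ] || continue
    printf '%s\t%s\t%s\n' "$(field "$line" profile)" \
      "$(field "$line" operation)" "$(field "$line" name)"
  done | sort | uniq -c | sort -rn
}

# Enforce-mode denials: what was actually blocked and how often.
summarize_denials() { _tuples DENIED; }

# Complain-mode events (aa-complain profiles): accesses that were allowed but
# would be denied under enforce. Each one needs a rule or a fix before aa-enforce.
complain_events() { _tuples ALLOWED; }

# Usage: printf '%s\n' "$SAMPLE_DENIALS" | summarize_denials
```

Tab-separated output pipes cleanly into `column -t` for a readable weekly report, and a path that shows up repeatedly (here `/etc/shadow` read by the nginx profile) is the kind of entry worth investigating rather than silencing.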
#4
Set up AIDE with a strict baseline for /etc, /var/lib, and the application dirs. Run weekly or nightly checks and filter noise with directory whitelists and deny file changes to ephemeral paths. Combine with OSSEC/Wazuh for real-time alerting and correlation with login events, su attempts, and config drift. Ensure the baseline is stored offline and in version control.
Reply
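To make the "baseline plus exclusions" idea concrete, here is an added example that is not AIDE's code and not from any poster in this thread: a minimal integrity check that hashes a directory tree, stores the baseline as a text file you can commit or copy offline, and on the next run reports ADDED, REMOVED and CHANGED paths while skipping patterns that are expected to churn. The exclusion globs (`cache/*`, `*.pid`, `*.tmp`, `sessions/*`) are assumptions for illustration; the script assumes GNU coreutils (`sha256sum`, `find`, `awk`).

```shell
#!/usr/bin/env bash
# Minimal AIDE-style file integrity baseline and check with noise filtering.
# Added example, not AIDE's own code; exclusion patterns are assumptions.
set -u

# Globs matched against the path relative to the monitored root. Anything
# matching is expected to churn and is left out of the baseline and the check.
FIM_EXCLUDES='cache/* *.pid *.tmp sessions/*'

fim_excluded() { # $1 = relative path; returns 0 if an exclude glob matches
  local rel=$1 pat
  for pat in $FIM_EXCLUDES; do
    case "$rel" in $pat) return 0 ;; esac
  done
  return 1
}

# Emit "sha256<TAB>relative/path" for every regular file under $1, sorted,
# minus exclusions. This is the baseline format.
fim_snapshot() { # $1 = root dir
  local root=$1 rel
  (cd "$root" && find . -type f -print | sed 's|^\./||' | LC_ALL=C sort) |
  while IFS= read -r rel; do
    fim_excluded "$rel" && continue
    printf '%s\t%s\n' "$(sha256sum -- "$root/$rel" | cut -d' ' -f1)" "$rel"
  done
}

# Write the baseline. Keep a copy somewhere the monitored host cannot modify.
fim_baseline() { # $1 = root, $2 = baseline file
  fim_snapshot "$1" > "$2"
}

# Compare the current tree with the baseline. Prints one finding per line
# (ADDED/REMOVED/CHANGED path), sorted; returns 1 on drift, 0 if clean.
fim_check() { # $1 = root, $2 = baseline file
  local root=$1 base=$2 cur findings
  cur=$(mktemp)
  fim_snapshot "$root" > "$cur"
  findings=$(awk -F'\t' '
    FILENAME == ARGV[1] { base[$2] = $1; next }
    {
      seen[$2] = 1
      if (!($2 in base))       print "ADDED " $2
      else if (base[$2] != $1) print "CHANGED " $2
    }
    END { for (p in base) if (!(p in seen)) print "REMOVED " p }
  ' "$base" "$cur" | LC_ALL=C sort)
  rm -f "$cur"
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Usage: fim_baseline /var/www/app /root/app.baseline
#        fim_check    /var/www/app /root/app.baseline || alert
```

The non-zero exit from `fim_check` is what a cron job or a Wazuh command monitor should key on; the printed findings are the payload for the alert, and because excluded paths never enter the baseline, a change to a session file or a PID file cannot produce one.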
#5
Enable auditd with focused rules: monitor key config files, service binaries, and critical system calls used by web servers. Route audit logs to a centralized log server; tune max_log_file and rate_limit. Use ausearch and aureport to produce digestible reports for auditors, not raw logs.
Reply
#6
Drop capabilities for web processes (no setuid unless needed), enable 'fs.suid_dumpable=0', enable 'kernel.dmesg_restrict=1', ensure 'net.ipv4.tcp_syncookies=1', 'ipv6.disable=1' if unused; configure SSH with keys only, disable root login, disable password-based sudo; enable automatic security updates; keep a minimal installed-OS approach; use containers or sandboxing.
Reply
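Settings like these tend to drift after kernel upgrades or a well-meaning `sysctl -w`, so a check that compares the running values against the intended ones belongs in the same weekly review. The script below is an added example, not from any poster here: it reads a dump of current settings (the output of `sysctl -a` for the kernel keys, or `sshd -T` for the effective SSH configuration) and prints a DRIFT line for every key that is missing or not at the expected value. The expected lists are taken from the kernel keys and SSH points in the post above; the sample dumps in the test are constructed, and the script assumes bash and POSIX awk.

```shell
#!/usr/bin/env bash
# Drift check for hardening settings. Added example, not from the thread.
# Reads a file of "key = value" (sysctl -a) or "key value" (sshd -T) lines.
set -u

# Expected kernel settings from the post above, key=value per line.
EXPECTED_SYSCTL='fs.suid_dumpable=0
kernel.dmesg_restrict=1
net.ipv4.tcp_syncookies=1'

# Expected effective sshd settings as `sshd -T` prints them (lower-case keys):
# keys only, no root login.
EXPECTED_SSHD='passwordauthentication no
permitrootlogin no
pubkeyauthentication yes'

# Generic comparison: expected "key=value" / "key value" lines on stdin,
# current dump file in $1. Prints "DRIFT key expected=X actual=Y" per
# mismatch (actual=<unset> when the key is absent) and returns 1 on drift.
check_settings() { # $1 = dump file
  local dump=$1 line key want have drift=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    key=${line%%[= ]*}
    want=${line#*[= ]}
    # Normalise "key = value" to "key value", then pick the value for this key.
    have=$(awk -v k="$key" '
      { sub(/[[:space:]]*=[[:space:]]*/, " "); if ($1 == k) { print $2; exit } }
    ' "$dump")
    if [ "${have:-<unset>}" != "$want" ]; then
      printf 'DRIFT %s expected=%s actual=%s\n' "$key" "$want" "${have:-<unset>}"
      drift=1
    fi
  done
  return $drift
}

check_sysctl() { printf '%s\n' "$EXPECTED_SYSCTL" | check_settings "$1"; }
check_sshd()   { printf '%s\n' "$EXPECTED_SSHD"   | check_settings "$1"; }

# Usage on a live host (not run here):
#   sysctl -a 2>/dev/null > /tmp/sysctl.dump && check_sysctl /tmp/sysctl.dump
#   sshd -T > /tmp/sshd.dump && check_sshd /tmp/sshd.dump
```

Checking `sshd -T` output rather than grepping `sshd_config` matters because `Match` blocks and included files change the effective value; the same drift check can be extended with more `key value` lines as the baseline grows.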
#7
Integrate policy checks into CI/CD; run automated scans with OpenSCAP and Lynis; maintain a policy change log; test in a staging environment; implement 'gitops' style deployment of policies; add a disaster restoration plan.
Reply
#8
Want a quick starter checklist or a 2-page plan tailored to your stack? Share distro version, app stack, and whether you plan to use AppArmor only or also SELinux, and I’ll tailor it.
Reply