Rules Related To 'apparmor'

Rule details

Enforce all AppArmor Profiles

AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command:

$ sudo aa-enforce /etc/apparmor.d/*

To list unconfined processes run the following command:

$ sudo aa-unconfined

Any unconfined processes may need to have a profile created or activated for them and then be restarted.


Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.

All AppArmor Profiles are in enforce or complain mode

AppArmor profiles define what resources applications are able to access. Every profile should be in either enforce or complain mode. To set all profiles to enforce mode run the following command:

$ sudo aa-enforce /etc/apparmor.d/*

To set all profiles to complain mode run the following command:

$ sudo aa-complain /etc/apparmor.d/*

To list unconfined processes run the following command:

$ sudo aa-unconfined

Any unconfined processes may need to have a profile created or activated for them and then be restarted.


Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.

Ensure AppArmor is Active and Configured

Verify that the AppArmor tool is configured to control whitelisted applications and user home directory access control.

The apparmor service can be enabled with the following command:

$ sudo systemctl enable apparmor.service


Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.

The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.

Verification of whitelisted software occurs prior to execution or at system startup.

Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources.

AppArmor can confine users to their home directory, not allowing them to make any changes outside of their own home directories. Confining users to their home directory will minimize the risk of sharing information.

Ensure AppArmor is enabled in the bootloader configuration


Configure AppArmor to be enabled at boot time and verify that it has not been overridden by the bootloader boot parameters. Note: This recommendation is designed around the GRUB bootloader; if LILO or another bootloader is in use in your environment, enact equivalent settings.


AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.
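The profile-mode rules and the bootloader rule above each describe a state to verify but give no audit script. The following POSIX sh helper is an added example (it is not from this page or from the ComplianceAsCode project): it parses the profile list in the format of /sys/kernel/security/apparmor/profiles ("name (mode)"), checks a kernel command line for apparmor=1 and security=apparmor, and flags GRUB linux boot lines that lack those parameters. The file paths and the GRUB parameter names are assumptions based on the rules' wording, and the check functions take text input so they can be exercised against constructed samples.

```sh
#!/bin/sh
# Added audit helper (not part of the compliance page). Run with --live to audit
# this host; without arguments it only defines the functions.

# Print every profile whose mode is not listed in $1 (space-separated, e.g.
# "enforce" or "enforce complain"). stdin: lines like "/usr/sbin/cupsd (enforce)",
# the format used by /sys/kernel/security/apparmor/profiles (assumed).
profiles_not_in_mode() {
    allowed=" $1 "
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        mode=${line##*\(}; mode=${mode%\)}        # text inside the last "(...)"
        case "$allowed" in
            *" $mode "*) ;;                       # permitted mode, nothing to report
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Succeed only if the kernel command line in $1 carries both boot parameters.
cmdline_enables_apparmor() {
    case " $1 " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $1 " in *" security=apparmor "*) return 0 ;; *) return 1 ;; esac
}

# Print each GRUB "linux"/"linux16"/"linuxefi" boot line on stdin that lacks the
# parameters, so a stale menu entry cannot silently boot without AppArmor.
grub_entries_missing_apparmor() {
    while IFS= read -r line; do
        set -- $line                              # word-split: $1 is the command
        case "$1" in linux|linux16|linuxefi) ;; *) continue ;; esac
        cmdline_enables_apparmor "$*" || printf '%s\n' "$line"
    done
}

# Live audit of this host; returns non-zero when anything is out of compliance.
audit_live() {
    rc=0
    if [ -r /sys/kernel/security/apparmor/profiles ]; then
        bad=$(profiles_not_in_mode "enforce complain" < /sys/kernel/security/apparmor/profiles)
        [ -z "$bad" ] || { printf 'Profiles not in enforce/complain mode:\n%s\n' "$bad"; rc=1; }
    else
        echo "AppArmor securityfs entry not present: AppArmor is not active"; rc=1
    fi
    cmdline_enables_apparmor "$(cat /proc/cmdline)" \
        || { echo "Kernel booted without apparmor=1 security=apparmor"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Pipe /boot/grub/grub.cfg into grub_entries_missing_apparmor to review menu entries before a reboot, since /proc/cmdline only reflects the entry that was actually booted.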

Ensure AppArmor is installed


AppArmor provides Mandatory Access Controls.


Without a Mandatory Access Control system installed, only the default Discretionary Access Control system will be available.

Ensure AppArmor Utils is installed


AppArmor provides Mandatory Access Controls.


Without a Mandatory Access Control system installed, only the default Discretionary Access Control system will be available.

Install the pam_apparmor Package


The pam_apparmor package can be installed with the following command:

$ sudo dnf install pam_apparmor


Protection of system integrity using AppArmor depends on this package being installed.