Rules Related To 'apparmor'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Enforce all AppArmor Profiles

all_apparmor_profiles_enforced

Description

AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command:

$ sudo aa-enforce /etc/apparmor.d/*
To list unconfined processes run the following command:
$ sudo aa-unconfined
Any unconfined processes may need to have a profile created or activated for them and then be restarted.

Rationale

Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.

All AppArmor Profiles are in enforce or complain mode

all_apparmor_profiles_in_enforce_complain_mode

Description

AppArmor profiles define what resources applications are able to access. To set all profiles to either enforce or complain mode run the following command to set all profiles to enforce mode:

$ sudo aa-enforce /etc/apparmor.d/*
run the following command to set all profiles to complain mode:
$ sudo aa-complain /etc/apparmor.d/*
To list unconfined processes run the following command:
$ sudo aa-unconfined
Any unconfined processes may need to have a profile created or activated for them and then be restarted.

Rationale

Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.

Ensure AppArmor is Active and Configured

apparmor_configured

Description

Verify that the Apparmor tool is configured to control whitelisted applications and user home directory access control.

The apparmor service can be enabled with the following command:

$ sudo systemctl enable apparmor.service

Rationale

Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities.

The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.

Verification of whitelisted software occurs prior to execution or at system startup.

Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources.

Apparmor can confine users to their home directory, not allowing them to make any changes outside of their own home directories. Confining users to their home directory will minimize the risk of sharing information.

Ensure AppArmor is enabled in the bootloader configuration

grub2_enable_apparmor

Description

Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment, enact equivalent settings.

Rationale

AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.

Ensure AppArmor is installed

package_apparmor_installed

Description

AppArmor provide Mandatory Access Controls.

Rationale

Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available.

Install the pam_apparmor Package

package_pam_apparmor_installed

Description

The pam_apparmor package can be installed with the following command:

$ sudo yum install pam_apparmor

Rationale

Protection of system integrity using AppArmor depends on this package being installed.