AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command:
$ sudo aa-enforce /etc/apparmor.d/*
To list unconfined processes run the following command:
$ sudo aa-unconfined
Any unconfined processes may need to have a profile created or activated for them and then be restarted.
Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.
AppArmor profiles define what resources applications are able to access. Every profile should be in either enforce or complain mode. To set all profiles to enforce mode run the following command:
$ sudo aa-enforce /etc/apparmor.d/*
To set all profiles to complain mode run the following command:
$ sudo aa-complain /etc/apparmor.d/*
To list unconfined processes run the following command:
$ sudo aa-unconfined
Any unconfined processes may need to have a profile created or activated for them and then be restarted.
Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.
Verify that the AppArmor tool is configured to control whitelisted applications and user home directory access.
The apparmor service can be enabled with the following command:
$ sudo systemctl enable apparmor.service
Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of whitelisted software occurs prior to execution or at system startup.
Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources. AppArmor can confine users to their home directory, not allowing them to make any changes outside of their own home directories. Confining users to their home directory will minimize the risk of sharing information.
Configure AppArmor to be enabled at boot time and verify that it has not been overridden by the bootloader boot parameters. Note: This recommendation is designed around the grub bootloader; if LILO or another bootloader is in use in your environment, enact equivalent settings.
AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.
AppArmor provides Mandatory Access Controls. Without a Mandatory Access Control system installed, only the default Discretionary Access Control system will be available.
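An added example, not part of this guide, that audits the two controls above from data only so it runs offline: it lists profiles that are not in enforce mode, using the "<name> (<mode>)" listing format of /sys/kernel/security/apparmor/profiles, and checks whether a kernel command line carries the standard apparmor=1 and security=apparmor parameters (the parameter names are the kernel's and are not quoted on this page). The profile listing and command lines below are constructed samples.

```shell
#!/bin/sh
# Added example: audit AppArmor profile modes and boot parameters offline.
# Constructed sample in the format of /sys/kernel/security/apparmor/profiles.
SAMPLE_PROFILES='/usr/sbin/cupsd (complain)
/usr/sbin/tcpdump (enforce)
/usr/bin/man (complain)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)'

# Read a profile listing on stdin and print "<name><TAB><mode>" for every
# profile not in enforce mode (complain, or unconfined on newer kernels).
non_enforcing_profiles() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        mode=${line##*\(}          # text after the last "("
        mode=${mode%\)}            # drop the closing ")"
        name=${line% \(*}          # everything before " (<mode>)"
        [ "$mode" = enforce ] || printf '%s\t%s\n' "$name" "$mode"
    done
}

# Succeed only if the kernel command line ($1) carries both parameters that
# keep the bootloader from leaving AppArmor disabled: apparmor=1 and
# security=apparmor. Padding with spaces makes whole-token matching exact.
apparmor_boot_params_ok() {
    case " $1 " in
        *" apparmor=1 "*) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" security=apparmor "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on the constructed data. On a live host, feed the real
# listing with: non_enforcing_profiles < /sys/kernel/security/apparmor/profiles
# and check the real boot line with: apparmor_boot_params_ok "$(cat /proc/cmdline)"
echo "Profiles not in enforce mode:"
printf '%s\n' "$SAMPLE_PROFILES" | non_enforcing_profiles
if apparmor_boot_params_ok "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"; then
    echo "boot parameters: ok"
else
    echo "boot parameters: apparmor=1 security=apparmor missing"
fi
```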
The pam_apparmor package can be installed with the following command:
$ sudo yum install pam_apparmor
Protection of system integrity using AppArmor depends on this package being installed.