4.5 Activate AppArmor - GRUB_CMDLINE_LINUX - 0 profiles are in complain mode

Information

AppArmor provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. For an action to occur, both the traditional DAC permissions and the AppArmor MAC rules must permit it; if either model denies the action, it is not allowed. In this way, AppArmor rules can only make a system's permissions more restrictive, never more permissive. Profiles in complain mode only log violations rather than blocking them, so a profile left in complain mode provides no enforcement.

Solution

Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package):

# apt-get install apparmor apparmor-profiles apparmor-utils

Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub. If the variable already carries other kernel parameters, append these two rather than replacing the existing value:

GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"

Update the grub configuration (a reboot is required for the new kernel parameters to take effect):

# update-grub

Set all profiles to enforce mode:

# aa-enforce /etc/apparmor.d/*

The glob also matches the abstractions, tunables, local and disable subdirectories, which contain no loadable profiles; errors reported for those paths can be ignored. Any unconfined processes may need to have a profile created or activated for them and then be restarted. Verify with aa-status that no profile remains in complain mode.
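The following is an added example and not part of the CIS benchmark text or Tenable's audit plugin: a POSIX sh script that implements the two checks this item implies, namely that GRUB_CMDLINE_LINUX in /etc/default/grub carries both parameters and that aa-status reports 0 profiles in complain mode. The functions take their input as text so they can be exercised offline on the constructed samples embedded below; the audit_live wrapper feeds them the real files and is the assumed way to use them on a host. The sample grub and aa-status contents are constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example (not the CIS item's or Tenable's code). Each check reads its
# input from "$1" so it can be run on constructed text or on live output.

# Return 0 when the last GRUB_CMDLINE_LINUX assignment in the given
# /etc/default/grub text contains both apparmor=1 and security=apparmor.
# Only GRUB_CMDLINE_LINUX is inspected, as the item title specifies; the
# same tokens in GRUB_CMDLINE_LINUX_DEFAULT are deliberately not counted.
grub_cmdline_has_apparmor() {
    cmdline=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX=\(.*\)$/\1/p' \
        | tail -n 1 \
        | tr -d "\"'")
    has_apparmor=0
    has_security=0
    # Word-split the kernel command line and match whole tokens only, so
    # near misses such as apparmor=10 or security=apparmor2 do not pass.
    for tok in $cmdline; do
        case $tok in
            apparmor=1) has_apparmor=1 ;;
            security=apparmor) has_security=1 ;;
        esac
    done
    [ "$has_apparmor" -eq 1 ] && [ "$has_security" -eq 1 ]
}

# Print the profile count from the "N profiles are in complain mode." line
# of aa-status output (the figure this item requires to be 0). Prints -1
# when that line is absent (e.g. the module is not loaded) so a caller can
# distinguish "unknown" from "zero".
complain_profile_count() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/^\([0-9][0-9]*\) profiles are in complain mode\.*$/\1/p' \
        | head -n 1)
    if [ -z "$n" ]; then echo -1; else echo "$n"; fi
}

# Return 0 only when both conditions of the control hold.
audit_apparmor() {
    grub_cmdline_has_apparmor "$1" || return 1
    [ "$(complain_profile_count "$2")" -eq 0 ]
}

# Run the checks against the local host (assumed usage; needs root for a
# complete aa-status listing). Returns 2 when the inputs are unavailable.
audit_live() {
    [ -r /etc/default/grub ] || { echo "SKIP: /etc/default/grub not readable"; return 2; }
    command -v aa-status >/dev/null 2>&1 || { echo "SKIP: aa-status not installed"; return 2; }
    if audit_apparmor "$(cat /etc/default/grub)" "$(aa-status 2>/dev/null)"; then
        echo "PASS: apparmor=1 security=apparmor set and 0 profiles in complain mode"
    else
        echo "FAIL: boot parameters missing or profiles still in complain mode"
        return 1
    fi
}

# Constructed samples (not captured from a real host).
GRUB_PASS='GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="audit=1 apparmor=1 security=apparmor"'
# Parameters placed in the wrong variable, and an empty GRUB_CMDLINE_LINUX.
GRUB_FAIL='GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet apparmor=1 security=apparmor"
GRUB_CMDLINE_LINUX=""'
STATUS_PASS='apparmor module is loaded.
34 profiles are loaded.
34 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/tcpdump
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/cupsd (812)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'
STATUS_FAIL='apparmor module is loaded.
34 profiles are loaded.
33 profiles are in enforce mode.
   /usr/bin/man
1 profiles are in complain mode.
   /usr/sbin/dnsmasq
3 processes have profiles defined.
3 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Demonstrate on the constructed samples.
if audit_apparmor "$GRUB_PASS" "$STATUS_PASS"; then echo "sample 1: pass"; fi
if ! audit_apparmor "$GRUB_FAIL" "$STATUS_FAIL"; then echo "sample 2: fail (expected)"; fi
```

On a real host, source the file and call audit_live, or run it after the aa-enforce step above to confirm the complain count has dropped to 0. Note that the GRUB check inspects the configured /etc/default/grub, not the running kernel's command line; until update-grub has been run and the host rebooted, the running kernel may still lack the parameters even though the file passes.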

See Also

https://workbench.cisecurity.org/files/85

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3(3)

Plugin: Unix

Control ID: ae53c595033da9e8caf685af037e7426f36c484fd5b2e6b070113d127be34716