1.6.2.2 Ensure all AppArmor Profiles are enforcing - 0 processes are unconfined

Information

AppArmor profiles define what resources applications are able to access.

Rationale:

Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.

Solution

Run the following command to set all profiles to enforce mode:

# aa-enforce /etc/apparmor.d/*

Any unconfined processes may need to have a profile created or activated for them and then be restarted.

See Also

https://workbench.cisecurity.org/files/3399

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv6|14.4, CSCv7|14.6

Plugin: Unix

Control ID: 7e4f778c1ff2b06ea2b6c540071c2c33e517c20a2a06eba16f6cf155ce3051da