5.1 Verify AppArmor


AppArmor is an effective and easy-to-use Linux application security system. It is available
by default on several Linux distributions, such as Debian and Ubuntu.

AppArmor protects the Linux OS and applications from various threats by enforcing a
security policy, also known as an AppArmor profile. You should create an AppArmor
profile for your containers. This enforces on each container the restrictions
defined in the profile.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


If AppArmor is applicable for your Linux OS, use it. You may have to follow below set of

1. Verify that AppArmor is installed. If not, install it.
2. Create or import an AppArmor profile for Docker containers.
3. Put this profile in enforce mode.
4. Start your Docker container with that AppArmor profile. For example: docker run -i -t --security-opt apparmor=PROFILENAME centos /bin/bash
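
The following is an added example, not part of the CIS text or the Nessus output: a POSIX sh script that audits steps 1, 3 and 4 above. It reads the kernel's /sys/module/apparmor/parameters/enabled flag, parses aa-status output for the "profiles are in enforce mode" section, and checks the .AppArmorProfile field that docker inspect reports for each running container. apparmor_parser, aa-enforce, aa-status and the docker flags used are real commands; the aa-status and docker inspect output the script is exercised against is constructed sample data, and docker-hardened and docker-dev are hypothetical profile names.

```shell
#!/bin/sh
# Added example: pre-flight checks for the four steps above, as POSIX sh
# functions. Not part of the CIS text or the Nessus output. The aa-status and
# docker inspect samples at the bottom are constructed; docker-hardened and
# docker-dev are hypothetical profile names.

# Step 1: is AppArmor built into the running kernel and enabled? The optional
# path argument exists so the check can be pointed at a fixture file.
apparmor_enabled() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Step 3: is PROFILE listed under "profiles are in enforce mode" in the
# aa-status output read from stdin? Profile names are indented under that
# header; the next "N ..." count line ends the section.
profile_enforced() {
    awk -v p="$1" '
        /^[0-9]+ profiles are in enforce mode/ { sec = 1; next }
        /^[0-9]+ /                              { sec = 0; next }
        sec && $1 == p                          { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Step 4: given "name<TAB>profile" lines (live_audit shows how to produce
# them with docker inspect), print the containers that run with no profile
# or with the explicit "unconfined" profile.
unconfined_containers() {
    awk -F '\t' '$2 == "" || $2 == "unconfined" { print $1 }'
}

# Live audit against the host; only runs when AUDIT_LIVE=1 so that the
# functions above can be exercised offline with the samples below.
live_audit() {
    profile="${1:-docker-default}"
    apparmor_enabled || { echo "AppArmor is not enabled in this kernel"; return 1; }
    # Steps 2 and 3 for a newly written profile would be:
    #   apparmor_parser -r -W /etc/apparmor.d/PROFILENAME   (load or replace it)
    #   aa-enforce PROFILENAME                              (put it in enforce mode)
    aa-status | profile_enforced "$profile" \
        || { echo "profile $profile is not in enforce mode"; return 1; }
    for id in $(docker ps -q); do
        docker inspect --format '{{.Name}}{{"\t"}}{{.AppArmorProfile}}' "$id"
    done | unconfined_containers
}

# Constructed sample of aa-status output (not captured from a real host).
sample_aa_status() {
    cat <<'EOF'
apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/cupsd
   docker-default
   docker-hardened
1 profiles are in complain mode.
   docker-dev
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (412)
   docker-default (2731)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

# Constructed sample of the name/profile lines live_audit feeds to
# unconfined_containers: one confined, one with no profile, one unconfined.
sample_inspect() {
    printf '/web\tdocker-hardened\n/db\t\n/debug\tunconfined\n'
}

if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    live_audit "$@"
else
    sample_aa_status | profile_enforced docker-hardened && echo "docker-hardened: enforced"
    sample_aa_status | profile_enforced docker-dev || echo "docker-dev: not enforced"
    echo "containers without an enforced profile:"
    sample_inspect | unconfined_containers
fi
```

Run it with AUDIT_LIVE=1 PROFILENAME as root on the Docker host to audit the real system; without that variable it only exercises the parsers against the constructed samples. A profile that shows up in complain mode (docker-dev in the sample) logs violations but does not block them, which is why the check insists on the enforce section rather than on the profile merely being loaded.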

Impact

The container (process) will be subject to the set of restrictions defined in the AppArmor profile. If the profile is mis-configured, the container may not work entirely as expected.

Default Value

The benchmark text states that by default no AppArmor profile is applied to containers. In practice, on hosts where AppArmor is enabled, current Docker releases automatically apply their built-in docker-default profile to any container started without --security-opt apparmor=...; only a container started with --security-opt apparmor=unconfined runs with no profile at all. The point of this item is that the intended profile, not merely the generic default, is applied.


Item Details


References: 800-53|AC-3(3)

Plugin: Unix

Control ID: 2701488368b16f36f6abeea8ee8a7fecc54f5cccf75ceb1dacb9ad7ef12c46f3