Ensure AppArmor is Active and Configured
An XCCDF Rule
Description
Verify that the AppArmor tool is configured to control whitelisted
applications and to enforce access control on user home directories.
The apparmor service can be enabled with the following command:
$ sudo systemctl enable apparmor.service
Rationale
Using a whitelist provides a configuration management method for allowing
the execution of only authorized software. Using only authorized software
decreases risk by limiting the number of potential vulnerabilities.
The organization must identify authorized software programs and permit
execution of authorized software by adding each authorized program to the
"pam_apparmor" exception policy. The process used to identify software
programs that are authorized to execute on organizational information
systems is commonly referred to as whitelisting.
Verification of whitelisted software occurs prior to execution or at system
startup.
Users' home directories/folders may contain information of a sensitive
nature. Nonprivileged users should coordinate any sharing of information
with a System Administrator (SA) through shared resources.
AppArmor can confine users to their home directory, not allowing them to
make any changes outside of their own home directories. Confining users to
their home directory will minimize the risk of inadvertently sharing information.
- ID: xccdf_org.ssgproject.content_rule_apparmor_configured
- Severity: Medium
- References
- Updated
Remediation - OS Build Blueprint
[customizations.services]
enabled = ["apparmor"]
Remediation - Ansible
- name: Start apparmor.service
  systemd:
    name: apparmor.service
    state: started
    enabled: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
Remediation - Puppet
include enable_apparmor
class enable_apparmor {
  service {'apparmor':
    enable => true,
    ensure => 'running',
  }
}
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
  # Enable apparmor
  /usr/bin/systemctl enable "apparmor"
  /usr/bin/systemctl start "apparmor"
fi
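The remediations above only switch the unit on; they do not tell you whether the rule is actually met. The following audit helper is an added example, not the rule's own OVAL check or any SSG code: it evaluates the three facts the rule title covers (kernel LSM enabled, unit enabled and active, loaded profiles all in enforce mode) and takes every input as an argument so it can be run against constructed data.

```shell
#!/bin/sh
# Added audit helper for the apparmor_configured rule (example code, not
# from SCAP Security Guide). Each function takes its input explicitly so
# the verdict logic can be exercised offline against constructed files.

# Kernel LSM state: /sys/module/apparmor/parameters/enabled holds "Y"
# when AppArmor is active in the running kernel.
apparmor_kernel_enabled() {
  [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# Unit state: pass the output of `systemctl is-enabled` and `is-active`.
apparmor_unit_ok() {
  [ "$1" = "enabled" ] && [ "$2" = "active" ]
}

# Profile state: /sys/kernel/security/apparmor/profiles lists one
# "<name> (<mode>)" per line. Prints "<loaded> <enforce> <complain>";
# other modes (e.g. unconfined) count as loaded only.
apparmor_profile_counts() {
  awk '
    /\(enforce\)$/  { enforce++ }
    /\(complain\)$/ { complain++ }
    NF              { loaded++ }
    END { printf "%d %d %d\n", loaded, enforce, complain }
  ' "$1"
}

# Overall verdict: 0 = compliant, 1 = not. A profile left in complain mode
# only logs violations, it does not confine, so it fails "configured".
apparmor_audit() {
  enabled_file=$1; is_enabled=$2; is_active=$3; profiles_file=$4
  apparmor_kernel_enabled "$enabled_file" || return 1
  apparmor_unit_ok "$is_enabled" "$is_active" || return 1
  set -- $(apparmor_profile_counts "$profiles_file")
  [ "$1" -gt 0 ] && [ "$3" -eq 0 ]
}

# Constructed sample data (not captured from a real host): two profiles
# enforcing, one still in complain mode, so the audit should fail.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf 'Y\n' > "$sample_dir/enabled"
cat > "$sample_dir/profiles" <<'EOF'
/usr/sbin/cupsd (enforce)
/usr/bin/man (enforce)
/usr/sbin/sshd (complain)
EOF
# On a live host, substitute /sys/module/apparmor/parameters/enabled,
# "$(systemctl is-enabled apparmor.service)", "$(systemctl is-active
# apparmor.service)" and /sys/kernel/security/apparmor/profiles.
```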