====== 1.6.2.2 Ensure all AppArmor Profiles are enforcing (Scored) ======

===== Profile Applicability =====
<code>
Level 2 - Server
Level 2 - Workstation
</code>

===== Description =====
AppArmor profiles define what resources (files, capabilities, network access) an application is allowed to use. A profile is only effective when it is loaded and in enforce mode.

===== Rationale =====
Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any profiles that exist on the system are actually enforced. A profile in complain mode only logs violations and does not block them, and a process that was started before its profile was loaded (or that has no profile at all) runs unconfined, so neither provides any protection.

===== Audit =====
Run the following command and verify that profiles are loaded, no profiles are in complain mode, and no processes are unconfined:
<code bash>
# apparmor_status
apparmor module is loaded.
17 profiles are loaded.
17 profiles are in enforce mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/PolicyKit/polkit-explicit-grant-helper
   /usr/lib/PolicyKit/polkit-grant-helper
   /usr/lib/PolicyKit/polkit-grant-helper-pam
   /usr/lib/PolicyKit/polkit-read-auth-helper
   /usr/lib/PolicyKit/polkit-resolve-exe-helper
   /usr/lib/PolicyKit/polkit-revoke-helper
   /usr/lib/PolicyKit/polkitd
   /usr/sbin/avahi-daemon
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nscd
   /usr/sbin/ntpd
   /usr/sbin/traceroute
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode :
   /usr/sbin/nscd (3979)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
</code>
The three lines to check are ''N profiles are in complain mode'' (must be 0), ''N processes are unconfined but have a profile defined'' (must be 0) and the first line, which must read ''apparmor module is loaded''. ''apparmor_status'' and the tools below are provided by the ''apparmor-utils'' package on Ubuntu.

===== Remediation =====
Run the following command to set all profiles to enforce mode:
<code bash>
# aa-enforce /etc/apparmor.d/*
</code>
''aa-enforce'' removes the profile's ''force-complain'' marker and reloads it into the kernel. AppArmor applies a profile when a program is executed, so a process that was already running unconfined stays unconfined until it is restarted. Any unconfined processes may need to have a profile created or activated for them and then be restarted; ''aa-unconfined'' lists running processes with open network sockets that have no profile, which is a useful starting point for deciding which of them need one.

Last modified: 2017/05/02 17:20 by Piotr Kłoczewski
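The following script is an added example and is not part of the CIS benchmark text. It turns the manual audit above into a check that can be run from a compliance job: it parses the summary counters that ''apparmor_status'' prints, fails if the module is not loaded, if any profile is in complain mode, or if any process has a profile defined but runs unconfined, and names the offending profiles and processes so the operator knows what to ''aa-enforce'' or restart. The two sample outputs embedded in it are constructed to look like ''apparmor_status'' output on Ubuntu 16.04 and are not captures from a real host; the function names are this example's own.

```shell
#!/bin/sh
# Audit helper for CIS 1.6.2.2 (added example, not benchmark code).
# Usage: sh check_apparmor.sh --live   (runs apparmor_status on this host)
#        sh check_apparmor.sh          (runs the two constructed samples)

# Counter from a summary line, e.g. "0 profiles are in complain mode." -> 0.
# $1: apparmor_status output, $2: text identifying the summary line
count_line() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { print $1; exit }'
}

# Names listed under a summary line, up to the next summary line.
# $1: apparmor_status output, $2: text identifying the summary line
list_after() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        $0 ~ pat          { f = 1; next }      # start of the wanted section
        f && /^[0-9]+ /   { f = 0 }            # next counter line ends it
        f && /^[ \t]*\//  { sub(/^[ \t]+/, ""); print }'
}

# Reads apparmor_status output on stdin. Returns 0 when the benchmark passes,
# 1 otherwise, and reports each failing condition on stderr.
check_apparmor_status() {
    text=$(cat)
    if ! printf '%s\n' "$text" | grep -q '^apparmor module is loaded'; then
        echo "FAIL: apparmor module is not loaded" >&2
        return 1
    fi
    loaded=$(count_line "$text" 'profiles are loaded')
    complain=$(count_line "$text" 'profiles are in complain mode')
    unconfined=$(count_line "$text" 'processes are unconfined but have a profile defined')
    rc=0
    if [ "${loaded:-0}" -eq 0 ]; then
        echo "FAIL: no AppArmor profiles are loaded" >&2
        rc=1
    fi
    if [ "${complain:-0}" -ne 0 ]; then
        echo "FAIL: $complain profile(s) in complain mode (aa-enforce them):" >&2
        list_after "$text" 'profiles are in complain mode' >&2
        rc=1
    fi
    if [ "${unconfined:-0}" -ne 0 ]; then
        echo "FAIL: $unconfined process(es) unconfined but have a profile (restart them):" >&2
        list_after "$text" 'processes are unconfined but have a profile defined' >&2
        rc=1
    fi
    return $rc
}

# Constructed compliant sample: every profile enforced, nothing unconfined.
sample_compliant() {
    cat <<'EOF'
apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (1203)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

# Constructed non-compliant sample: one profile left in complain mode and one
# process started before its profile was loaded, so it runs unconfined.
sample_noncompliant() {
    cat <<'EOF'
apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/ntpd
1 profiles are in complain mode.
   /usr/sbin/tcpdump
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (1203)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /sbin/dhclient (1187)
EOF
}

if [ "${1:-}" = "--live" ]; then
    apparmor_status | check_apparmor_status && echo "PASS: all AppArmor profiles enforcing"
else
    for s in sample_compliant sample_noncompliant; do
        if $s | check_apparmor_status; then echo "$s: PASS"; else echo "$s: FAIL"; fi
    done
fi
```

Run it with ''--live'' as root (''apparmor_status'' needs to read ''/sys/kernel/security/apparmor''); a non-zero exit status means the control fails, and the stderr lines give the exact profile paths to pass to ''aa-enforce'' and the PIDs to restart afterwards.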