1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode

Audit

Run the following command and verify that profiles are loaded, and are in either enforce or complain mode:

# apparmor_status | grep profiles

Review output and ensure that profiles are loaded, and in either enforce or complain mode:

37 profiles are loaded.
35 profiles are in enforce mode.
2 profiles are in complain mode.
4 processes have profiles defined.

Run the following command and verify that no processes are unconfined:

# apparmor_status | grep processes

Review the output and ensure no processes are unconfined:

4 processes have profiles defined.
4 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
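The two audit checks above, scripted against a constructed copy of the `apparmor_status` summary lines. This is an added example, not part of the benchmark: it generalises the audit slightly by also verifying that the enforce and complain counts add up to the loaded count, so a profile in any other mode fails the check. The sample output and the `audit_live` helper are assumptions, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of the apparmor_status summary lines (passing case).
SAMPLE_OK='apparmor module is loaded.
37 profiles are loaded.
35 profiles are in enforce mode.
2 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Constructed failing case: one profile in neither mode, one unconfined process.
SAMPLE_BAD='apparmor module is loaded.
5 profiles are loaded.
3 profiles are in enforce mode.
1 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.'

# check_apparmor STATUS_TEXT
# Returns 0 when profiles are loaded, every profile is in enforce or complain
# mode, and no process with a profile is unconfined; returns 1 otherwise.
check_apparmor() {
    status="$1"
    # Leading count from each summary line; absent line (module not loaded) -> 0.
    loaded=$(printf '%s\n' "$status" | awk '/profiles are loaded/ {print $1; exit}')
    enforce=$(printf '%s\n' "$status" | awk '/profiles are in enforce mode/ {print $1; exit}')
    complain=$(printf '%s\n' "$status" | awk '/profiles are in complain mode/ {print $1; exit}')
    unconfined=$(printf '%s\n' "$status" | awk '/processes are unconfined/ {print $1; exit}')
    loaded=${loaded:-0}; enforce=${enforce:-0}; complain=${complain:-0}; unconfined=${unconfined:-0}

    rc=0
    if [ "$loaded" -eq 0 ]; then
        echo "FAIL: no AppArmor profiles are loaded"; rc=1
    elif [ $((enforce + complain)) -ne "$loaded" ]; then
        echo "FAIL: $((loaded - enforce - complain)) of $loaded profiles are in neither enforce nor complain mode"; rc=1
    fi
    if [ "$unconfined" -ne 0 ]; then
        echo "FAIL: $unconfined process(es) unconfined despite having a profile defined"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $loaded profiles loaded ($enforce enforce, $complain complain), no unconfined processes"
    return "$rc"
}

# Hypothetical helper for the live check: feeds the real apparmor_status output to check_apparmor.
audit_live() { check_apparmor "$(apparmor_status 2>/dev/null)"; }
```

Call `audit_live` as root on the host being audited, since `apparmor_status` normally needs root to read the profile set and process states.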

Remediation

Run the following command to set all profiles to enforce mode:

# aa-enforce /etc/apparmor.d/*

OR

Run the following command to set all profiles to complain mode:

# aa-complain /etc/apparmor.d/*

Note: Any unconfined processes may need to have a profile created or activated for them and then be restarted.