1.6.1.4 Ensure all AppArmor Profiles are enforcing

Audit

Run the following commands and verify that profiles are loaded and are not in complain mode:

# apparmor_status | grep profiles

Review output and ensure that profiles are loaded, and in enforce mode:

34 profiles are loaded.
34 profiles are in enforce mode.
0 profiles are in complain mode.
2 processes have profiles defined.

Run the following command and verify that no processes are unconfined:

# apparmor_status | grep processes

Review the output and ensure no processes are unconfined:

2 processes have profiles defined.
2 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
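The two audit steps above combined into one scripted check, added here as an example (it is not part of the CIS benchmark text). The function name, the helper aa_count and the sample status output are all constructed for this example; the function reads apparmor_status output either from its first argument or from stdin, so `apparmor_status | check_aa_enforcing` works on a live host.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): evaluate apparmor_status output
# against 1.6.1.4. Usage: check_aa_enforcing "$(apparmor_status)"  or
#        apparmor_status | check_aa_enforcing
# Returns 0 when every loaded profile is enforcing and no process with a
# defined profile is unconfined; otherwise prints each finding and returns 1.
check_aa_enforcing() {
    if [ $# -gt 0 ]; then aa_out="$1"; else aa_out="$(cat)"; fi
    rc=0
    loaded="$(aa_count "$aa_out" 'profiles are loaded.')"
    enforce="$(aa_count "$aa_out" 'profiles are in enforce mode.')"
    complain="$(aa_count "$aa_out" 'profiles are in complain mode.')"
    unconfined="$(aa_count "$aa_out" 'processes are unconfined but have a profile defined.')"
    if [ "$loaded" -eq 0 ]; then
        echo "FAIL: no AppArmor profiles are loaded"; rc=1
    fi
    if [ "$complain" -ne 0 ]; then
        echo "FAIL: $complain profile(s) in complain mode"; rc=1
    fi
    if [ "$enforce" -ne "$loaded" ]; then
        echo "FAIL: only $enforce of $loaded loaded profiles are enforcing"; rc=1
    fi
    if [ "$unconfined" -ne 0 ]; then
        echo "FAIL: $unconfined process(es) unconfined despite a defined profile"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: all profiles enforcing, no unconfined processes"
    return "$rc"
}

# Leading number of the first status line containing the given phrase
# (the trailing period keeps "profiles are..." distinct from "processes are...").
# Prints 0 when no such line exists, e.g. on older apparmor_status versions.
aa_count() {
    printf '%s\n' "$1" | awk -v p="$2" \
        'index($0, p) && $1 ~ /^[0-9]+$/ { print $1; found = 1; exit }
         END { if (!found) print 0 }'
}

# Constructed sample (not captured from a real host): two profiles still in
# complain mode and one unconfined process, so the check must report FAIL.
SAMPLE_STATUS='34 profiles are loaded.
32 profiles are in enforce mode.
2 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.'

check_aa_enforcing "$SAMPLE_STATUS" || echo "check returned $?"
```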

Remediation

Run the following command to set all profiles to enforce mode:

# aa-enforce /etc/apparmor.d/*

Note: Any unconfined processes may need to have a profile created or activated for them, and then be restarted so the profile is applied.