sandevistan-server-hardening / CIS_Ubuntu_22.04_LTS_Benchmark_v1.0.0

Audit script based on CIS Ubuntu 22.04 LTS Benchmark v1.0.0
MIT License

1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode #39

Open scfast opened 1 year ago

scfast commented 1 year ago

Profile Applicability: Level 1 - Server, Level 1 - Workstation

Description: AppArmor profiles define what resources applications are able to access.

Rationale: Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any policies that exist on the system are activated.

Audit: Run the following command and verify that profiles are loaded, and are in either enforce or complain mode:

# apparmor_status | grep profiles

Review output and ensure that profiles are loaded, and in either enforce or complain mode:

37 profiles are loaded.
35 profiles are in enforce mode.
2 profiles are in complain mode.
4 processes have profiles defined.

Run the following command and verify no processes are unconfined:

# apparmor_status | grep processes

Review the output and ensure no processes are unconfined:

4 processes have profiles defined.
4 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
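
Added example, not part of the issue or the repository's audit script: one way to turn both audit steps above into a pass/fail check that parses `apparmor_status` output from stdin. The function names (`count_of`, `audit_apparmor_status`, `sample_ok`, `sample_bad`) are hypothetical, the sample reports are constructed, and the check assumes that "all profiles in enforce or complain mode" means the two counts sum to the loaded count.

```shell
#!/bin/sh
# Added example (not the repository's script): evaluate apparmor_status text
# against both audit steps of CIS 1.6.1.3. The report is read from stdin.

# Print the leading count of the first line matching $1; nothing if absent.
count_of() {
    printf '%s\n' "$report" | awk -v pat="$1" '$0 ~ pat { print $1 + 0; exit }'
}

audit_apparmor_status() {
    report=$(cat)
    loaded=$(count_of 'profiles are loaded')
    enforce=$(count_of 'profiles are in enforce mode')
    complain=$(count_of 'profiles are in complain mode')
    unconfined=$(count_of 'processes are unconfined')
    # Fail closed when an expected line is missing (e.g. insufficient privilege).
    for v in "$loaded" "$enforce" "$complain" "$unconfined"; do
        [ -n "$v" ] || { echo "FAIL: unexpected apparmor_status output"; return 1; }
    done
    rc=0
    other=$((loaded - enforce - complain))  # assumption: any remainder is another mode
    if [ "$loaded" -eq 0 ]; then echo "FAIL: no profiles are loaded"; rc=1; fi
    if [ "$other" -ne 0 ]; then echo "FAIL: $other profile(s) not in enforce or complain mode"; rc=1; fi
    if [ "$unconfined" -ne 0 ]; then echo "FAIL: $unconfined process(es) unconfined but have a profile defined"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "PASS: $loaded loaded, $enforce enforce, $complain complain"; fi
    return "$rc"
}

# Constructed sample: the compliant output quoted in the issue.
sample_ok() {
    cat <<'EOF'
37 profiles are loaded.
35 profiles are in enforce mode.
2 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

# Constructed failing sample: one profile in another mode, one unconfined process.
sample_bad() {
    sample_ok | sed -e 's/^35 profiles/34 profiles/' -e 's/^0 processes are unconfined/1 processes are unconfined/'
}

# On a live host, as root: apparmor_status | audit_apparmor_status
```

The function returns non-zero on any finding, so it can gate a larger audit run; a report with none of the expected count lines is treated as a failure rather than a pass.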