All AppArmor Profiles are in enforce or complain mode

Classification:

compliance

Framework:

Control:

Description

AppArmor profiles define what resources applications are able to access. Every profile present on the system should be loaded in either enforce or complain mode. To set all profiles to enforce mode, run the following command:

$ sudo aa-enforce /etc/apparmor.d/*

To set all profiles to complain mode, run the following command:

$ sudo aa-complain /etc/apparmor.d/*

To list unconfined processes run the following command:

$ sudo apparmor_status | grep processes

Any unconfined processes may need to have a profile created or activated for them and then be restarted.
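The check above greps a single summary line out of apparmor_status. As an added example (not part of this rule's own text or remediation), the following POSIX shell parses the sections of aa-status output, counts the processes that run unconfined despite having a profile defined, and lists them so they can be restarted once their profile is loaded. The aa-status text is a constructed sample and the function names are the example's own.

```shell
# Constructed sample of `aa-status` output (assumed to follow the layout
# apparmor-utils prints: a counted summary line, then one indented entry per
# profile or process). Not captured from a real host.
SAMPLE_STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
   nvidia_modprobe
1 profiles are in complain mode.
   /usr/sbin/rsyslogd
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (812)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/rsyslogd (901)'

# Print the indented entries listed under the summary line containing $2.
# $1 is the aa-status text; the section ends at the next counted summary line.
status_section() {
    printf '%s\n' "$1" | awk -v key="$2" '
        index($0, key) { inblock = 1; next }
        inblock && /^[0-9]+ / { inblock = 0 }
        inblock && NF > 0 { sub(/^[ \t]+/, ""); print }
    '
}

# Return the count from the "processes are unconfined" summary line (0 if absent).
unconfined_count() {
    printf '%s\n' "$1" | awk '
        /processes are unconfined/ { print $1; found = 1 }
        END { if (!found) print 0 }
    '
}

# Audit check: succeeds only when no process with a defined profile is
# running unconfined, i.e. the condition the rule warns about.
audit_unconfined() {
    [ "$(unconfined_count "$1")" -eq 0 ]
}

# Stand-alone run against the constructed sample: report what the rule flags.
if ! audit_unconfined "$SAMPLE_STATUS"; then
    echo "Unconfined processes with a profile defined (restart after loading the profile):"
    status_section "$SAMPLE_STATUS" "processes are unconfined"
fi
```

On a real host, replace the sample with the live output, for example `audit_unconfined "$(sudo aa-status)"`.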

Rationale

Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_apparmor_mode='complain'


# make sure apparmor-utils is installed for aa-complain and aa-enforce
DEBIAN_FRONTEND=noninteractive apt-get install -y "apparmor-utils"

# Reload all AppArmor profiles
apparmor_parser -q -r /etc/apparmor.d/

# Set the mode
APPARMOR_MODE="$var_apparmor_mode"

if [ "$APPARMOR_MODE" = "enforce" ]
then
 # Set all profiles to enforce mode
 aa-enforce /etc/apparmor.d/*
fi

if [ "$APPARMOR_MODE" = "complain" ]
then
 # Set all profiles to complain mode
 aa-complain /etc/apparmor.d/*
fi


# Count the processes aa-status reports as unconfined despite having a profile defined
UNCONFINED=$(aa-status | grep "processes are unconfined" | awk '{print $1;}')
if [ "${UNCONFINED:-0}" -ne 0 ]
then
 echo "***WARNING***: There are some unconfined processes:"
 echo "----------------------------"
 # aa-status lists the affected processes, indented, directly under that summary line
 aa-status | awk '/processes are unconfined/ {inblock=1; next} inblock && /^[0-9]+ / {inblock=0} inblock && NF {print}'
 echo "----------------------------"
 echo "They may need to have a profile created or activated for them and then be restarted."
fi

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi