Ensure AppArmor is enabled in the bootloader configuration

Classification:

compliance

Description

Configure AppArmor to be enabled at boot time and verify that it is not overridden by the kernel boot parameters the bootloader passes (for example an apparmor=0 or a security= parameter that selects a different LSM).

Note: This recommendation is designed around the GRUB bootloader; if LILO or another bootloader is in use in your environment, apply equivalent settings there.

Rationale

AppArmor must be enabled at boot time in your bootloader configuration so that the confinement it provides cannot be switched off or displaced by a stray kernel boot parameter. Setting apparmor=1 enables the AppArmor LSM and security=apparmor selects it as the active major LSM; both must survive in the generated bootloader configuration, not only in the defaults file.
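The remediation below edits /etc/default/grub, but what the kernel actually receives is the generated grub.cfg, which can also be shaped by snippets under /etc/grub.d/ or left stale if update-grub is never run. The following audit helper is an added example written for this page, not the benchmark's own check and not the remediation script; it assumes a POSIX awk and kernel entries that begin with linux, linux16 or linuxefi, and the sample grub.cfg entries it creates are constructed, not taken from a real host.

```shell
#!/bin/sh
# Audit helper added for this page (not the benchmark's own check and not the
# remediation script). It inspects the generated grub.cfg, i.e. what GRUB
# actually passes to the kernel, so an override coming from /etc/grub.d/ or a
# forgotten update-grub is caught as well as a bad /etc/default/grub.
# Assumes a POSIX awk and kernel entries that start with linux, linux16 or linuxefi.

# check_grub_cfg FILE
#   Prints every kernel boot line in FILE whose effective parameters do not
#   include both apparmor=1 and security=apparmor, and returns 1 if any were
#   found or if FILE contains no kernel entries at all. Returns 0 otherwise.
check_grub_cfg() {
    awk '
        /^[[:space:]]*linux(16|efi)?[[:space:]]/ {
            seen++
            enabled = 0; lsm = 0
            # $1 is the linux keyword and $2 the kernel image; the rest are
            # boot parameters. The kernel handles repeated parameters in
            # order, so the last occurrence is the effective one.
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^apparmor=/) enabled = ($i == "apparmor=1")
                if ($i ~ /^security=/) lsm     = ($i == "security=apparmor")
            }
            if (!enabled || !lsm) { bad++; print "non-compliant: " $0 }
        }
        END {
            if (seen == 0) { print "no kernel entries found"; exit 1 }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample entries (not from a real host) showing the check in action.
demo=$(mktemp -d)
cat > "$demo/good.cfg" <<'EOF'
menuentry 'Ubuntu' {
    linux   /boot/vmlinuz-5.15.0-91-generic root=UUID=0000 ro quiet splash apparmor=1 security=apparmor
    initrd  /boot/initrd.img-5.15.0-91-generic
}
EOF
cat > "$demo/bad.cfg" <<'EOF'
menuentry 'Ubuntu' {
    linux   /boot/vmlinuz-5.15.0-91-generic root=UUID=0000 ro quiet splash apparmor=1 security=apparmor
    initrd  /boot/initrd.img-5.15.0-91-generic
}
menuentry 'Ubuntu (recovery mode)' {
    linux   /boot/vmlinuz-5.15.0-91-generic root=UUID=0000 ro recovery nomodeset apparmor=1 apparmor=0 security=apparmor
    initrd  /boot/initrd.img-5.15.0-91-generic
}
EOF
check_grub_cfg "$demo/good.cfg" && echo "good.cfg: every entry boots with AppArmor enabled"
check_grub_cfg "$demo/bad.cfg"  || echo "bad.cfg: at least one entry overrides AppArmor"
rm -rf "$demo"
```

On a host, run check_grub_cfg /boot/grub/grub.cfg after update-grub; each printed line is a menu entry that would boot with AppArmor disabled or with another LSM selected, the recovery entry above being the typical offender because an earlier apparmor=1 is cancelled by a later apparmor=0. For the currently running kernel, /sys/module/apparmor/parameters/enabled reads Y when AppArmor is active and aa-status lists the loaded profiles; neither replaces the bootloader check, since they only describe the entry that was booted last.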

Remediation

Shell script

The following script can be run as root on the host to remediate the issue. It edits GRUB_CMDLINE_LINUX in /etc/default/grub, adding or correcting apparmor=1 and security=apparmor, and then regenerates the GRUB configuration with update-grub so the change applies at the next boot.

# Remediation is applicable only in certain platforms: inside a container
# there is no bootloader to configure, so the script does nothing there
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Ensure apparmor=1 is present in the default kernel command line in GRUB
if grep -q '^GRUB_CMDLINE_LINUX=.*apparmor=.*"' '/etc/default/grub' ; then
 # modify the GRUB command line if an apparmor= arg already exists (e.g. apparmor=0)
 sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)apparmor=[^[:space:]]\+\(.*\"\)/\1apparmor=1\2/" '/etc/default/grub'
else
 # no apparmor= arg is present, append it inside the quotes
 sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 apparmor=1\"/" '/etc/default/grub'
fi
# Ensure security=apparmor is present so AppArmor is the selected major LSM
if grep -q '^GRUB_CMDLINE_LINUX=.*security=.*"' '/etc/default/grub' ; then
 # modify the GRUB command line if a security= arg already exists (e.g. security=selinux)
 sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)security=[^[:space:]]\+\(.*\"\)/\1security=apparmor\2/" '/etc/default/grub'
else
 # no security= arg is present, append it inside the quotes
 sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 security=apparmor\"/" '/etc/default/grub'
fi

# Regenerate /boot/grub/grub.cfg; without this step the edit above has no
# effect on what the kernel receives at boot
update-grub

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi