Activate AppArmor – ‘0 processes unconfined’

Details

AppArmor provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model.

*Rationale*

For an action to occur, both the traditional DAC permissions and the AppArmor MAC rules must be satisfied. The action will not be allowed if either one of these models does not permit it. In this way, AppArmor rules can only make a system’s permissions more restrictive and secure.

Solution

Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package):

    # apt-get install apparmor apparmor-utils

Remove apparmor=0 from all kernels in /boot/grub/menu.lst:

    kernel /boot/vmlinuz-3.0.80-0.7-ec2 root=/dev/sda1 xencons=xvc0 console=xvc0 splash=silent showopts

Set all profiles to enforce mode:

    # aa-enforce /etc/apparmor.d/*

Any unconfined processes may need to have a profile created or activated for them and then be restarted.
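
To confirm the result of the steps above, the following added audit sketch (not part of the benchmark text or the original page) checks `apparmor_status` output for loaded profiles, no complain-mode profiles and 0 unconfined processes, and scans a GRUB menu.lst for kernel lines that still carry `apparmor=0`. It assumes the usual text layout of `apparmor_status`; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added audit sketch. Functions read text on stdin so they can be run offline.

# Print the leading count from the first line containing the fixed string $1.
count_for() {
    awk -v pat="$1" 'index($0, pat) { print $1; found = 1; exit }
                     END { if (!found) print "missing" }'
}

# stdin: apparmor_status output. Prints one FAIL line per finding; 0 = compliant.
check_status() {
    status=$(cat); rc=0
    loaded=$(printf '%s\n' "$status" | count_for "profiles are loaded")
    complain=$(printf '%s\n' "$status" | count_for "profiles are in complain mode")
    unconfined=$(printf '%s\n' "$status" | count_for "processes are unconfined")
    case "$loaded" in missing|0) echo "FAIL: no profiles loaded"; rc=1 ;; esac
    [ "$complain" = "0" ] || { echo "FAIL: $complain profiles in complain mode"; rc=1; }
    [ "$unconfined" = "0" ] || { echo "FAIL: $unconfined processes unconfined"; rc=1; }
    return $rc
}

# stdin: /boot/grub/menu.lst. Flags active kernel lines that carry apparmor=0.
check_grub() {
    awk '$1 == "kernel" { for (i = 2; i <= NF; i++)
             if ($i == "apparmor=0") { print "FAIL: " $0; bad = 1 } }
         END { exit bad + 0 }'
}

# Constructed sample outputs (not captured from a real host).
sample_good() { cat <<'EOF'
apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (812)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}
sample_bad() { sample_good | sed -e 's/^0 profiles are in complain/1 profiles are in complain/' \
                                 -e 's/^0 processes are unconfined/1 processes are unconfined/'; }

# Demo on constructed input; on a real host: apparmor_status | check_status
sample_bad | check_status || echo "result: non-compliant"
```

On a live system, run `apparmor_status | check_status` and `check_grub < /boot/grub/menu.lst` as root; a non-zero exit status from either means the control is not yet met.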

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.

Updated on July 16, 2022