Ensure AppArmor is not disabled in bootloader configuration

Details

Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.

Solution

Edit /etc/default/grub and remove all instances of apparmor=0 from all CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT=”quiet”GRUB_CMDLINE_LINUX=”” Run the following command to update the grub2 configuration: # update-grub

Supportive Information

The following resource is also helpful.

https://workbench.cisecurity.org/files/1866https://workbench.cisecurity.org/files/1866

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Unix.

References

800-53|SI-7(9)
CSCv6|14.4

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles