{"description": "Verify that the AppArmor tool is configured to\ncontrol whitelisted applications and user home directory access\ncontrol.<br/><br/>\n\nThe <code>apparmor</code> service can be enabled with the following command:\n<pre>$ sudo systemctl enable apparmor.service</pre>", "rationale": "Using a whitelist provides a configuration management method for allowing\nthe execution of only authorized software. Using only authorized software\ndecreases risk by limiting the number of potential vulnerabilities.<br/><br/>\n\nThe organization must identify authorized software programs and permit\nexecution of authorized software by adding each authorized program to the\n\"pam_apparmor\" exception policy. The process used to identify software\nprograms that are authorized to execute on organizational information\nsystems is commonly referred to as whitelisting.<br/><br/>\n\nVerification of whitelisted software occurs prior to execution or at system\nstartup.<br/><br/>\n\nUsers' home directories/folders may contain information of a sensitive\nnature. Nonprivileged users should coordinate any sharing of information\nwith a System Administrator (SA) through shared resources.<br/><br/>\n\nAppArmor can confine users to their home directory, not allowing them to\nmake any changes outside of their own home directories. Confining users to\ntheir home directory will minimize the risk of sharing information.", "severity": "medium", "references": {"nist": ["AC-3(4)", "AC-6(8)", "AC-6(10)", "CM-7(5)(b)", "CM-7(2)", "SC-7(21)", "CM-6(a)"], "srg": ["SRG-OS-000312-GPOS-00122", "SRG-OS-000312-GPOS-00123", "SRG-OS-000312-GPOS-00124", "SRG-OS-000324-GPOS-00125", "SRG-OS-000326-GPOS-00126", "SRG-OS-000370-GPOS-00155", "SRG-OS-000480-GPOS-00230", "SRG-OS-000480-GPOS-00227", "SRG-OS-000480-GPOS-00231", "SRG-OS-000480-GPOS-00232"], "anssi": ["R45"], "stigid": ["UBTU-22-431015"], "stigref": ["SV-260557r958804_rule"]}, "control_references": {"anssi": ["R45"], "stigid": ["UBTU-22-431015"]}, "components": [], "identifiers": {}, "ocil_clause": "it is not", "ocil": "\n\nRun the following command to determine the current status of the\n<code>apparmor</code> service:\n<pre>$ sudo systemctl is-active apparmor</pre>\nIf the service is running, it should return the following: <pre>active</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "apparmor_configured.sh", "relative_path": "ubuntu2204/checks/sce/apparmor_configured.sh"}, "inherited_platforms": ["machine"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["machine"], "bash_conditional": null, "fixes": {}, "title": "Ensure AppArmor is Active and Configured", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/apparmor/apparmor_configured/rule.yml", "template": {"name": "service_enabled", "vars": {"servicename": "apparmor", "packagename": "apparmor"}, "backends": {}}}