An error occurred:

Check: RIIM-OS-431015

Riverbed NetIM OS STIG: RIIM-OS-431015 (in version v1 r1)

Title

Ubuntu OS must be configured to use AppArmor. (Cat II impact)

Discussion

Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000324-GPOS-00125

Check Content

Verify Ubuntu OS AppArmor is active by using the following commands: $ systemctl is-enabled apparmor.service enabled $ systemctl is-active apparmor.service active If "apparmor.service" is not enabled and active, this is a finding. Check if AppArmor profiles are loaded and enforced by using the following command: $ sudo apparmor_status | grep -i profile 32 profiles are loaded. 32 profiles are in enforce mode. 0 profiles are in complain mode. 0 profiles are in kill mode. 0 profiles are in unconfined mode. 2 processes have profiles defined. 0 processes are unconfined but have a profile defined. If no profiles are loaded and enforced, this is a finding.

Fix Text

Enable and start "apparmor.service" by using the following command: $ sudo systemctl enable apparmor.service --now Note: AppArmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. See the AppArmor documentation for more information on configuring profiles.

Additional Identifiers

Rule ID: SV-275646r1147988_rule

Vulnerability ID: V-275646

Group Title: SRG-OS-000368-GPOS-00154

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001764

Prevent program execution in accordance with organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions; rules authorizing the terms and conditions of software program usage.
CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
CCI-002235

Prevent non-privileged users from executing privileged functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-6(10)

Prohibit Non-privileged Users from Executing Privileged Functions
CM-7(2)

Prevent Program Execution
CM-7(5)

Authorized Software — Allow-by-exception