Apparmor as alternative to SELinux in auditd (#177)

Signed-off-by: Michée lengronne <[email protected]> Signed-off-by: Tim Smith <[email protected]> Co-authored-by: Tim Smith <[email protected]>
mondoohq · Mar 21, 2023 · b7d2f01 · b7d2f01
1 parent 4e6ccb7
commit b7d2f01
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/core/mondoo-linux-security.mql.yaml b/core/mondoo-linux-security.mql.yaml
@@ -1430,14 +1430,22 @@ queries:
 
         Example: `vi /etc/audit/rules.d/50-MAC_policy.rules`
 
-        Add the following lines:
+        Add the following lines, for SELinux:
 
         ```
         -w /etc/selinux/ -p wa -k MAC-policy
 
         -w /usr/share/selinux/ -p wa -k MAC-policy
         ```
 
+        Add the following lines, for AppArmor:
+
+        ```
+        -w /etc/apparmor/ -p wa -k MAC-policy
+
+        -w /etc/apparmor.d/ -p wa -k MAC-policy
+        ```
+
         To load the newly added rules into the running configuration:
 
         ```
@@ -1455,7 +1463,9 @@ queries:
       file('/etc/audit/audit.rules').exists
       if (file('/etc/audit/audit.rules').exists) {
         file('/etc/audit/audit.rules').content.lines.contains(/^(\s+)?\-w\s+\/etc\/selinux\s+\-p\s+\wa\s+\-k\s+MAC\-policy(\s+)?$/)
+          || file('/etc/audit/audit.rules').content.lines.contains(/^(\s+)?\-w\s+\/etc\/apparmor\s+\-p\s+\wa\s+\-k\s+MAC\-policy(\s+)?$/)
         file('/etc/audit/audit.rules').content.lines.contains(/^(\s+)?\-w\s+\/usr\/share\/selinux\s+\-p\s+\wa\s+\-k\s+MAC\-policy(\s+)?$/)
+          || file('/etc/audit/audit.rules').content.lines.contains(/^(\s+)?\-w\s+\/etc\/apparmor.d\s+\-p\s+\wa\s+\-k\s+MAC\-policy(\s+)?$/)
       }
   - uid: mondoo-linux-security-events-that-modify-the-systems-network-environment-are-collected
     title: Ensure events that modify the system's network environment are collected