From b7d2f01f9f3cd6a18a210b1568f56d1c1e69edb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20lengronne?=
Date: Tue, 21 Mar 2023 20:26:02 +0100
Subject: [PATCH] Apparmor as alternative to SELinux in auditd (#177)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Michée lengronne
Signed-off-by: Tim Smith
Co-authored-by: Tim Smith
---
 core/mondoo-linux-security.mql.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/core/mondoo-linux-security.mql.yaml b/core/mondoo-linux-security.mql.yaml
index 7a35d30c..a564d8f3 100644
--- a/core/mondoo-linux-security.mql.yaml
+++ b/core/mondoo-linux-security.mql.yaml
@@ -1430,7 +1430,7 @@ queries:
 Example: `vi /etc/audit/rules.d/50-MAC_policy.rules`
- Add the following lines:
+ Add the following lines, for SELinux:
 ```
 -w /etc/selinux/ -p wa -k MAC-policy
@@ -1438,6 +1438,14 @@ queries:
 -w /usr/share/selinux/ -p wa -k MAC-policy
 ```
+ Add the following lines, for AppArmor:
+
+ ```
+ -w /etc/apparmor/ -p wa -k MAC-policy
+
+ -w /etc/apparmor.d/ -p wa -k MAC-policy
+ ```
+
 To load the newly added rules into the running configuration:
 ```
@@ -1455,7 +1463,9 @@ queries:
 file('/etc/audit/audit.rules').exists
 if (file('/etc/audit/audit.rules').exists) {
 file('/etc/audit/audit.rules').content.lines.contains(/^(\s+)?\-w\s+\/etc\/selinux\s+\-p\s+\wa\s+\-k\s+MAC\-policy(\s+)?$/)
+ || file('/etc/audit/audit.rules').content.lines.contains(/^(\s+)?\-w\s+\/etc\/apparmor\s+\-p\s+\wa\s+\-k\s+MAC\-policy(\s+)?$/)
 file('/etc/audit/audit.rules').content.lines.contains(/^(\s+)?\-w\s+\/usr\/share\/selinux\s+\-p\s+\wa\s+\-k\s+MAC\-policy(\s+)?$/)
+ || file('/etc/audit/audit.rules').content.lines.contains(/^(\s+)?\-w\s+\/etc\/apparmor.d\s+\-p\s+\wa\s+\-k\s+MAC\-policy(\s+)?$/)
 }
 - uid: mondoo-linux-security-events-that-modify-the-systems-network-environment-are-collected
 title: Ensure events that modify the system's network environment are collected
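Review bot: The two AppArmor patterns added in the last hunk will not match the remediation text the same commit documents, because the docs say `-w /etc/apparmor/ -p wa -k MAC-policy` (trailing slash) while the regex requires `\/etc\/apparmor\s+`, i.e. no slash before the whitespace; the SELinux patterns carry the same mismatch, but the new lines repeat it rather than fixing it. The `.` in `apparmor.d` is unescaped and `\wa` matches any word character followed by `a` rather than the literal `wa`, so the patterns are looser than intended; tighten them to `/^(\s+)?\-w\s+\/etc\/apparmor\/?\s+\-p\s+wa\s+\-k\s+MAC\-policy(\s+)?$/` and `/^(\s+)?\-w\s+\/etc\/apparmor\.d\/?\s+\-p\s+wa\s+\-k\s+MAC\-policy(\s+)?$/`. The `||` at the start of each continuation line presumably relies on MQL joining it to the preceding expression; if a newline ends the statement there, each `|| …` would be evaluated as a dangling expression on its own, which should be confirmed before merging. Grouping the checks as (both SELinux watches) or (both AppArmor watches) would also avoid passing a host that watches only one directory from each family.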