Powered by GitBook

Enable pam_apparmor

Description

Configure pam_apparmor to attach profiles based on the user or task level.

Rationale

pam_apparmor can be configured to ensure that only the privileges explicitly granted in the AppArmor configuration files are available to the user or task.

Audit

@test "Verify pam_apparmor" {
  run bash -c "grep 'session.*pam_apparmor.so order=user,group,default' /etc/pam.d/*"
  [ "$status" -eq 0 ]
}

Remediation

shell

if ! grep 'session.*pam_apparmor.so order=user,group,default' /etc/pam.d/*; then
  echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor
fi

References

https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor

results matching ""

No results matching ""