Back to catalog

Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled

No violationsstackroxmediumdeploy

AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.

Rationale
AppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. Enabling this feature enforces security policies on containers as defined in the profile.
Remediation
If AppArmor is applicable for your Linux OS, you should enable it. Verify AppArmor is installed, create or import an AppArmor profile for your containers, enable enforcement of the policy, and add the appropriate AppArmor annotations to your deployment.
CategoriesDocker CIS
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.2.11
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2CM-6
PCI DSS 4.0
2.2.1

Generated artifacts

3 of 5 targets supported
docker-cis-5-1-ensure-that-if-applicable-an-apparmor-profile-is.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: docker-cis-5-1-ensure-that-if-applicable-an-apparmor-profile-is
  annotations:
    policies.kyverno.io/title: Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled
    policies.kyverno.io/category: Docker CIS
    policies.kyverno.io/severity: medium
    policies.kyverno.io/description: AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.
    policies.kyverno.io/remediation: If AppArmor is applicable for your Linux OS, you should enable it.  Verify AppArmor is installed, create or import an AppArmor profile for your containers, enable enforcement of the policy, and add the appropriate AppArmor annotations to your deployment.
    policies.kyverno.io/rationale: AppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. Enabling this feature enforces security policies on containers as defined in the profile.
    policies.io/source: stackrox
    policies.io/source-id: 7448b475-8e80-4ece-bc9b-b9845c003a6f
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: docker-cis-5-1-ensure-that-if-applicable-an-apparm
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled" violated: AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.'
        deny:
          conditions:
            all:
              - key: "{{ request.object.metadata.annotations || `{}` }}"
                operator: AnyIn
                value:
                  - "container.apparmor.security.beta.kubernetes.io/*: unconfined"
IR (canonical)
{
  "id": "7448b475-8e80-4ece-bc9b-b9845c003a6f",
  "name": "Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled",
  "description": "AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.",
  "rationale": "AppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. Enabling this feature enforces security policies on containers as defined in the profile.",
  "remediation": "If AppArmor is applicable for your Linux OS, you should enable it.  Verify AppArmor is installed, create or import an AppArmor profile for your containers, enable enforcement of the policy, and add the appropriate AppArmor annotations to your deployment.",
  "severity": "medium",
  "categories": [
    "Docker CIS"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "apparmor-profile",
    "values": [
      "unconfined"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "7448b475-8e80-4ece-bc9b-b9845c003a6f",
  "name": "Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled",
  "description": "AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.",
  "rationale": "AppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. Enabling this feature enforces security policies on containers as defined in the profile.",
  "remediation": "If AppArmor is applicable for your Linux OS, you should enable it.  Verify AppArmor is installed, create or import an AppArmor profile for your containers, enable enforcement of the policy, and add the appropriate AppArmor annotations to your deployment.",
  "disabled": false,
  "categories": [
    "Docker CIS"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "Section 1",
      "policyGroups": [
        {
          "fieldName": "AppArmor Profile",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "unconfined"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}