Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled
No violationsstackroxmediumdeployAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.
- Rationale
- AppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. Enabling this feature enforces security policies on containers as defined in the profile.
- Remediation
- If AppArmor is applicable for your Linux OS, you should enable it. Verify AppArmor is installed, create or import an AppArmor profile for your containers, enable enforcement of the policy, and add the appropriate AppArmor annotations to your deployment.
CategoriesDocker CIS
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.2.11
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2CM-6
- PCI DSS 4.0
- 2.2.1
Generated artifacts
3 of 5 targets supporteddocker-cis-5-1-ensure-that-if-applicable-an-apparmor-profile-is.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: docker-cis-5-1-ensure-that-if-applicable-an-apparmor-profile-is
annotations:
policies.kyverno.io/title: Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled
policies.kyverno.io/category: Docker CIS
policies.kyverno.io/severity: medium
policies.kyverno.io/description: AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.
policies.kyverno.io/remediation: If AppArmor is applicable for your Linux OS, you should enable it. Verify AppArmor is installed, create or import an AppArmor profile for your containers, enable enforcement of the policy, and add the appropriate AppArmor annotations to your deployment.
policies.kyverno.io/rationale: AppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. Enabling this feature enforces security policies on containers as defined in the profile.
policies.io/source: stackrox
policies.io/source-id: 7448b475-8e80-4ece-bc9b-b9845c003a6f
spec:
validationFailureAction: Audit
background: true
rules:
- name: docker-cis-5-1-ensure-that-if-applicable-an-apparm
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled" violated: AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.'
deny:
conditions:
all:
- key: "{{ request.object.metadata.annotations || `{}` }}"
operator: AnyIn
value:
- "container.apparmor.security.beta.kubernetes.io/*: unconfined"
IR (canonical)
{
"id": "7448b475-8e80-4ece-bc9b-b9845c003a6f",
"name": "Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled",
"description": "AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.",
"rationale": "AppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. Enabling this feature enforces security policies on containers as defined in the profile.",
"remediation": "If AppArmor is applicable for your Linux OS, you should enable it. Verify AppArmor is installed, create or import an AppArmor profile for your containers, enable enforcement of the policy, and add the appropriate AppArmor annotations to your deployment.",
"severity": "medium",
"categories": [
"Docker CIS"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "apparmor-profile",
"values": [
"unconfined"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "7448b475-8e80-4ece-bc9b-b9845c003a6f",
"name": "Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled",
"description": "AppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.",
"rationale": "AppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. Enabling this feature enforces security policies on containers as defined in the profile.",
"remediation": "If AppArmor is applicable for your Linux OS, you should enable it. Verify AppArmor is installed, create or import an AppArmor profile for your containers, enable enforcement of the policy, and add the appropriate AppArmor annotations to your deployment.",
"disabled": false,
"categories": [
"Docker CIS"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "Section 1",
"policyGroups": [
{
"fieldName": "AppArmor Profile",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "unconfined"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}