12.3 Ensure the Apache AppArmor Profile Is in Enforce Mode

Information

AppArmor profiles may be in one of three modes: disabled, complain, or enforce. In the complain mode, any violations of the access controls are logged but the restrictions are not enforced. Also, once a profile mode has been changed, it is recommended to restart the Apache server, otherwise the currently running process may not be confined by the policy.

Rationale:

The complain mode is useful for testing and debugging a profile but is not appropriate for production. Only the confined process running in enforce mode will prevent attacks that violate the configured access controls.

Solution

Perform the following to implement the recommended state:

1. Set the profile state to enforce mode.

# aa-enforce apache2
Setting /usr/sbin/apache2 to enforce mode.

2. Stop the Apache server and confirm that is it not running. In some cases, the AppArmor controls may prevent the web server from stopping properly, and it may be necessary to stop the process manually or even reboot the server.

# service apache2 stop
* Stopping web server apache2
# service apache2 status
* apache2 is not running

3. Restart the Apache service.

# service apache2 start
* Starting web server apache2

See Also

https://workbench.cisecurity.org/files/2020

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|2.2

Plugin: Unix

Control ID: 9ff72fddf4ba8692dd278fa653698e43410af28a6fe38daf8d5f33806c9091ff