5.1 Do not disable AppArmor

Information

AppArmor is an effective and easy-to-use Linux application security system. It is available
on quite a few Linux distributions by default such as Debian and Ubuntu.AppArmor protects the Linux OS and applications from various threats by enforcing
security policy which is also known as AppArmor profile. You can create your own
AppArmor profile for containers or use the Docker's default AppArmor profile. This would
enforce security policies on the containers as defined in the profile.

Solution

If AppArmor is applicable for your Linux OS, use it. You may have to follow below set of
steps-1. Verify if AppArmor is installed. If not, install it.
2. Create or import a AppArmor profile for Docker containers.
3. Put this profile in enforcing mode.
4. Start your Docker container using the customized AppArmor profile. For example,docker run --interactive --tty --security-opt='apparmor-PROFILENAME' centos /bin/bashAlternatively, you can keep the docker's default apparmor profile
Impact-The container (process) would have set of restrictions as defined in AppArmor profile. If
your AppArmor profile is mis-configured, then the container may not entirely work as
expected.Default Value-By default, docker-default AppArmor profile is applied for running containers and this
profile can be found at /etc/apparmor.d/docker.

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3(3)

Plugin: Unix

Control ID: 375b09628e3b5e15e9269c252871aa28cd8895e0942c596bd477ad59d71ffcdd