← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit privileged execution of /sbin/apparmor_parser (Ubuntu)

audit-priv-apparmor_parser · UBUNTU ≥ 22 · 1 impl

Description

All uses of the /sbin/apparmor_parser command must generate an audit record so that AppArmor policy changes can be traced to an individual.

Rationale

Auditing execution of privileged commands allows detection of misuse and supports forensic investigation of privilege escalation.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
Remediateaudit_rule_set
rule:
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
persist_file:
/etc/audit/rules.d/50-priv-apparmor_parser.rules

Framework references

STIG

V-270793 / UBTU-24-900220V-260604 / UBTU-22-654010

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#privileged