STIGQter: STIG Summary: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

Pam_Apparmor must be configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user, change security attributes, and to confine all non-privileged users from executing functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

DISA Rule

SV-219322r610963_rule

Vulnerability Number

V-219322

Group Title

SRG-OS-000312-GPOS-00122

Rule Version

UBTU-18-010437

Severity

CAT III

CCI(s)

• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
• CCI-002165 - The information system enforces organization-defined discretionary access control policies over defined subjects and objects.

Weight

10

Fix Recommendation

Configure the Ubuntu operating system to allow system administrators to pass information to any other Ubuntu operating system administrator or user.

Install "Pam_Apparmor" (if it is not installed) with the following command:

# sudo apt-get install libpam-apparmor

Enable/Activate "Apparmor" (if it is not already active) with the following command:

# sudo systemctl enable apparmor.service

Start "Apparmor" with the following command:

# sudo systemctl start apparmor.service

Note: Pam_Apparmor must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "Pam_Apparmor" documentation for more information on configuring profiles.

Check Contents

Verify that the Ubuntu operating system is configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user.

Check that "Pam_Apparmor" is installed on the system with the following command:

# dpkg -l | grep -i apparmor

ii libpam-apparmor 2.10.95-0Ubuntu2.6

If the "Pam_Apparmor" package is not installed, this is a finding.

Check that the "AppArmor" daemon is running with the following command:

# systemctl status apparmor.service | grep -i active

If something other than "Active: active" is returned, this is a finding.

Note: Pam_Apparmor must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "Pam_Apparmor" documentation for more information on configuring profiles.

Vulnerability Number

V-219322

Documentable

False

Rule Version

UBTU-18-010437

Severity Override Guidance

Verify that the Ubuntu operating system is configured to allow system administrators to pass information to any other Ubuntu operating system administrator or user.

Check that "Pam_Apparmor" is installed on the system with the following command:

# dpkg -l | grep -i apparmor

ii libpam-apparmor 2.10.95-0Ubuntu2.6

If the "Pam_Apparmor" package is not installed, this is a finding.

Check that the "AppArmor" daemon is running with the following command:

# systemctl status apparmor.service | grep -i active

If something other than "Active: active" is returned, this is a finding.

Note: Pam_Apparmor must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "Pam_Apparmor" documentation for more information on configuring profiles.

Check Content Reference

M

Target Key

4055

Comments