AppArmor Profile Compilation via apparmor_parser
Adversaries may abuse `apparmor_parser` to compile custom AppArmor profiles, potentially weakening security controls and facilitating privilege escalation on Linux systems.
The apparmor_parser tool is used to compile AppArmor profiles on Linux systems. While typically used by system administrators and package installation scripts, adversaries can abuse this tool to compile malicious AppArmor profiles. These profiles can then be loaded into the kernel, potentially weakening security controls, altering the behavior of privileged programs, or assisting in exploitation chains. Detecting the use of apparmor_parser with output redirection flags such as -o is crucial for identifying potential attempts to manipulate AppArmor policies for malicious purposes. This activity is a component of defense evasion, enabling attackers to potentially disable security tools.
Attack Chain
- An attacker gains initial access to a Linux system, often through methods outside the scope of this specific detection (e.g., exploiting a vulnerability, compromised credentials).
- The attacker escalates privileges to root, which is typically required to modify or load AppArmor profiles.
- The attacker creates a malicious AppArmor profile. This profile might weaken restrictions on specific processes or grant excessive permissions.
- The attacker executes
apparmor_parserwith the-ooption (or similar variants) to compile the malicious AppArmor profile to a file. - The attacker loads the compiled profile into the AppArmor kernel module using tools like
apparmor_statusor other policy management interfaces, replacing an existing policy or adding a new one. - The attacker restarts the service targeted by the malicious AppArmor profile, or triggers a reload of AppArmor policies, to activate the new profile.
- The attacker leverages the weakened security controls to execute malicious code, escalate privileges further, or maintain persistence.
- The attacker achieves their final objective, such as data exfiltration, system compromise, or denial of service.
Impact
A successful attack using a maliciously compiled AppArmor profile can lead to significant compromise of a Linux system. Weakening AppArmor policies can allow attackers to bypass security restrictions, escalate privileges, and execute arbitrary code with elevated permissions. This can result in data breaches, system instability, or complete system takeover. The impact is amplified if critical services like sshd, sudo, or container runtimes are targeted.
Recommendation
- Implement the Sigma rule
AppArmor Profile Compilation via apparmor_parserto detect the execution ofapparmor_parserwith output options. - Enable process monitoring and audit logging on Linux systems to capture command-line arguments for process executions.
- Monitor for modifications to AppArmor policy directories (e.g.,
/etc/apparmor.d/) and policy loading events. - Implement strict access controls on AppArmor policy files and restrict who can load or modify policies.
- Investigate any unexpected executions of
apparmor_parseror modifications to AppArmor policies, especially when originating from unknown or untrusted sources.
Detection coverage 2
AppArmor Profile Compilation via apparmor_parser
mediumDetects the execution of `apparmor_parser` with arguments used to specify an output file, which may indicate malicious profile compilation.
AppArmor Policy Load via apparmor_status
lowDetects the usage of apparmor_status to load or reload apparmor policies, which can follow malicious compilation
Detection queries are available on the platform. Get full rules →