AppArmor Policy Bypass via Direct File Manipulation
This rule detects processes attempting to bypass AppArmor protections by directly writing to AppArmor policy management files in `/sys/kernel/security/apparmor/`.
This rule detects attempts to bypass AppArmor by directly writing to policy management files. AppArmor is a Linux kernel security module that provides mandatory access control, and direct manipulation of its policy files is highly unusual. The activity is triggered when processes attempt to load, replace, or remove AppArmor profiles by writing to the special kernel interfaces under /sys/kernel/security/apparmor/. While legitimate administrative tools like apparmor_parser handle policy management, direct interaction with these files from shell utilities or scripts could signify malicious intent. This technique may be used by adversaries to weaken or disable AppArmor protections, introduce malicious profiles, or exploit vulnerabilities in the AppArmor policy parser, often as a component of local privilege escalation chains. The rule is sourced from Elastic and has been actively maintained.
Attack Chain
- Attacker gains initial access to the system (e.g., via compromised service or account).
- Attacker executes a shell (bash, sh, zsh) or scripting language (python, perl) on the target system.
- The shell or scripting language attempts to write to AppArmor policy management files under
/sys/kernel/security/apparmor/, such as.load,.replace, or.remove. This can be achieved using utilities likeecho,tee, orcat. - The attacker attempts to load a modified or weakened AppArmor profile using
echo "profile <profile_name> {...}" > /sys/kernel/security/apparmor/.load. - Alternatively, the attacker attempts to remove an existing profile with
echo "<profile_name>" > /sys/kernel/security/apparmor/.remove. - If successful, the AppArmor policy is modified, potentially weakening the security posture.
- The attacker leverages the weakened AppArmor profile to execute previously restricted actions.
- The attacker performs privilege escalation by exploiting the relaxed security constraints.
Impact
Successful exploitation could lead to a complete bypass of AppArmor protections, allowing attackers to perform actions normally restricted by the security policy. This could result in privilege escalation, unauthorized access to sensitive data, and the ability to install malware or perform other malicious activities. The Qualys advisory "CrackArmor" details critical AppArmor flaws that enable local privilege escalation to root when these protections are circumvented. The rule is sourced from Elastic and has been actively maintained.
Recommendation
- Deploy the Sigma rule
Suspicious AppArmor Policy Modificationto your SIEM and tune for your environment to detect direct writes to AppArmor policy management files. - Enable process creation logging with command-line arguments to capture the full command being executed (reference:
logsource.category: process_creation). - Investigate any alerts generated by the
Suspicious AppArmor Policy Modificationrule, focusing on the parent process and the content being written to the AppArmor policy files. - Review the investigation guide within the rule's note section for guidance on triage, false positive analysis, response, and remediation.
Detection coverage 3
Suspicious AppArmor Policy Modification
highDetects processes attempting to modify AppArmor policies by writing to the /sys/kernel/security/apparmor directory.
Suspicious Shell Activity Writing to AppArmor
mediumDetects shell commands writing directly to AppArmor policy files.
Scripting Languages Writing to AppArmor Policy
mediumDetects scripting languages (Python, Perl, etc.) writing to AppArmor policy management files.
Detection queries are available on the platform. Get full rules →