Skip to content
Threat Feed
medium advisory

AppArmor Policy Bypass via Direct File Manipulation

This rule detects processes attempting to bypass AppArmor protections by directly writing to AppArmor policy management files in `/sys/kernel/security/apparmor/`.

This rule detects attempts to bypass AppArmor by directly writing to policy management files. AppArmor is a Linux kernel security module that provides mandatory access control, and direct manipulation of its policy files is highly unusual. The activity is triggered when processes attempt to load, replace, or remove AppArmor profiles by writing to the special kernel interfaces under /sys/kernel/security/apparmor/. While legitimate administrative tools like apparmor_parser handle policy management, direct interaction with these files from shell utilities or scripts could signify malicious intent. This technique may be used by adversaries to weaken or disable AppArmor protections, introduce malicious profiles, or exploit vulnerabilities in the AppArmor policy parser, often as a component of local privilege escalation chains. The rule is sourced from Elastic and has been actively maintained.

Attack Chain

  1. Attacker gains initial access to the system (e.g., via compromised service or account).
  2. Attacker executes a shell (bash, sh, zsh) or scripting language (python, perl) on the target system.
  3. The shell or scripting language attempts to write to AppArmor policy management files under /sys/kernel/security/apparmor/, such as .load, .replace, or .remove. This can be achieved using utilities like echo, tee, or cat.
  4. The attacker attempts to load a modified or weakened AppArmor profile using echo "profile <profile_name> {...}" > /sys/kernel/security/apparmor/.load.
  5. Alternatively, the attacker attempts to remove an existing profile with echo "<profile_name>" > /sys/kernel/security/apparmor/.remove.
  6. If successful, the AppArmor policy is modified, potentially weakening the security posture.
  7. The attacker leverages the weakened AppArmor profile to execute previously restricted actions.
  8. The attacker performs privilege escalation by exploiting the relaxed security constraints.

Impact

Successful exploitation could lead to a complete bypass of AppArmor protections, allowing attackers to perform actions normally restricted by the security policy. This could result in privilege escalation, unauthorized access to sensitive data, and the ability to install malware or perform other malicious activities. The Qualys advisory "CrackArmor" details critical AppArmor flaws that enable local privilege escalation to root when these protections are circumvented. The rule is sourced from Elastic and has been actively maintained.

Recommendation

  • Deploy the Sigma rule Suspicious AppArmor Policy Modification to your SIEM and tune for your environment to detect direct writes to AppArmor policy management files.
  • Enable process creation logging with command-line arguments to capture the full command being executed (reference: logsource.category: process_creation).
  • Investigate any alerts generated by the Suspicious AppArmor Policy Modification rule, focusing on the parent process and the content being written to the AppArmor policy files.
  • Review the investigation guide within the rule's note section for guidance on triage, false positive analysis, response, and remediation.

Detection coverage 3

Suspicious AppArmor Policy Modification

high

Detects processes attempting to modify AppArmor policies by writing to the /sys/kernel/security/apparmor directory.

sigma tactics: defense_evasion techniques: T1562.001 sources: process_creation, linux

Suspicious Shell Activity Writing to AppArmor

medium

Detects shell commands writing directly to AppArmor policy files.

sigma tactics: defense_evasion techniques: T1562.001 sources: process_creation, linux

Scripting Languages Writing to AppArmor Policy

medium

Detects scripting languages (Python, Perl, etc.) writing to AppArmor policy management files.

sigma tactics: defense_evasion techniques: T1562.001 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →