<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AppArmor - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/apparmor/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/apparmor/feed.xml" rel="self" type="application/rss+xml"/><item><title>AppArmor Policy Interface Tampering</title><link>https://feed.craftedsignal.io/briefs/2024-01-apparmor-policy-tampering/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-apparmor-policy-tampering/</guid><description>Detection of unauthorized access to AppArmor kernel policy control interfaces, specifically the `.load`, `.replace`, or `.remove` files, indicating potential defense evasion or policy tampering on Linux systems.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting attempts to tamper with AppArmor policies on Linux systems. AppArmor is a security module that provides mandatory access control, limiting the actions that processes can take. Attackers may try to modify or disable AppArmor policies to evade detection and execute malicious code with fewer restrictions. This is achieved by directly interacting with the AppArmor kernel policy control interfaces, specifically the <code>.load</code>, <code>.replace</code>, and <code>.remove</code> files located under <code>/sys/kernel/security/apparmor/</code>. These files are used to load, modify, or remove AppArmor profiles. The rule published on 2026-03-23 identifies abnormal access to these interfaces which could indicate unauthorized policy changes, defense evasion, or the installation of attacker-controlled profiles. This type of activity is particularly concerning in environments where AppArmor policy changes are uncommon or strictly controlled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access to the system, potentially through exploiting a vulnerability or using compromised credentials.</li>
<li><strong>Privilege Escalation:</strong> The attacker escalates privileges to root or another account with sufficient permissions to modify AppArmor policies. This may involve exploiting a kernel vulnerability or misconfigured sudo permissions.</li>
<li><strong>Defense Evasion:</strong> The attacker attempts to modify or disable AppArmor policies to evade detection and allow the execution of malicious code.</li>
<li><strong>Policy Modification:</strong> The attacker writes to <code>/sys/kernel/security/apparmor/.load</code>, <code>/sys/kernel/security/apparmor/.replace</code>, or <code>/sys/kernel/security/apparmor/.remove</code> to load a malicious AppArmor profile, replace an existing one with a weakened version, or remove a profile entirely.</li>
<li><strong>Persistence:</strong> The attacker establishes persistence by creating or modifying systemd units, cron jobs, or startup scripts that execute malicious code after the AppArmor policy is altered.</li>
<li><strong>Malicious Code Execution:</strong> The attacker executes malicious code that was previously blocked by AppArmor policies, now allowed due to the modified policies.</li>
<li><strong>Lateral Movement/Data Exfiltration:</strong> The attacker moves laterally within the network, accessing sensitive data or systems, and exfiltrates data to an external location.</li>
<li><strong>Impact:</strong> The attacker achieves their final objective, which may include data theft, system compromise, or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful tampering with AppArmor policies can have severe consequences. Attackers can bypass security controls, install malicious software, and gain unauthorized access to sensitive data. This can lead to data breaches, financial losses, and reputational damage. The impact is amplified if the compromised system is critical to business operations or contains valuable data. The referenced Qualys advisory &quot;CrackArmor&quot; highlights critical AppArmor flaws enabling local privilege escalation to root, further emphasizing the potential damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided EQL rule to your SIEM to detect access to AppArmor policy interfaces and tune it for your specific environment.</li>
<li>Enable the <code>auditd_manager</code> integration and configure the recommended audit rules to monitor access to the AppArmor policy files: <code>-w /sys/kernel/security/apparmor/.load -p rw -k apparmor_policy_change</code>, <code>-w /sys/kernel/security/apparmor/.replace -p rw -k apparmor_policy_change</code>, <code>-w /sys/kernel/security/apparmor/.remove -p rw -k apparmor_policy_change</code>.</li>
<li>Regularly review AppArmor policies for unauthorized modifications and ensure that critical services are running with the expected policies.</li>
<li>Implement strict access controls to limit who can administer AppArmor policies.</li>
<li>Monitor for privilege escalation attempts and unauthorized use of <code>sudo</code>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>apparmor</category><category>defense-evasion</category><category>linux</category></item><item><title>AppArmor Profile Compilation via apparmor_parser</title><link>https://feed.craftedsignal.io/briefs/2024-01-apparmor-profile-compilation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-apparmor-profile-compilation/</guid><description>Adversaries may abuse `apparmor_parser` to compile custom AppArmor profiles, potentially weakening security controls and facilitating privilege escalation on Linux systems.</description><content:encoded><![CDATA[<p>The <code>apparmor_parser</code> tool is used to compile AppArmor profiles on Linux systems. While typically used by system administrators and package installation scripts, adversaries can abuse this tool to compile malicious AppArmor profiles. These profiles can then be loaded into the kernel, potentially weakening security controls, altering the behavior of privileged programs, or assisting in exploitation chains. Detecting the use of <code>apparmor_parser</code> with output redirection flags such as <code>-o</code> is crucial for identifying potential attempts to manipulate AppArmor policies for malicious purposes. This activity is a component of defense evasion, enabling attackers to potentially disable security tools.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Linux system, often through methods outside the scope of this specific detection (e.g., exploiting a vulnerability, compromised credentials).</li>
<li>The attacker escalates privileges to root, which is typically required to modify or load AppArmor profiles.</li>
<li>The attacker creates a malicious AppArmor profile. This profile might weaken restrictions on specific processes or grant excessive permissions.</li>
<li>The attacker executes <code>apparmor_parser</code> with the <code>-o</code> option (or similar variants) to compile the malicious AppArmor profile to a file.</li>
<li>The attacker loads the compiled profile into the AppArmor kernel module using tools like <code>apparmor_status</code> or other policy management interfaces, replacing an existing policy or adding a new one.</li>
<li>The attacker restarts the service targeted by the malicious AppArmor profile, or triggers a reload of AppArmor policies, to activate the new profile.</li>
<li>The attacker leverages the weakened security controls to execute malicious code, escalate privileges further, or maintain persistence.</li>
<li>The attacker achieves their final objective, such as data exfiltration, system compromise, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using a maliciously compiled AppArmor profile can lead to significant compromise of a Linux system. Weakening AppArmor policies can allow attackers to bypass security restrictions, escalate privileges, and execute arbitrary code with elevated permissions. This can result in data breaches, system instability, or complete system takeover. The impact is amplified if critical services like <code>sshd</code>, <code>sudo</code>, or container runtimes are targeted.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the Sigma rule <code>AppArmor Profile Compilation via apparmor_parser</code> to detect the execution of <code>apparmor_parser</code> with output options.</li>
<li>Enable process monitoring and audit logging on Linux systems to capture command-line arguments for process executions.</li>
<li>Monitor for modifications to AppArmor policy directories (e.g., <code>/etc/apparmor.d/</code>) and policy loading events.</li>
<li>Implement strict access controls on AppArmor policy files and restrict who can load or modify policies.</li>
<li>Investigate any unexpected executions of <code>apparmor_parser</code> or modifications to AppArmor policies, especially when originating from unknown or untrusted sources.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>apparmor</category><category>defense-evasion</category><category>linux</category></item></channel></rss>