For MKE's deployed on an Ubuntu host operating system, the AppArmor profile must be enabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260920	CNTR-MK-000520	SV-260920r966117_rule		Medium

Description
AppArmor protects the Ubuntu OS and applications from various threats by enforcing security policy which is also known as AppArmor profile. The user can either create their own AppArmor profile for containers or use the Docker default AppArmor profile. This would enforce security policies on the containers as defined in the profile. By default, docker-default AppArmor profile is applied for running containers and this profile can be found at /etc/apparmor.d/docker.

Description

AppArmor protects the Ubuntu OS and applications from various threats by enforcing security policy which is also known as AppArmor profile. The user can either create their own AppArmor profile for containers or use the Docker default AppArmor profile. This would enforce security policies on the containers as defined in the profile. By default, docker-default AppArmor profile is applied for running containers and this profile can be found at /etc/apparmor.d/docker.

STIG	Date
Mirantis Kubernetes Engine Security Technical Implementation Guide	2024-04-10

Details

Check Text ( C-64649r966115_chk )
If MKE is not being used on an Ubuntu host operating system, this is Not Applicable. If AppArmor is not in use, this is Not Applicable. This check must be executed on all nodes in a cluster. Via CLI: Linux: Execute the following command as a trusted user on the host operating system: docker ps -a -q \| xargs -I {} docker inspect {} --format '{{ .Name }}: AppArmorProfile={{ .AppArmorProfile }}, Privileged={{ .HostConfig.Privileged }}' \| grep 'AppArmorProfile=unconfined' \| grep 'Privileged=false' If any output, this is a finding.

Check Text ( C-64649r966115_chk )

If MKE is not being used on an Ubuntu host operating system, this is Not Applicable.

If AppArmor is not in use, this is Not Applicable.

This check must be executed on all nodes in a cluster.

Via CLI:
Linux: Execute the following command as a trusted user on the host operating system:

docker ps -a -q | xargs -I {} docker inspect {} --format '{{ .Name }}: AppArmorProfile={{ .AppArmorProfile }}, Privileged={{ .HostConfig.Privileged }}' | grep 'AppArmorProfile=unconfined' | grep 'Privileged=false'

If any output, this is a finding.

Fix Text (F-64557r966116_fix)
If not using MKE on Ubuntu host operating system, this is Not Applicable. If AppArmor is not in use, this is Not Applicable. This check must be executed on all nodes in a cluster. Run on all nonprivileged containers using an AppArmor profile: Via CLI: Linux: Install AppArmor (if not already installed). Create/import an AppArmor profile (if not using the "docker-default" profile). Put the profile in "enforcing" model. Execute the following command as a trusted user on the host operating system to run the container using the customized AppArmor profile: docker run [options] --security-opt="apparmor:[PROFILENAME]" [image] [command] When using the "docker-default" default profile, run the container using the following command instead: docker run [options] --security-opt apparmor=docker-default [image] [command]

Fix Text (F-64557r966116_fix)

If not using MKE on Ubuntu host operating system, this is Not Applicable.
If AppArmor is not in use, this is Not Applicable.

This check must be executed on all nodes in a cluster.

Run on all nonprivileged containers using an AppArmor profile:

Via CLI:
Linux: Install AppArmor (if not already installed).

Create/import an AppArmor profile (if not using the "docker-default" profile). Put the profile in "enforcing" model. Execute the following command as a trusted user on the host operating system to run the container using the customized AppArmor profile:

docker run [options] --security-opt="apparmor:[PROFILENAME]" [image] [command]

When using the "docker-default" default profile, run the container using the following command instead:

docker run [options] --security-opt apparmor=docker-default [image] [command]