AppArmor Profiles
Overview
Evidence: AppArmor Profiles
Description: Collect AppArmor profiles
Category: System
Platform: linux
Short Name: aarmpr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers information about AppArmor profiles from the Linux system. This data is essential for understanding application confinement policies and detecting policy changes.
Data Collected
This collector gathers structured data about AppArmor profiles.
Collection Method
This collector reads AppArmor policy data from the kernel security filesystem and records it into the app_armor_profiles table.
Forensic Value
This evidence is crucial for forensic investigations because it shows which profiles are loaded and whether each one is in enforce or complain mode, helping detect weakened application confinement or policy tampering.
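The following added example illustrates both the collection method and the forensic use described above; it is illustrative code written for this page, not the collector's own implementation. It assumes (the page does not state this) that the kernel exposes loaded profiles through securityfs at /sys/kernel/security/apparmor/profiles as one "name (mode)" line per profile, parses that listing into rows shaped like an app_armor_profiles table, and compares the result against a baseline of expected modes so that profiles that were unloaded or moved to a weaker mode stand out. The listing embedded in the script is a constructed sample used when the live file is not readable.

```python
"""Parse the AppArmor profile listing from securityfs and flag weakened
confinement against a baseline.

Illustrative code added for this page, not the collector's implementation.
Assumptions not stated on the page: the kernel lists loaded profiles at
/sys/kernel/security/apparmor/profiles as "<name> (<mode>)" lines, and a
baseline of expected modes is available from a known-good host.
"""
import re
from collections import Counter
from pathlib import Path
from typing import Dict, List

PROFILES_PATH = Path("/sys/kernel/security/apparmor/profiles")

# Name may contain spaces and "//" for child profiles; mode is the final
# parenthesised token (enforce, complain, kill, unconfined).
_LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<mode>[a-z]+)\)$")

# Ordering used to decide whether a mode change weakens confinement.
_STRENGTH = {"kill": 3, "enforce": 3, "complain": 2, "unconfined": 1, "unknown": 0}

# Constructed sample listing (not captured from a real host).
SAMPLE_LISTING = """\
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
/usr/bin/man (complain)
nvidia_modprobe (enforce)
lsb_release (unconfined)
"""


def parse_profiles(text: str) -> List[Dict[str, str]]:
    """Turn the raw listing into rows resembling an app_armor_profiles table."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            # Keep unparseable lines visible instead of silently dropping them.
            rows.append({"name": line, "mode": "unknown"})
            continue
        rows.append({"name": m.group("name"), "mode": m.group("mode")})
    return rows


def read_profiles(path: Path = PROFILES_PATH) -> List[Dict[str, str]]:
    """Read the live securityfs listing; fall back to the sample off-box."""
    try:
        text = path.read_text()
    except OSError:
        text = SAMPLE_LISTING
    return parse_profiles(text)


def mode_summary(rows: List[Dict[str, str]]) -> Counter:
    """Count loaded profiles per mode (quick view of overall confinement)."""
    return Counter(r["mode"] for r in rows)


def weakened_profiles(rows: List[Dict[str, str]], baseline: Dict[str, str]) -> List[str]:
    """Return findings for baseline profiles that are missing or weaker than expected."""
    current = {r["name"]: r["mode"] for r in rows}
    findings = []
    for name, expected in baseline.items():
        actual = current.get(name)
        if actual is None:
            findings.append(f"{name}: missing (expected {expected}; profile unloaded?)")
        elif _STRENGTH.get(actual, 0) < _STRENGTH.get(expected, 0):
            findings.append(f"{name}: {expected} -> {actual}")
    return findings


if __name__ == "__main__":
    rows = read_profiles()
    print("profiles per mode:", dict(mode_summary(rows)))
    # Hypothetical baseline captured from a known-good host of the same build.
    baseline = {"/usr/sbin/cupsd": "enforce", "/usr/bin/man": "enforce"}
    for finding in weakened_profiles(rows, baseline):
        print("WEAKENED:", finding)
```

Run on a live host the script reads securityfs directly; anywhere else it parses the embedded sample, so the same logic can be exercised against a collected listing copied off the box.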