AppArmor Profiles
Overview
Evidence: AppArmor Profiles
Description: Collect AppArmor profiles
Category: System
Platform: linux
Short Name: aarmpr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers AppArmor profile information from the Linux system. This data is essential for understanding application confinement policies and detecting policy changes.
Data Collected
This collector gathers structured data about AppArmor profiles.
Collection Method
This collector reads AppArmor policy data from the kernel security filesystem and records it into the app_armor_profiles table.
Forensic Value
This evidence is crucial for forensic investigations because it shows which profiles are loaded and whether they run in enforce or complain mode, helping detect weakened application confinement or policy tampering.
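The following is an added example, not the collector's own code: it parses a loaded-profile listing in the "name (mode)" format of /sys/kernel/security/apparmor/profiles and compares it with an earlier known-good collection to surface weakened confinement. That the collector reads this particular file is an assumption, and the sample listing and baseline are constructed.

```python
import re

# Lines in /sys/kernel/security/apparmor/profiles look like "<name> (<mode>)".
LINE_RE = re.compile(r"^(?P<name>.+) \((?P<mode>[a-z]+)\)$")

# Constructed sample listing, used so the example runs offline.
SAMPLE_CURRENT = """\
/usr/sbin/cupsd (complain)
/usr/bin/man (enforce)
/usr/bin/man//filter (enforce)
example-new (unconfined)
"""

# Constructed baseline from an earlier, known-good collection.
SAMPLE_BASELINE = {
    "/usr/sbin/cupsd": "enforce",
    "/usr/sbin/tcpdump": "enforce",
    "/usr/bin/man": "enforce",
    "/usr/bin/man//filter": "enforce",
}

def parse_profiles(text):
    """Return {profile_name: mode}; raise on lines that do not fit the format."""
    profiles = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.rstrip())
        if m is None:
            raise ValueError(f"line {lineno}: unrecognized entry {line!r}")
        profiles[m["name"]] = m["mode"]
    return profiles

def compare(baseline, current):
    """List (profile, finding) pairs where the current state departs from the baseline."""
    findings = []
    for name, old_mode in sorted(baseline.items()):
        new_mode = current.get(name)
        if new_mode is None:
            findings.append((name, "profile no longer loaded"))
        elif old_mode == "enforce" and new_mode != "enforce":
            findings.append((name, f"mode changed enforce -> {new_mode}"))
    for name in sorted(set(current) - set(baseline)):
        findings.append((name, f"new profile ({current[name]})"))
    return findings

if __name__ == "__main__":
    for name, finding in compare(SAMPLE_BASELINE, parse_profiles(SAMPLE_CURRENT)):
        print(f"{name}: {finding}")
```

On a live system the listing is readable by root only; pass the file's contents to `parse_profiles` in place of the sample.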

