Evidence: AppArmor Profiles
Description: Collect AppArmor profiles
Category: System
Platform: linux
Short Name: aarmpr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers AppArmor profile information from the Linux system. This data is essential for understanding application confinement policies and detecting policy changes.
Data Collected
This collector gathers structured data about AppArmor profiles.
Collection Method
This collector reads AppArmor policy data from the kernel security filesystem and records it into the app_armor_profiles table.
Forensic Value
This evidence is crucial for forensic investigations because it shows which profiles are loaded and whether each is in enforce or complain mode, helping detect weakened application confinement or policy tampering.
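Added example (not the collector's own code): one way to compare two snapshots of the kernel's loaded-profile list and report profiles whose confinement got weaker. It assumes the raw `name (mode)` line format of `/sys/kernel/security/apparmor/profiles`, not the app_armor_profiles table schema, which this page does not document; the sample snapshots and the mode ranking are constructed for illustration.

```python
import re

# One line per loaded profile in securityfs: "<name> (<mode>)".
# The name may itself contain spaces, so anchor on the trailing "(mode)".
LINE_RE = re.compile(r"^(?P<name>.+) \((?P<mode>[a-z]+)\)$")

# Higher rank = stronger confinement. This ranking is the example's assumption.
STRENGTH = {"unconfined": 0, "complain": 1, "enforce": 2, "kill": 3}

def parse_profiles(text):
    """Return {profile_name: mode} from the contents of apparmor/profiles."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            profiles[m.group("name")] = m.group("mode")
    return profiles

def weakened(baseline, current):
    """List (profile, old_mode, new_mode) where confinement got weaker.
    new_mode is None when the profile is no longer loaded.
    An unrecognised new mode ranks lowest, so it is reported for review."""
    findings = []
    for name, old in sorted(baseline.items()):
        new = current.get(name)
        if new is None:
            findings.append((name, old, None))
        elif STRENGTH.get(new, -1) < STRENGTH.get(old, -1):
            findings.append((name, old, new))
    return findings

# Constructed sample snapshots (not taken from a real host).
BASELINE = """\
/usr/sbin/cupsd (enforce)
/usr/sbin/tcpdump (enforce)
/usr/bin/man (enforce)
snap.example.daemon (complain)
"""
CURRENT = """\
/usr/sbin/cupsd (complain)
/usr/bin/man (enforce)
snap.example.daemon (complain)
"""

if __name__ == "__main__":
    for name, old, new in weakened(parse_profiles(BASELINE), parse_profiles(CURRENT)):
        print(f"{name}: {old} -> {new or 'not loaded'}")
```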