Step 2: Detection. Query asset inventory and configuration management tools for Linux hosts with AppArmor loaded in enforce or complain mode. Review /var/log/audit/audit.log and /var/log/syslog for unexpected AppArmor policy violations, DENIED entries involving privileged operations from unprivileged UIDs, or anomalous setuid/setgid activity. Note: Systems with active AppArmor policies may generate high volumes of audit.log entries. Filter on DENIED entries involving setuid/setgid, capability operations, or policy loads from non-root UIDs to reduce noise. Look for privilege escalation behavioral indicators: unexpected root-owned processes spawned from non-root parent PIDs, UID 0 processes with unusual parent-child relationships, or new entries in /etc/sudoers, /etc/passwd, or SSH authorized_keys files modified by non-root accounts. No CVE-specific IOC patterns (hashes, IPs, domains) are available at this time; this is a local exploitation path with no network IOC footprint.
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST AU-2 (Event Logging)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST SI-4 (System Monitoring)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without a SIEM, parse /var/log/audit/audit.log directly using ausearch: 'ausearch -m AVC,USER_AVC -ts today | grep DENIED | grep -Ev "fsuid=0( |$)"' to surface AppArmor-denied operations from non-root UIDs. AppArmor denial records carry fsuid= and ouid= fields (for file operations) rather than uid=, and no exe= field of their own, so a filter on uid= or exe= would discard most of them; capability denials that carry no fsuid field are kept rather than dropped. For process anomaly detection, install Sysmon for Linux and write a rule targeting process creation where ParentUser != root and EffectiveUID == 0. Where Sysmon is not an option, express the same logic as an auditd rule: 'auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=0 -F auid!=4294967295 -k priv_esc_apparmor'. The second auid filter excludes records whose audit UID is unset (4294967295), which covers root daemons and cron jobs with no login session and would otherwise dominate the key. Cross-check /etc/passwd, /etc/sudoers and /etc/shadow modification timestamps with 'find /etc \( -name passwd -o -name sudoers -o -name shadow \) -newer /var/log/dpkg.log -ls' to detect post-exploitation persistence writes. The parentheses are required: without them -newer and -ls bind only to the last -name test, and passwd and sudoers are never listed. The dpkg.log reference point exists only on Debian-based hosts; elsewhere substitute a file whose mtime marks the start of the exposure window.
Preserve Evidence
Collect the full /var/log/audit/audit.log and its rotated copies (audit.log.1, audit.log.2 and any older rotations) covering the exposure window: CrackArmor's confused deputy exploitation path will generate AVC denial records or, if bypassed successfully, an absence of expected denial records for privileged syscalls from non-root UIDs. Extract auditd records for the setuid, setgid, capset, and execve syscalls filtered on auid (audit UID) values corresponding to non-privileged accounts; treat the unset value 4294967295 as a sessionless daemon, not a user. Capture /proc/<pid>/status for any suspicious UID 0 processes to confirm real vs. effective UID mismatches (its Uid: line lists the real, effective, saved-set, and filesystem UIDs in that order). Check inode change times (ctime) on /etc/sudoers, /etc/passwd, and /root/.ssh/authorized_keys using 'stat' to identify unauthorized writes from non-root sessions; unlike mtime, ctime cannot be backdated with touch, so it is the more reliable of the two.
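A detection pass implementing the audit.log checks from the Compensating Control and Preserve Evidence sections, written as an added example and not part of the original playbook: it parses raw auditd records, flags AppArmor DENIED entries from a non-root fsuid and execve records that ran as euid 0 inside a non-root login session, and handles the unset-auid case that a plain auid!=0 rule misses. The sample records, pids, paths and the /usr/bin/example profile are constructed for the demonstration.

```python
import re
# auid=4294967295 means "unset": no login session (root daemons, cron jobs). A
# plain auid!=0 rule flags every such record, so they are excluded here instead.
AUID_UNSET = 4294967295
EXECVE = {"execve", "59"}  # ausearch -i prints the name; the raw x86_64 log has the number
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_record(line):
    """Split one audit.log record into key=value fields, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_nonroot_apparmor_denial(rec):
    """AVC record where AppArmor denied an operation to a non-root fsuid."""
    return (rec.get("type") == "AVC" and rec.get("apparmor") == "DENIED"
            and rec.get("fsuid", "0") != "0")

def is_root_exec_from_user_session(rec):
    """SYSCALL execve record that ran as euid 0 inside a non-root login session."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") not in EXECVE:
        return False
    auid = int(rec.get("auid", AUID_UNSET))
    return rec.get("euid") == "0" and auid not in (0, AUID_UNSET)

def scan_audit_log(lines):
    """Return (indicator, pid, comm) for every record matching either check."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if is_nonroot_apparmor_denial(rec):
            hits.append(("apparmor_denied_nonroot", rec.get("pid", "?"), rec.get("comm", "?")))
        elif is_root_exec_from_user_session(rec):
            hits.append(("root_exec_from_user_session", rec.get("pid", "?"), rec.get("comm", "?")))
    return hits

# Constructed sample records (not from a real host); pids, timestamps and paths are made up.
SAMPLE_AUDIT_LOG = [
    # 1: a confined program running as uid 1000 was denied a write to /etc/sudoers -> flagged
    'type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/sudoers" pid=4321 comm="example" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0',
    # 2: an ordinary root-daemon denial -> noise, not flagged
    'type=AVC msg=audit(1700000000.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/tmp/cups.lock" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # 3: execve as euid 0 inside login session auid=1000, matching the auditctl key -> flagged
    'type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4322 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="priv_esc_apparmor"',
    # 4: cron job started by a root daemon, auid unset: caught by auid!=0 alone, excluded here
    'type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="priv_esc_apparmor"',
    # 5: user running their own command as euid 1000 -> not flagged
    'type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="priv_esc_apparmor"',
]

if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_AUDIT_LOG): print(hit)
```

Feed it the output of 'ausearch -ts <start of exposure window>' (one record per line) to run the same checks over a real host's records.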