diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh
index 67a97f3b3cc..90ca089b638 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/etc/selinux/", "wa", "MAC-policy") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/ubuntu.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/ubuntu.sh
new file mode 100644
index 00000000000..27baa62732e
--- /dev/null
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/ubuntu.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_ubuntu
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+{{{ bash_fix_audit_watch_rule("auditctl", "/etc/apparmor/", "wa", "MAC-policy") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/etc/apparmor/", "wa", "MAC-policy") }}}
+{{{ bash_fix_audit_watch_rule("auditctl", "/etc/apparmor.d/", "wa", "MAC-policy") }}}
+{{{ bash_fix_audit_watch_rule("augenrules", "/etc/apparmor.d/", "wa", "MAC-policy") }}}
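Review bot: The new ubuntu.sh carries the shared.sh comment verbatim, so nothing tells the reader why AppArmor needs two watched directories where SELinux needed one; a one-line comment above the first macro call would do, e.g. `# AppArmor keeps its parser/tooling configuration under /etc/apparmor/ and the loaded profiles under /etc/apparmor.d/, so both directories must be watched.` The trailing slash on both paths should be kept as written, because the companion OVAL regexes in this change match the watched path only in that spelling.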
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/ubuntu.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/ubuntu.xml new file mode 100644 index 00000000000..b0fff80bc4d --- /dev/null +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/ubuntu.xml @@ -0,0 +1,62 @@ + + + {{{ oval_metadata("Audit rules that detect changes to the system's mandatory access controls (Apparmor) are enabled.") }}} + + + + + + + + + + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/apparmor/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + 1 + + + + + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/apparmor/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + 1 + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/apparmor\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + 1 + + + + + + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/apparmor\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + 1 + + + diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml index 0fd1441c3cb..263fef8a8ac 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml @@ -7,14 +7,24 @@ description: |- augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: + {{% if 'ubuntu' in product %}} +
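Review bot: The four new patterns anchor the watched path as `/etc/apparmor/[\s]+` and `/etc/apparmor\.d/[\s]+`, so an administrator-written rule that names the same directory without the trailing slash (`-w /etc/apparmor.d -p wa -k MAC-policy`) is reported as non-compliant even though the directory is being watched. Making the slash optional in all four states, `/etc/apparmor\.d/?[\s]+` and `/etc/apparmor/?[\s]+`, accepts both spellings while the remediation's own output (with the slash) still matches. The shared SELinux check is not part of this diff, so whether it already has the same strictness cannot be confirmed from here.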
-w /etc/apparmor/ -p wa -k MAC-policy
+
-w /etc/apparmor.d/ -p wa -k MAC-policy
+ {{% else %}}
-w /etc/selinux/ -p wa -k MAC-policy
+ {{% endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: + {{% if 'ubuntu' in product %}} +
-w /etc/apparmor/ -p wa -k MAC-policy
+
-w /etc/apparmor.d/ -p wa -k MAC-policy
+ {{% else %}}
-w /etc/selinux/ -p wa -k MAC-policy
+ {{% endif %}} rationale: |- - The system's mandatory access policy (SELinux) should not be + The system's mandatory access policy (SELinux or Apparmor) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh index 16f737f85d1..ce766d772b0 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh @@ -4,4 +4,9 @@ # use auditctl {{{ setup_auditctl_environment() }}} +{{% if 'ubuntu' in product %}} +echo "-w /etc/apparmor/ -p wa -k MAC-policy" > /etc/audit/audit.rules +echo "-w /etc/apparmor.d/ -p wa -k MAC-policy" >> /etc/audit/audit.rules +{{% else %}} echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/audit.rules +{{% endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct_without_key.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct_without_key.pass.sh index 8de58fdcf6f..836df3c1a1d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct_without_key.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct_without_key.pass.sh @@ -4,4 +4,9 @@ # use auditctl {{{ setup_auditctl_environment() }}} +{{% if 'ubuntu' in product %}} +echo "-w /etc/apparmor/ -p wa" > /etc/audit/audit.rules +echo "-w /etc/apparmor.d/ -p wa" >> /etc/audit/audit.rules +{{% else %}} echo "-w /etc/selinux/ -p wa" > /etc/audit/audit.rules +{{% endif %}} 
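Review bot: Both lead-in sentences still say "add the following line" although the Ubuntu branch that now follows each of them lists two watches; either pluralize the lead-in (`add the following lines to a file with suffix .rules`) or move the sentence inside the conditional so each branch reads correctly on its own. The rationale and the OVAL metadata in this change spell the MAC system "Apparmor" while the upstream project name is "AppArmor"; if one is changed the other should follow. The description block starts before this hunk (`description: |-` is the hunk's context header), so the first lead-in may be cut at the top.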
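Review bot: All four updated tests are `.pass.sh` cases, so nothing in this change exercises the failure the new two-criteria Ubuntu check exists to catch: a rules file that carries only one of the two AppArmor watches. An Ubuntu-guarded fail test writing a single watch, e.g. `echo "-w /etc/apparmor.d/ -p wa -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules` (and an auditctl variant targeting /etc/audit/audit.rules), would pin that both watches are required. This applies equally to auditctl_correct.pass.sh and auditctl_correct_without_key.pass.sh here and to augen_correct.pass.sh and augen_correct_without_key.pass.sh below.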
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh
index 85df1015da1..70d8e4e5ffe 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh
@@ -1,4 +1,10 @@
 #!/bin/bash
 # packages = audit
 
+{{% if 'ubuntu' in product %}}
+echo "-w /etc/apparmor/ -p wa -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules
+echo "-w /etc/apparmor.d/ -p wa -k MAC-policy" >> /etc/audit/rules.d/MAC-policy.rules
+{{% else %}}
 echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules
+{{% endif %}}
+
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct_without_key.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct_without_key.pass.sh
index 7fac367869e..b0f4a7a2b36 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct_without_key.pass.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct_without_key.pass.sh
@@ -1,4 +1,9 @@
 #!/bin/bash
 # packages = audit
 
+{{% if 'ubuntu' in product %}}
+echo "-w /etc/apparmor/ -p wa" > /etc/audit/rules.d/MAC-policy.rules
+echo "-w /etc/apparmor.d/ -p wa" >> /etc/audit/rules.d/MAC-policy.rules
+{{% else %}}
 echo "-w /etc/selinux/ -p wa" > /etc/audit/rules.d/MAC-policy.rules
+{{% endif %}}