INC-2026-04-04: Prevention

Prevention

Deploy AppArmor on P16g — CR-2026-04-04 — Evan Rosado
Verify kernel boot parameters include lsm=landlock,lockdown,yama,integrity,apparmor,bpf — Evan Rosado
Load complain-mode profiles for all installed applications — Evan Rosado

Add MAC deployment as mandatory phase in workstation deployment runbook — Evan Rosado
Write custom AppArmor profiles for high-risk apps (node, browsers, Docker) — Evan Rosado
Deploy AppArmor on modestus-razer (same gap) — Evan Rosado
Create AppArmor profile for Claude Code / npm processes — Evan Rosado
Add MAC verification to Phase 11 hardening checklist — Evan Rosado

Gap discovered during routine setup, not during an actual breach
Systematic investigation of domus-digitalis setup failure led to broader security audit
Arch kernel already has AppArmor compiled in — remediation path is straightforward

Deployment runbook had no security hardening checklist beyond "hardening" bullet point
MAC was never part of the Razer setup either — this is inherited technical debt
No automated security posture verification exists for workstation deployments

Default Arch = no MAC — unlike Ubuntu (AppArmor) or Fedora (SELinux), Arch ships with MAC compiled in but not enabled. Every Arch workstation deployment MUST explicitly enable it.
Secrets on a workstation without MAC is indefensible — ~/.secrets/, ~/.gnupg/, ~/.age/ are high-value targets. Any compromised user-space process can read them without MAC.
Phase 11 needs teeth — "hardening" as a vague bullet point is not a checklist. Specific, verifiable security requirements must be enumerated.
Audit triggered by unrelated failure — the domus-digitalis .env issue surfaced this. Without that accidental discovery, the gap would persist indefinitely.