From 8da11075327d387c96724183e216dcd502f7a228 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Wed, 23 Dec 2020 10:46:51 +0100
Subject: [PATCH] ADD(1.7.x): add apparmor checks
---
 bin/hardening/1.7.1.1_install_apparmor.sh | 21 +++++++-
 bin/hardening/1.7.1.2_enable_apparmor.sh | 35 +++++++------
 .../1.7.1.3_enforce_or_complain_apparmor.sh | 38 +++++++++++++-
 bin/hardening/1.7.1.4_enforcing_apparmor.sh | 52 ++++++++++++++++++-
 cisharden.sudoers | 3 +-
 tests/hardening/1.7.1.1_install_apparmor.sh | 23 +++++--
 tests/hardening/1.7.1.2_enable_apparmor.sh | 2 +-
 .../1.7.1.3_enforce_or_complain_apparmor.sh | 23 +++++--
 tests/hardening/1.7.1.4_enforcing_apparmor.sh | 23 +++++--
 9 files changed, 179 insertions(+), 41 deletions(-)
diff --git a/bin/hardening/1.7.1.1_install_apparmor.sh b/bin/hardening/1.7.1.1_install_apparmor.sh
index b70e3a4..e32827c 100755
--- a/bin/hardening/1.7.1.1_install_apparmor.sh
+++ b/bin/hardening/1.7.1.1_install_apparmor.sh
@@ -17,14 +17,31 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install AppArmor."
+PACKAGES='apparmor apparmor-utils'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- :
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PACKAGE is absent!"
+ else
+ ok "$PACKAGE is installed"
+ fi
+ done
 }
 # This function will be called if the script status is on enabled mode
 apply() {
- :
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install "$PACKAGE"
+ fi
+ done
 }
 # This function will check config parameters required
diff --git a/bin/hardening/1.7.1.2_enable_apparmor.sh b/bin/hardening/1.7.1.2_enable_apparmor.sh
index f3bf39b..3f00a20 100755
--- a/bin/hardening/1.7.1.2_enable_apparmor.sh
+++ b/bin/hardening/1.7.1.2_enable_apparmor.sh
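Review bot: apply() installs a missing package but never re-checks that the install actually happened — after `apt_install "$PACKAGE"` the loop simply moves on, so if apt_install returns non-zero without aborting the script (its behaviour is not visible here) the run ends with no crit for that package. Re-run the check after installing: `apt_install "$PACKAGE"` / `is_pkg_installed "$PACKAGE"` / `[ "$FNRET" = 0 ] || crit "$PACKAGE could not be installed"`. Logging at `crit` immediately before remediating also reads like a failed audit; `warn "$PACKAGE is absent, installing it"` is the level the 1.7.1.3/1.7.1.4 apply() functions in this same patch use when they remediate.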
@@ -17,16 +17,18 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Activate AppArmor to enforce permissions control."
-PACKAGE='apparmor'
+PACKAGES='apparmor apparmor-utils'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- is_pkg_installed "$PACKAGE"
- if [ "$FNRET" != 0 ]; then
- crit "$PACKAGE is absent!"
- else
- ok "$PACKAGE is installed"
- fi
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PACKAGE is absent!"
+ else
+ ok "$PACKAGE is installed"
+ fi
+ done
 ERROR=0
 RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@@ -43,19 +45,22 @@ audit() {
 done
 IFS=$d_IFS
 if [ "$ERROR" = 0 ]; then
- ok "$PACKAGE is configured"
+ ok "$PACKAGES are configured"
 fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
- is_pkg_installed "$PACKAGE"
- if [ "$FNRET" != 0 ]; then
- crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
- else
- ok "$PACKAGE is installed"
- fi
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install "$PACKAGE"
+ fi
+ done
 ERROR=0
 RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@@ -76,7 +81,7 @@ apply() {
 $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
 $SUDO_CMD update-grub
 else
- ok "$PACKAGE is configured"
+ ok "$PACKAGES are configured"
 fi
 }
diff --git a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
index bfefa12..f02dd55 100755
--- a/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
+++ b/bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
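Review bot: apply() now installs the packages itself, where the removed lines deliberately only told the operator to install them, so 1.7.1.2 repeats the remediation of 1.7.1.1 and a host with 1.7.1.1 disabled still gets packages installed by this check; if that is intended, say so with `# also install here: enabling apparmor on the kernel cmdline is pointless without the package`, otherwise keep the report-only behaviour. The success message `ok "$PACKAGES are configured"` (second and third hunk) is emitted after the grub.cfg check, not the package check, so it now claims that "apparmor apparmor-utils are configured" when what was verified is the kernel command line; `ok "AppArmor is enabled on the kernel command line"` would be accurate, and the 1.7.1.2 test in this patch that greps for "are configured" would need the same change. The bodies of audit() and apply() continue between the hunks, outside the view.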
@@ -17,14 +17,48 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enforce or complain AppArmor profiles."
+PACKAGES='apparmor apparmor-utils'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- :
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PACKAGE is absent!"
+ else
+ ok "$PACKAGE is installed"
+ fi
+ done
+
+ RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+
+ if [ -n "$RESULT_UNCONFINED" ]; then
+ ok "No profiles are unconfined"
+
+ else
+ crit "Some processes are unconfined while they have defined profile"
+ fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
- :
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PACKAGES is absent!"
+ else
+ ok "$PACKAGE is installed"
+ fi
+ done
+
+ RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+
+ if [ -n "$RESULT_UNCONFINED" ]; then
+ ok "No profiles are unconfined"
+ else
+ warn "Some processes are unconfined while they have defined profile, setting profiles to complain mode"
+ aa-complain /etc/apparmor.d/*
+ fi
 }
 # This function will check config parameters required
diff --git a/bin/hardening/1.7.1.4_enforcing_apparmor.sh b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
index 0b3fa40..49239b0 100755
--- a/bin/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/bin/hardening/1.7.1.4_enforcing_apparmor.sh
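Review bot: The remediation `aa-complain /etc/apparmor.d/*` in apply() fires whenever any process is unconfined and moves every profile — including those currently in enforce mode — to complain mode, so one stale process weakens confinement host-wide; this check accepts either mode, so `aa-enforce /etc/apparmor.d/*` here (or leaving already-enforced profiles alone) avoids the downgrade. It also does not fix what the audit measures: a process counted as "unconfined but have a profile defined" started before its profile was loaded and stays unconfined until it is restarted, so the audit keeps failing after apply; the warn line should say so, e.g. `warn "... profiles set to complain mode; restart the unconfined processes to confine them"`. Separately, apply()'s message uses the list variable, `crit "$PACKAGES is absent!"`, where audit() correctly uses `crit "$PACKAGE is absent!"`, and unlike the 1.7.1.1/1.7.1.2 apply() in this patch it only reports the missing package instead of installing it; apply() also calls a bare `apparmor_status` while audit() goes through `$SUDO_CMD`.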
@@ -17,14 +17,62 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enforce Apparmor profiles."
+PACKAGES='apparmor apparmor-utils'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
- :
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PACKAGE is absent!"
+ else
+ ok "$PACKAGE is installed"
+ fi
+ done
+
+ RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+ RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+
+ if [ -n "$RESULT_UNCONFINED" ]; then
+ ok "No profiles are unconfined"
+ else
+ crit "Some processes are unconfined while they have defined profile"
+ fi
+
+ if [ -n "$RESULT_COMPLAIN" ]; then
+ ok "No profiles are in complain mode"
+ else
+ crit "Some processes are in complain mode"
+ fi
 }
 # This function will be called if the script status is on enabled mode
 apply() {
- :
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed "$PACKAGE"
+ if [ "$FNRET" != 0 ]; then
+ crit "$PACKAGE is absent!"
+ else
+ ok "$PACKAGE is installed"
+ fi
+ done
+
+ RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+ RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
+
+ if [ -n "$RESULT_UNCONFINED" ]; then
+ ok "No profiles are unconfined"
+ else
+ warn "Some processes are unconfined while they have defined profile, setting profiles to enforce mode"
+ aa-enforce /etc/apparmor.d/*
+ fi
+
+ if [ -n "$RESULT_COMPLAIN" ]; then
+ ok "No profiles are in complain mode"
+ else
+ warn "Some processes are in complain mode, setting profiles to enforce mode"
+ aa-enforce /etc/apparmor.d/*
+ fi
 }
 # This function will check config parameters required
diff --git a/cisharden.sudoers b/cisharden.sudoers
index 5b7bfe5..45991e8 100644
--- a/cisharden.sudoers
+++ b/cisharden.sudoers
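Review bot: apply() runs `aa-enforce /etc/apparmor.d/*` twice in a row when both checks fail, and the first call does not address its trigger: a process reported as "unconfined but have a profile defined" keeps running unconfined after the profile mode changes until it is restarted, so the audit keeps failing. Collapse the two branches into one decision, run aa-enforce once, and tell the operator about the restart; the audit's `crit "Some processes are in complain mode"` is also reporting profiles (its grep is on "profiles are in complain mode"), so `crit "Some profiles are in complain mode"`. Note too that enforcing every profile under /etc/apparmor.d is a host-wide change that can break a service whose profile was deliberately left in complain mode, and that apply() calls a bare `apparmor_status` while audit() uses `$SUDO_CMD`.
```shell
# … unchanged: package loop and RESULT_UNCONFINED / RESULT_COMPLAIN assignments …
    if [ -n "$RESULT_UNCONFINED" ] && [ -n "$RESULT_COMPLAIN" ]; then
        ok "No profiles are unconfined or in complain mode"
    else
        warn "Some profiles are in complain mode or some processes are unconfined, setting all profiles to enforce mode"
        aa-enforce /etc/apparmor.d/*
        # mode changes do not attach to already-running processes
        [ -n "$RESULT_UNCONFINED" ] || warn "Unconfined processes stay unconfined until they are restarted"
    fi
```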
@@ -19,6 +19,7 @@ Cmnd_Alias SCL_CMD = /bin/grep ,\
 /sbin/sysctl kernel.*,\
 /sbin/sysctl -a,\
 /bin/dmesg "",\
- /bin/netstat
+ /bin/netstat,\
+ /usr/sbin/apparmor_status
 cisharden ALL = (root) NOPASSWD: SCL_CMD
diff --git a/tests/hardening/1.7.1.1_install_apparmor.sh b/tests/hardening/1.7.1.1_install_apparmor.sh
index f85b20d..818f94a 100644
--- a/tests/hardening/1.7.1.1_install_apparmor.sh
+++ b/tests/hardening/1.7.1.1_install_apparmor.sh
@@ -1,11 +1,22 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
- describe Running on blank host
- register_test retvalshouldbe 0
- dismiss_count_for_test
- # shellcheck disable=2154
- run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ if [ -f "/.dockerenv" ]; then
+ skip "SKIPPED on docker"
+ else
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "is installed"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ fi
 }
diff --git a/tests/hardening/1.7.1.2_enable_apparmor.sh b/tests/hardening/1.7.1.2_enable_apparmor.sh
index 01e92a7..2d3c584 100644
--- a/tests/hardening/1.7.1.2_enable_apparmor.sh
+++ b/tests/hardening/1.7.1.2_enable_apparmor.sh
@@ -16,7 +16,7 @@ test_audit() {
 describe Checking resolved state
 register_test retvalshouldbe 0
- register_test contain "is configured"
+ register_test contain "are configured"
 run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 fi
 }
diff --git a/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh b/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
index f85b20d..6f9b730 100644
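Review bot: The new sudoers entry `/usr/sbin/apparmor_status` carries no argument restriction, unlike the `/bin/dmesg ""` line just above it, so the cisharden user may pass any option; the scripts in this patch only ever run it with no arguments (`$SUDO_CMD apparmor_status | grep …`), and `/usr/sbin/apparmor_status ""` grants exactly that. Those scripts also invoke it by bare name, so whether sudo matches this rule depends on /usr/sbin being on the path sudo resolves commands against; calling `$SUDO_CMD /usr/sbin/apparmor_status` in the scripts removes that dependency. apparmor_status is read-only so the exposure is small, but a hardening tool's own sudoers file should model least privilege.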
--- a/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
+++ b/tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh
@@ -1,11 +1,22 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
- describe Running on blank host
- register_test retvalshouldbe 0
- dismiss_count_for_test
- # shellcheck disable=2154
- run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ if [ -f "/.dockerenv" ]; then
+ skip "SKIPPED on docker"
+ else
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "No profiles are unconfined"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ fi
 }
diff --git a/tests/hardening/1.7.1.4_enforcing_apparmor.sh b/tests/hardening/1.7.1.4_enforcing_apparmor.sh
index f85b20d..6f9b730 100644
--- a/tests/hardening/1.7.1.4_enforcing_apparmor.sh
+++ b/tests/hardening/1.7.1.4_enforcing_apparmor.sh
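Review bot: The resolved-state check only asserts `contain "No profiles are unconfined"` after apply, and the blank-host run dismisses its count, so the test never establishes that the audit fails when a process is unconfined — it passes on any host that was already clean. Asserting the blank run's output (or setting up an unconfined process before the audit) would give the test a negative case; the `|| true` on the `--apply` call also hides apply failures, leaving only the resolved audit to catch them. Since the whole test is skipped under docker, it is worth confirming the CI runner is not docker-based, otherwise this path never executes.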
@@ -1,11 +1,22 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
- describe Running on blank host
- register_test retvalshouldbe 0
- dismiss_count_for_test
- # shellcheck disable=2154
- run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ if [ -f "/.dockerenv" ]; then
+ skip "SKIPPED on docker"
+ else
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
- # TODO fill comprehensive tests
+ describe correcting situation
+ sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+ /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+ describe Checking resolved state
+ register_test retvalshouldbe 0
+ register_test contain "No profiles are unconfined"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+ fi
 }
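Review bot: The resolved-state assertion is identical to the 1.7.1.3 test (`contain "No profiles are unconfined"`, same blob 6f9b730) and does not cover the condition 1.7.1.4 adds on top of 1.7.1.3, profiles left in complain mode; add `register_test contain "No profiles are in complain mode"` so a host that apply leaves in complain mode is caught. As in the 1.7.1.3 test, the blank-host run dismisses its count and the whole test is skipped under docker, so there is still no negative case showing the audit detects a complain-mode profile.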