ADD(1.7.x): add apparmor checks

bin/hardening/1.7.1.1_install_apparmor.sh

@@ -17,14 +17,31 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Install AppArmor."
 
+PACKAGES='apparmor apparmor-utils'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PACKAGE is installed"
+        else
+            crit "$PACKAGE is absent, installing it"
+            apt_install "$PACKAGE"
+        fi
+    done
 }
 
 # This function will check config parameters required

bin/hardening/1.7.1.2_enable_apparmor.sh

@@ -17,16 +17,18 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Activate AppArmor to enforce permissions control."
 
-PACKAGE='apparmor'
+PACKAGES='apparmor apparmor-utils'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    is_pkg_installed "$PACKAGE"
+    for PACKAGE in $PACKAGES; do
-    if [ "$FNRET" != 0 ]; then
+        is_pkg_installed "$PACKAGE"
-        crit "$PACKAGE is absent!"
+        if [ "$FNRET" != 0 ]; then
-    else
+            crit "$PACKAGE is absent!"
-        ok "$PACKAGE is installed"
+        else
-    fi
+            ok "$PACKAGE is installed"
+        fi
+    done
 
     ERROR=0
     RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@@ -43,19 +45,22 @@ audit() {
     done
     IFS=$d_IFS
     if [ "$ERROR" = 0 ]; then
-        ok "$PACKAGE is configured"
+        ok "$PACKAGES are configured"
 
     fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    is_pkg_installed "$PACKAGE"
+    for PACKAGE in $PACKAGES; do
-    if [ "$FNRET" != 0 ]; then
+        is_pkg_installed "$PACKAGE"
-        crit "$PACKAGE is not installed, please install $PACKAGE and configure it"
+        if [ "$FNRET" = 0 ]; then
-    else
+            ok "$PACKAGE is installed"
-        ok "$PACKAGE is installed"
+        else
-    fi
+            crit "$PACKAGE is absent, installing it"
+            apt_install "$PACKAGE"
+        fi
+    done
 
     ERROR=0
     RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
@@ -76,7 +81,7 @@ apply() {
         $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub
         $SUDO_CMD update-grub
     else
-        ok "$PACKAGE is configured"
+        ok "$PACKAGES are configured"
     fi
 }
 

bin/hardening/1.7.1.3_enforce_or_complain_apparmor.sh

@@ -17,14 +17,48 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enforce or complain AppArmor profiles."
 
+PACKAGES='apparmor apparmor-utils'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+
+    else
+        crit "Some processes are unconfined while they have defined profile"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGES is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        warn "Some processes are unconfined while they have defined profile, setting profiles to complain mode"
+        aa-complain /etc/apparmor.d/*
+    fi
 }
 
 # This function will check config parameters required

bin/hardening/1.7.1.4_enforcing_apparmor.sh

@@ -17,14 +17,62 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enforce Apparmor profiles."
 
+PACKAGES='apparmor apparmor-utils'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$($SUDO_CMD apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+    RESULT_COMPLAIN=$($SUDO_CMD apparmor_status | grep "^0 profiles are in complain mode.")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        crit "Some processes are unconfined while they have defined profile"
+    fi
+
+    if [ -n "$RESULT_COMPLAIN" ]; then
+        ok "No profiles are in complain mode"
+    else
+        crit "Some processes are in complain mode"
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    for PACKAGE in $PACKAGES; do
+        is_pkg_installed "$PACKAGE"
+        if [ "$FNRET" != 0 ]; then
+            crit "$PACKAGE is absent!"
+        else
+            ok "$PACKAGE is installed"
+        fi
+    done
+
+    RESULT_UNCONFINED=$(apparmor_status | grep "^0 processes are unconfined but have a profile defined")
+    RESULT_COMPLAIN=$(apparmor_status | grep "^0 profiles are in complain mode.")
+
+    if [ -n "$RESULT_UNCONFINED" ]; then
+        ok "No profiles are unconfined"
+    else
+        warn "Some processes are unconfined while they have defined profile, setting profiles to enforce mode"
+        aa-enforce /etc/apparmor.d/*
+    fi
+
+    if [ -n "$RESULT_COMPLAIN" ]; then
+        ok "No profiles are in complain mode"
+    else
+        warn "Some processes are in complain mode, setting profiles to enforce mode"
+        aa-enforce /etc/apparmor.d/*
+    fi
 }
 
 # This function will check config parameters required

cisharden.sudoers

@@ -19,6 +19,7 @@ Cmnd_Alias SCL_CMD =    /bin/grep ,\
                         /sbin/sysctl kernel.*,\
                         /sbin/sysctl -a,\
                         /bin/dmesg "",\
-                        /bin/netstat
+                        /bin/netstat,\
+                        /usr/sbin/apparmor_status
 
 cisharden ALL = (root) NOPASSWD: SCL_CMD

tests/hardening/1.7.1.1_install_apparmor.sh

@@ -1,11 +1,22 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
-    describe Running on blank host
+    if [ -f "/.dockerenv" ]; then
-    register_test retvalshouldbe 0
+        skip "SKIPPED on docker"
-    dismiss_count_for_test
+    else
-    # shellcheck disable=2154
+        describe Running on blank host
-    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+        describe correcting situation
+        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "is installed"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
 }

tests/hardening/1.7.1.2_enable_apparmor.sh

@@ -16,7 +16,7 @@ test_audit() {
 
         describe Checking resolved state
         register_test retvalshouldbe 0
-        register_test contain "is configured"
+        register_test contain "are configured"
         run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
     fi
 }

tests/hardening/1.7.1.3_enforce_or_complain_apparmor.sh

@@ -1,11 +1,22 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
-    describe Running on blank host
+    if [ -f "/.dockerenv" ]; then
-    register_test retvalshouldbe 0
+        skip "SKIPPED on docker"
-    dismiss_count_for_test
+    else
-    # shellcheck disable=2154
+        describe Running on blank host
-    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+        describe correcting situation
+        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "No profiles are unconfined"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
 }

tests/hardening/1.7.1.4_enforcing_apparmor.sh

@@ -1,11 +1,22 @@
 # shellcheck shell=bash
 # run-shellcheck
 test_audit() {
-    describe Running on blank host
+    if [ -f "/.dockerenv" ]; then
-    register_test retvalshouldbe 0
+        skip "SKIPPED on docker"
-    dismiss_count_for_test
+    else
-    # shellcheck disable=2154
+        describe Running on blank host
-    run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+        register_test retvalshouldbe 0
+        dismiss_count_for_test
+        # shellcheck disable=2154
+        run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+        describe correcting situation
+        sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+        /opt/debian-cis/bin/hardening/"${script}".sh --apply || true
+
+        describe Checking resolved state
+        register_test retvalshouldbe 0
+        register_test contain "No profiles are unconfined"
+        run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+    fi
 }