From ce1e87b1a31bcc46a92cbfe436ce05a47293ff65 Mon Sep 17 00:00:00 2001
From: Thibault Ayanides
Date: Fri, 6 Nov 2020 11:09:22 +0100
Subject: [PATCH] IMP(4.5): rename to 1.6.1.2 improve test

---
 ...apparmor.sh => 1.6.2.1_enable_apparmor.sh} | 20 +++++++++++++++++--
 tests/hardening/1.6.2.1_enable_apparmor.sh | 14 +++++++++++++
 tests/hardening/4.5_enable_apparmor.sh | 10 ----------
 3 files changed, 32 insertions(+), 12 deletions(-)
 rename bin/hardening/{4.5_enable_apparmor.sh => 1.6.2.1_enable_apparmor.sh} (69%)
 create mode 100644 tests/hardening/1.6.2.1_enable_apparmor.sh
 delete mode 100644 tests/hardening/4.5_enable_apparmor.sh

diff --git a/bin/hardening/4.5_enable_apparmor.sh b/bin/hardening/1.6.2.1_enable_apparmor.sh
similarity index 69%
rename from bin/hardening/4.5_enable_apparmor.sh
rename to bin/hardening/1.6.2.1_enable_apparmor.sh
index 948649a..56b6d66 100755
--- a/bin/hardening/4.5_enable_apparmor.sh
+++ b/bin/hardening/1.6.2.1_enable_apparmor.sh
@@ -24,7 +24,12 @@ audit () {
 else
 ok "$PACKAGE is installed"
 fi
- :
+ RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+ for line in $RESULT; do
+ if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+ crit "$line is not configured"
+ fi
+ done
 }
 
 # This function will be called if the script status is on enabled mode
@@ -35,7 +40,18 @@ apply () {
 else
 ok "$PACKAGE is installed"
 fi
- :
+ ERROR=0
+ RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg)
+ for line in $RESULT; do
+ if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then
+ crit "$line is not configured"
+ ERROR=1
+ fi
+ done
+ if [ $ERROR = 1 ]; then
+ $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\/"
+ fi
+ $SUDO_CMD update-grub
 }
 
 # This function will check config parameters required
diff --git a/tests/hardening/1.6.2.1_enable_apparmor.sh b/tests/hardening/1.6.2.1_enable_apparmor.sh
new file mode 100644
index 0000000..b0ebe2a
--- /dev/null
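Review bot: `for line in $RESULT` in audit's new body word-splits grep's output on the default IFS, so each iteration sees one token of a kernel line rather than the line itself; no single token can contain both `apparmor=1` and `security=apparmor`, so the `||` condition is true for every token and `crit` fires even on a correctly configured grub.cfg. Iterate per line instead, `while IFS= read -r line; do` … `done <<< "$RESULT"`, leaving the `if` body as it is. The same loop appears in the apply hunk below, where it sets `ERROR=1` on every host. Consider also reporting the case where `$RESULT` is empty (no grub.cfg, or grep failing under `$SUDO_CMD`): today the loop body never runs and the audit passes silently. audit's body begins outside the hunk.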
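Review bot: The `sed -i` line in apply's new body passes no input file, so sed exits with an error and nothing is changed; as rendered the expression also ends in `\/` with no closing delimiter, and the replacement has no trailing space after `security=apparmor`, which would glue it to an existing first option in GRUB_CMDLINE_LINUX. A working form is `$SUDO_CMD sed -i 's/GRUB_CMDLINE_LINUX="/GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor /' /etc/default/grub` (single quotes also remove the escaping), i.e. edit the GRUB defaults file rather than the generated grub.cfg the loop inspected. `$SUDO_CMD update-grub` then only needs to run inside the `if [ $ERROR = 1 ]` branch, since nothing was modified otherwise. apply's body begins outside the hunk.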
+++ b/tests/hardening/1.6.2.1_enable_apparmor.sh
@@ -0,0 +1,14 @@
+# run-shellcheck
+test_audit() {
+ if [ -f "/.dockerenv" ]; then
+ skip "SKIPPED on docker"
+ else
+ describe Running on blank host
+ register_test retvalshouldbe 0
+ dismiss_count_for_test
+ # shellcheck disable=2154
+ run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
+ # TODO fill comprehensive tests
+ fi
+}
diff --git a/tests/hardening/4.5_enable_apparmor.sh b/tests/hardening/4.5_enable_apparmor.sh
deleted file mode 100644
index b333419..0000000
--- a/tests/hardening/4.5_enable_apparmor.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-# run-shellcheck
-test_audit() {
- describe Running on blank host
- register_test retvalshouldbe 0
- dismiss_count_for_test
- # shellcheck disable=2154
- run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
-
- # TODO fill comprehensive tests
-}
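Review bot: test_audit only asserts a zero return on a blank host and skips outright when `/.dockerenv` exists, so if the suite runs in docker (which the guard suggests) the new kernel-command-line check in 1.6.2.1_enable_apparmor.sh gets no coverage from this file. The audit reads a hard-coded `/boot/grub/grub.cfg`, which a test cannot stage; making that path a variable with the same default in the hardening script would let a later test point it at a temporary file holding kernel lines with and without `apparmor=1 security=apparmor` and assert the expected `retvalshouldbe` for each, instead of leaving `# TODO fill comprehensive tests` as the only note on coverage.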