diff --git a/bin/hardening/1.6.2.1_enable_apparmor.sh b/bin/hardening/1.6.2.1_enable_apparmor.sh index 56b6d66..469ab25 100755 --- a/bin/hardening/1.6.2.1_enable_apparmor.sh +++ b/bin/hardening/1.6.2.1_enable_apparmor.sh @@ -5,7 +5,7 @@ # # -# 4.5 Activate AppArmor (Scored) +# 1.6.2.1 Activate AppArmor (Scored) # set -e # One error, it's over @@ -24,12 +24,19 @@ audit () { else ok "$PACKAGE is installed" fi + + ERROR=0 RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) for line in $RESULT; do if [[ ! $line =~ "apparmor=1" ]] || [[ ! $line =~ "security=apparmor" ]]; then crit "$line is not configured" + ERROR=1 fi done + if [ $ERROR = 0 ]; then + ok "$PACKAGE is configured" + + fi } # This function will be called if the script status is on enabled mode @@ -40,6 +47,7 @@ apply () { else ok "$PACKAGE is installed" fi + ERROR=0 RESULT=$($SUDO_CMD grep "^\s*linux" /boot/grub/grub.cfg) for line in $RESULT; do @@ -49,9 +57,11 @@ apply () { fi done if [ $ERROR = 1 ]; then - $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\/" + $SUDO_CMD sed -i "s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/" /etc/default/grub + $SUDO_CMD update-grub + else + ok "$PACKAGE is configured" fi - $SUDO_CMD update-grub } # This function will check config parameters required diff --git a/tests/hardening/1.6.2.1_enable_apparmor.sh b/tests/hardening/1.6.2.1_enable_apparmor.sh index b0ebe2a..5fb1267 100644 --- a/tests/hardening/1.6.2.1_enable_apparmor.sh +++ b/tests/hardening/1.6.2.1_enable_apparmor.sh 
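Review bot: The new `ok "$PACKAGE is configured"` branch in audit() is only reached when ERROR stays 0, but the loop it depends on iterates `for line in $RESULT` unquoted, so each grub.cfg entry is word-split into tokens (`linux`, the kernel path, `root=...`) and the `apparmor=1` / `security=apparmor` test runs per token rather than per line; unless IFS is set to newline elsewhere (not visible here), the `linux` token alone sets ERROR=1, so the success path looks unreachable on any host with a linux entry. Reading the lines instead, `while IFS= read -r line; do ...; done <<<"$RESULT"`, would make the per-line check and the new ERROR/ok logic agree. There is also a stray blank line between the `ok` call and its `fi`. The same loop shape feeds the ERROR flag in apply() in the third and fourth hunks, where it would make the sed rewrite run on every apply.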
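Review bot: The rewritten sed substitution `s/GRUB_CMDLINE_LINUX=\"/GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor/` inserts the parameters with no separator after them, so a non-empty value such as `GRUB_CMDLINE_LINUX="quiet"` becomes `"apparmor=1 security=apparmorquiet"`, which corrupts the existing first kernel parameter and leaves `security=apparmor` unset. Capture the existing value and re-emit it after a space: `$SUDO_CMD sed -i 's/^GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor \1"/' /etc/default/grub`. Because the decision is taken from /boot/grub/grub.cfg rather than /etc/default/grub, a stale grub.cfg also makes this prepend the parameters a second time; guarding the sed with `grep -q 'security=apparmor' /etc/default/grub ||` keeps apply idempotent. Anchoring with `^` additionally avoids editing a commented-out `#GRUB_CMDLINE_LINUX=` line.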
@@ -9,6 +9,13 @@ test_audit() { # shellcheck disable=2154 run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all - # TODO fill comprehensive tests + describe correcting situation + sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg + /opt/debian-cis/bin/hardening/"${script}".sh --apply || true + + describe Checking resolved state + register_test retvalshouldbe 0 + register_test contain "is configured" + run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all fi }
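Review bot: `register_test contain "is configured"` cannot distinguish the resolved state from the failing one, because the script's failure message `crit "$line is not configured"` also contains the substring `is configured`, so this check passes even when apply changed nothing. Match the success message as a whole, e.g. `register_test contain "apparmor is configured"` if that is the value of PACKAGE in this script (not visible in the hunk), or additionally assert that `is not configured` is absent from the output. The `|| true` on the --apply run also hides an apply failure, so the retval check only covers the second audit.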