Merge pull request #12482 from alanmcanonical/apparmor_load_all

Load all the profile if not loaded for Ubuntu
ComplianceAsCode · Nov 11, 2024 · 3322dc9 · 3322dc9
2 parents 70a105d + d7b3438
commit 3322dc9
Show file tree

Hide file tree

Showing 10 changed files with 42 additions and 13 deletions.
diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/rule.yml b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/rule.yml
@@ -34,4 +34,4 @@ references:
     cis@ubuntu2004: 1.7.1.4
     cis@ubuntu2204: 1.6.1.4
 
-platform: package[apparmor]
+platform: machine and package[apparmor]
diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/sce/shared.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/sce/shared.sh
@@ -5,7 +5,7 @@
 # If apparmor or apparmor-utils are not installed, then this test fails.
 {{{ bash_package_installed("apparmor") }}}
 if [ $? -ne 0 ]; then
-        exit ${XCCDF_RESULT_FAIL}
+    exit ${XCCDF_RESULT_FAIL}
 fi
 
 # if number of apparmor profiles loaded not the same as enforced profiles, then it fails.

diff --git a/.../apparmor/all_apparmor_profiles_enforced/tests/correct_apparmor_profiles_enforced.pass.sh b/.../apparmor/all_apparmor_profiles_enforced/tests/correct_apparmor_profiles_enforced.pass.sh
@@ -1,6 +1,13 @@
 #!/bin/bash
+# packages = apparmor-utils
 
 #Replace apparmor definitions
 apparmor_parser -q -r /etc/apparmor.d/
 #Set all profiles in enforce mode
 aa-enforce /etc/apparmor.d/*
+
+# rsyslogd apparmor profile is disabled in focal and jammy.
+# Reloading the profile results in an unconfined process
+# which fails the SCE, so we need to restart the process manually.
+systemctl restart rsyslog
+
diff --git a/.../system/apparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles.fail.sh b/.../system/apparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles.fail.sh
diff --git a/...pparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles_enforced.fail.sh b/...pparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles_enforced.fail.sh
@@ -1,4 +1,12 @@
 #!/bin/bash
+# packages = apparmor-utils
 
 #Replace apparmor definitions and force profiles into compliant mode
-apparmor_parser -C -q -r  /etc/apparmor.d/ 
+apparmor_parser -q -r  /etc/apparmor.d/ 
+#Set all profiles in complain mode
+aa-complain /etc/apparmor.d/*
+
+# rsyslogd apparmor profile is disabled in focal and jammy.
+# Reloading the profile results in an unconfined process
+# which fails the SCE, so we need to restart the process manually.
+systemctl restart rsyslog
diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/bash/shared.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/bash/shared.sh
@@ -13,14 +13,25 @@ APPARMOR_MODE="$var_apparmor_mode"
 
 if [ "$APPARMOR_MODE" = "enforce" ]
 then
+  {{% if 'ubuntu' in product %}}
+  # Set all profiles to enforce mode except disabled profiles
+  find /etc/apparmor.d -maxdepth 1 ! -type d -exec bash -c '[[ -e "/etc/apparmor.d/disable/$(basename "$1")" ]] || aa-enforce "$1"' _ {} \;
+  {{% else %}}
   # Set all profiles to enforce mode
   aa-enforce /etc/apparmor.d/*
+  {{% endif %}}
 fi
 
 if [ "$APPARMOR_MODE" = "complain" ]
 then
+  {{% if 'ubuntu' in product %}}
+  # Load all not-loaded profiles into complain mode
+  apparmor_parser -a --Complain /etc/apparmor.d/
+  echo "***WARNING***: This remediation will not downgrade any existing AppArmor profiles."
+  {{% else %}}
   # Set all profiles to complain mode
   aa-complain /etc/apparmor.d/*
+  {{% endif %}}
 fi
 
 {{% if 'ubuntu' in product %}}

diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/rule.yml b/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/rule.yml
@@ -37,4 +37,4 @@ references:
     cis@ubuntu2004: 1.7.1.3
     cis@ubuntu2204: 1.6.1.3
 
-platform: package[apparmor]
+platform: machine and package[apparmor]
diff --git a/...profiles_in_enforce_complain_mode/tests/correct_all_apparmor_profiles_in_complain.pass.sh b/...profiles_in_enforce_complain_mode/tests/correct_all_apparmor_profiles_in_complain.pass.sh
@@ -3,5 +3,11 @@
 
 #Replace apparmor definitions
 apparmor_parser -q -r /etc/apparmor.d/
+{{% if 'ubuntu' in product %}}
+# Set all profiles to complain mode except disabled profiles
+find /etc/apparmor.d -maxdepth 1 ! -type d -exec bash -c '[[ -e "/etc/apparmor.d/disable/$(basename "{}")" ]] || aa-complain "{}"' \;
+{{% else %}}
 #Set all profiles in complain mode
 aa-complain /etc/apparmor.d/*
+{{% endif %}}
+
diff --git a/..._profiles_in_enforce_complain_mode/tests/correct_all_apparmor_profiles_in_enforce.pass.sh b/..._profiles_in_enforce_complain_mode/tests/correct_all_apparmor_profiles_in_enforce.pass.sh
@@ -3,5 +3,11 @@
 
 #Replace apparmor definitions
 apparmor_parser -q -r /etc/apparmor.d/
+{{% if 'ubuntu' in product %}}
+# Set all profiles to complain mode except disabled profiles
+find /etc/apparmor.d -maxdepth 1 ! -type d -exec bash -c '[[ -e "/etc/apparmor.d/disable/$(basename "{}")" ]] || aa-enforce "{}"' \;
+{{% else %}}
 #Set all profiles in enforce mode
 aa-enforce /etc/apparmor.d/*
+{{% endif %}}
+
diff --git a/..._apparmor_profiles_in_enforce_complain_mode/tests/incorrect_all_apparmor_profiles.fail.sh b/..._apparmor_profiles_in_enforce_complain_mode/tests/incorrect_all_apparmor_profiles.fail.sh