From 944c81615b57651fef4fb56b837d538c9afaf7aa Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair
 <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 14 Nov 2023 09:43:37 +0200
Subject: [PATCH] Add OVAL check for apparmor profile rules

---
 .../oval/shared.xml                           | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/oval/shared.xml

diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/oval/shared.xml b/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/oval/shared.xml
new file mode 100644
index 000000000000..f5db608032ac
--- /dev/null
+++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/oval/shared.xml
@@ -0,0 +1,31 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Ensure AppArmor profiles are in enforce complain mode") }}}
+    <criteria operator="AND">
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_object id="obj_apparmor_profiles" version="1">
+    <ind:filepath datatype="string">/sys/kernel/security/apparmor/profiles</ind:filepath>
+    <ind:pattern operation="pattern match" datatype="string">^.*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="obj_apparmor_enforced_profiles" version="1">
+    <ind:filepath datatype="string">/sys/kernel/security/apparmor/profiles</ind:filepath>
+    <ind:pattern operation="pattern match" datatype="string">^\(enforce\)*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="obj_apparmor_complaining_profiles" version="1">
+    <ind:filepath datatype="string">/sys/kernel/security/apparmor/profiles</ind:filepath>
+    <ind:pattern operation="pattern match" datatype="string">^\(complain\)*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <local_variable datatype="int" id="var_num_apparmor_profiles" version="1" comment="apparmor profiles">
+    <object_component item_field="subexpression" object_ref="obj_apparmor_profiles" />
+  </local_variable>
+  <local_variable datatype="int" id="var_num_apparmor_enforced_profiles" version="1" comment="enforce apparmor profiles">
+    <object_component item_field="subexpression" object_ref="obj_apparmor_enforced_profiles" />
+  </local_variable>
+  <local_variable datatype="int" id="var_num_apparmor_complaining_profiles" version="1" comment="enforce apparmor profiles">
+    <object_component item_field="subexpression" object_ref="obj_apparmor_complaining_profiles" />
+  </local_variable>
+</def-group>