
Add new rule ensure_apparmor_enforce_or_complain #9985

Closed

Conversation

@dodys dodys (Contributor) commented Dec 16, 2022

Description:

  • This is a new rule to satisfy CIS items:
    • 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
    • 1.6.1.4 Ensure all AppArmor Profiles are enforcing
  • For that, a new variable, var_set_apparmor_mode, was created so we could re-use the same rule for both items.
  • @teacup-on-rockingchair I think this is also needed for SLE15.

Rationale:

  • Security configuration requirements vary from site to site. Some sites may mandate a
    policy that is stricter than the default policy, which is perfectly acceptable. This item is
    intended to ensure that any policies that exist on the system are activated.

Review Hints:

Run the following command and verify that profiles are loaded, and are in either enforce
or complain mode:
# apparmor_status | grep profiles

Review output and ensure that profiles are loaded, and in either enforce or complain mode:

37 profiles are loaded.
35 profiles are in enforce mode.
2 profiles are in complain mode.
4 processes have profiles defined.

Run the following command and verify no processes are unconfined:
# apparmor_status | grep processes

Review the output and ensure no processes are unconfined:

4 processes have profiles defined.
4 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
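A check of the review-hints logic above, as an added shell example that is not the PR's own rule code or the ComplianceAsCode project's: it parses apparmor_status output and evaluates it for both outcomes the PR maps onto var_set_apparmor_mode. The value names enforce and enforce_or_complain, the count_of/check_apparmor_mode helpers and the sample output are my assumptions.

```shell
#!/bin/sh
# Added example (not the PR's or ComplianceAsCode's code): evaluate apparmor_status
# output against the two CIS outcomes the PR maps onto var_set_apparmor_mode.

# Constructed sample output, following the shape shown in the PR's review hints.
SAMPLE_OK='apparmor module is loaded.
37 profiles are loaded.
35 profiles are in enforce mode.
2 profiles are in complain mode.
4 processes have profiles defined.
4 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Constructed failing sample: one process runs unconfined despite having a profile.
SAMPLE_UNCONFINED=$(printf '%s\n' "$SAMPLE_OK" | sed 's/^0 processes are unconfined/1 processes are unconfined/')

# count_of STATUS_TEXT PATTERN: prints the leading count of the first line containing
# PATTERN, or 0 if no such line exists (a missing line is treated as zero).
count_of() {
    n=$(printf '%s\n' "$1" | awk -v pat="$2" 'index($0, pat) { print $1; exit }')
    printf '%s' "${n:-0}"
}

# check_apparmor_mode STATUS_TEXT MODE
#   MODE=enforce             -> CIS 1.6.1.4: every loaded profile is in enforce mode
#   MODE=enforce_or_complain -> CIS 1.6.1.3: every loaded profile is in enforce or complain mode
# Both modes also require at least one loaded profile and no unconfined processes.
# Exit status: 0 pass, 1 fail, 2 unknown MODE (the variable's value names are assumed).
check_apparmor_mode() {
    status=$1
    mode=$2
    loaded=$(count_of "$status" "profiles are loaded")
    enforce=$(count_of "$status" "profiles are in enforce mode")
    complain=$(count_of "$status" "profiles are in complain mode")
    unconfined=$(count_of "$status" "processes are unconfined")
    [ "$loaded" -gt 0 ] || return 1
    [ "$unconfined" -eq 0 ] || return 1
    case $mode in
        enforce)             [ "$enforce" -eq "$loaded" ] ;;
        enforce_or_complain) [ $((enforce + complain)) -eq "$loaded" ] ;;
        *)                   return 2 ;;
    esac
}

# Stand-alone demo on the constructed sample (a live run would pass "$(apparmor_status)").
for mode in enforce_or_complain enforce; do
    if check_apparmor_mode "$SAMPLE_OK" "$mode"; then echo "$mode: PASS"; else echo "$mode: FAIL"; fi
done
```

With the sample above, enforce_or_complain passes while enforce fails because two profiles are in complain mode, which is exactly the level 1 versus level 2 distinction discussed in the review.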


@dodys dodys force-pushed the apparmor_enforce branch from 96fb00b to d139432 Compare January 3, 2023 15:02
@dodys dodys requested a review from a team as a code owner January 3, 2023 15:02
codeclimate bot commented Jan 3, 2023

Code Climate has analyzed commit d139432 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 49.8% (0.0% change).


@Mab879 Mab879 added Ubuntu Ubuntu product related. New Rule Issues or pull requests related to new Rules. labels Jan 5, 2023
@Mab879 Mab879 added this to the 0.1.66 milestone Jan 5, 2023
@Mab879 Mab879 (Member) left a comment

Thanks for the PR. I have a couple of questions on this PR.

@@ -0,0 +1,32 @@
<def-group>
<definition class="compliance" id="ensure_apparmor_enforce_or_complain" version="1">
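Review bot: the definition id `ensure_apparmor_enforce_or_complain` on the hunk's second line bakes one of the two accepted outcomes into the rule's identifier, while the PR description says the same rule is meant to cover both CIS 1.6.1.3 (enforce or complain) and 1.6.1.4 (enforce only) through var_set_apparmor_mode; a mode-neutral id would avoid a rule whose name contradicts its level 2 behaviour.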
Mab879 (Member) commented:

I wanted to double-check that you wanted this rule to allow for both, even on level 2.

dodys (Contributor, Author) replied:

hmm good catch, for level 2 I want it to be in enforce and to fail if in complain mode.
is there a good way to do this without creating two different rules?

Mab879 (Member) replied:

You should be able to check if the state matches a variable like in selinux_state rule.

@@ -0,0 +1,32 @@
<def-group>
<definition class="compliance" id="ensure_apparmor_enforce_or_complain" version="1">
{{{ oval_metadata("Ensure all AppArmor Profiles are in var_set_apparmor_mode") }}}
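Review bot: the oval_metadata() call on the hunk's third line embeds the literal variable name var_set_apparmor_mode inside a static description string, so the built OVAL description will read "Ensure all AppArmor Profiles are in var_set_apparmor_mode" verbatim rather than naming a mode; reword the description to describe the check in plain words (for example, that all profiles must be in the mode selected by var_set_apparmor_mode) and leave the variable to drive the test itself.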
Mab879 (Member) commented:

I think there is something wrong here. The final built content looks like
<oval-def:description>Ensure all AppArmor Profiles are in var_set_apparmor_mode</oval-def:description>.

dodys (Contributor, Author) replied:

nice catch, I will fix it

@dodys dodys (Contributor, Author) commented Jan 17, 2023

I'm dropping this PR in favor of PRs #10064 and #10057 as the optimization I wanted to do with variables won't work and will require more work.

@dodys dodys closed this Jan 17, 2023
@dodys dodys deleted the apparmor_enforce branch April 17, 2023 09:56