Merge pull request #10064 from rumch-se/rule_all_apparmor_profiles_in…

…_enforce_complain_mode

New SLE 12/15 rule all_apparmor_profiles_in_enforce_complain_mode whi…

controls/cis_sle12.yml

@@ -427,7 +427,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: manual # rule is missing
+    status: automated
+    rules: 
+      - all_apparmor_profiles_in_enforce_complain_mode
+      - var_apparmor_mode=complain
 
   - id: 1.7.1.4
     title: Ensure all AppArmor Profiles are enforcing (Automated)

controls/cis_sle15.yml

@@ -426,7 +426,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: manual # rule is missing
+    status: automated
+    rules:
+      - all_apparmor_profiles_in_enforce_complain_mode
+      - var_apparmor_mode=complain
 
   - id: 1.7.1.4
     title: Ensure all AppArmor Profiles are enforcing (Automated)

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/ansible/shared.yml

@@ -0,0 +1,30 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_apparmor_mode") }}}
+
+- name: {{{ rule_title }}} - Ensure all AppArmor Profiles are reloaded
+  ansible.builtin.command: apparmor_parser -q -r /etc/apparmor.d/
+
+- name: {{{ rule_title }}} - Set all AppArmor profiles to enforce mode 
+  ansible.builtin.command: aa-enforce /etc/apparmor.d/*
+  when: var_apparmor_mode == 'enforce'
+
+- name: {{{ rule_title }}} - Set all AppArmor profiles to complain mode
+  ansible.builtin.command: aa-complain /etc/apparmor.d/*
+  when: var_apparmor_mode == 'complain'   
+
+- name: {{{ rule_title }}} - Collect unconfined processes 
+  ansible.builtin.command: aa-unconfined
+  register: unconfined_processes
+
+- name: {{{ rule_title }}} - Provide details about unconfined processes 
+  ansible.builtin.assert: 
+    that:
+       - unconfined_processes.stdout_lines | length > 0 
+    success_msg: "The process {{ item }} may need to have a profile created or activated for them and then be restarted."
+    fail_msg: ""
+  with_items: "{{ unconfined_processes.stdout_lines }}"

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/bash/shared.sh

@@ -0,0 +1,36 @@
+# platform = multi_platform_sle
+
+{{{ bash_instantiate_variables("var_apparmor_mode") }}}
+
+
+# Reload all AppArmor profiles 
+apparmor_parser -q -r /etc/apparmor.d/
+
+# Set the mode
+APPARMOR_MODE="$var_apparmor_mode"
+
+if [ "$APPARMOR_MODE" = "enforce" ]
+then
+  # Set all profiles to enforce mode
+  aa-enforce /etc/apparmor.d/*    
+fi
+
+if [ "$APPARMOR_MODE" = "complain" ]
+then
+  # Set all profiles to complain mode
+  aa-complain /etc/apparmor.d/*
+fi
+
+UNCONFINED=$(aa-unconfined)
+if [ ! -z "$UNCONFINED" ]
+then
+  echo -e "***WARNING***: There are some unconfined processes:"
+  echo -e "----------------------------" 
+  echo "The may need to have a profile created or activated for them and then be restarted."
+  for PROCESS in "${UNCONFINED[@]}"
+  do
+      echo "$PROCESS"  
+  done
+  echo -e "----------------------------"
+  echo "The may need to have a profile created or activated for them and then be restarted."
+fi

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/rule.yml

@@ -0,0 +1,33 @@
+documentation_complete: true
+
+prodtype: sle12,sle15
+
+title:  'All AppArmor Profiles are in enforce or complain mode'
+
+description: |-
+    AppArmor profiles define what resources applications are able to access.
+    To set all profiles to either <tt>enforce</tt> or <tt>complain</tt>  mode 
+    run the following command to set all profiles to <tt>enforce</tt> mode:
+    <pre>$ sudo aa-enforce /etc/apparmor.d/*</pre>
+    run the following command to set all profiles to <tt>complain</tt> mode:
+    <pre>$ sudo aa-complain /etc/apparmor.d/*</pre>
+    To list unconfined processes run the following command:
+    <pre>$ sudo aa-unconfined</pre>
+    Any unconfined processes may need to have a profile created or activated 
+    for them and then be restarted.
+
+rationale: |-
+    Security configuration requirements vary from site to site. Some sites may 
+    mandate a policy that is stricter than the default policy, which is perfectly 
+    acceptable. This recommendation is intended to ensure that any policies that 
+    exist on the system are activated. 
+
+severity: medium
+
+identifiers:
+    cce@sle12: CCE-92356-5
+    cce@sle15: CCE-92548-7
+
+references:
+    cis@sle12: 1.7.1.3
+    cis@sle15: 1.7.1.3

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/tests/correct_all_apparmor_profiles_in_complain.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+#Replace apparmor definitions
+apparmor_parser -q -r /etc/apparmor.d/
+#Set all profiles in complain mode
+aa-complain /etc/apparmor.d/*

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/tests/correct_all_apparmor_profiles_in_enforce.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+#Replace apparmor definitions
+apparmor_parser -q -r /etc/apparmor.d/
+#Set all profiles in enforce mode
+aa-enforce /etc/apparmor.d/*

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/tests/incorrect_all_apparmor_profiles.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+#Configure the OS to unload all AppArmor profiles
+aa-teardown

linux_os/guide/system/apparmor/var_apparmor_mode.var

@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'AppArmor profiles mode'
+
+description: |-
+    enforce - Set all AppArmor profiles to enforce mode<br />
+    complain - Set all AppArmor profiles to complain mode
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+    default: enforce
+    complain: complain
+    enforce: enforce

shared/references/cce-sle12-avail.txt

@@ -23,7 +23,6 @@ CCE-92351-6
 CCE-92353-2
 CCE-92354-0
 CCE-92355-7
-CCE-92356-5
 CCE-92357-3
 CCE-92358-1
 CCE-92359-9

shared/references/cce-sle15-avail.txt

@@ -53,7 +53,6 @@ CCE-92544-6
 CCE-92545-3
 CCE-92546-1
 CCE-92547-9
-CCE-92548-7
 CCE-92549-5
 CCE-92550-3
 CCE-92551-1