AppArmor profiles define what resources applications are able to access.
To set all profiles to either enforce or complain mode, run one of the following commands.
To set all profiles to enforce mode:
$ sudo aa-enforce /etc/apparmor.d/*
To set all profiles to complain mode:
$ sudo aa-complain /etc/apparmor.d/*
Note that aa-enforce and aa-complain also re-enable any profile that was previously disabled with aa-disable (the symlink in /etc/apparmor.d/disable is removed), so review that directory first if some profiles are disabled on purpose.
To list unconfined processes, run the following command:
$ sudo aa-unconfined
Any unconfined process may need to have a profile created or activated for it,
and then be restarted so that the profile applies to the running process.
Rationale
Security configuration requirements vary from site to site. Some sites may
mandate a policy that is stricter than the default policy, which is perfectly
acceptable. This recommendation is intended to ensure that any policies that
exist on the system are loaded and active, in either enforce or complain mode.
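# Collect installed-package facts; every later task is gated on the
# apparmor-profiles package being present in ansible_facts.packages.
# Uses the fully-qualified collection name, consistent with the
# ansible.builtin.command tasks below.
- name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto
  tags:
    - CCE-92356-5
    - all_apparmor_profiles_in_enforce_complain_mode
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy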
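# Promote the XCCDF value to a play variable. The <xccdf-1.2:sub/> element
# is a substitution placeholder that is presumably replaced with the chosen
# mode ('enforce' or 'complain', as tested by the tasks below) when the
# content is built; the !!str tag keeps the result a plain string.
- name: XCCDF Value var_apparmor_mode # promote to variable
  ansible.builtin.set_fact:
    var_apparmor_mode: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_apparmor_mode" use="legacy"/>
  tags:
    - always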
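# Re-parse every profile under /etc/apparmor.d so the kernel holds the
# on-disk policy before the mode is switched. Skipped inside container
# runtimes, matching the /.dockerenv check in the shell remediation.
# No glob is involved here (a directory is passed), so the command
# module is sufficient.
- name: All AppArmor Profiles are in enforce or complain mode - Ensure all AppArmor Profiles are reloaded
  ansible.builtin.command: apparmor_parser -q -r /etc/apparmor.d/
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"apparmor-profiles" in ansible_facts.packages'
  tags:
    - CCE-92356-5
    - all_apparmor_profiles_in_enforce_complain_mode
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy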
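# Switch every profile to enforce mode. ansible.builtin.shell is used on
# purpose: the command module does not expand shell globs, so with it
# aa-enforce would receive the literal string "/etc/apparmor.d/*" instead of
# the profile files. The argument is a fixed literal, so no untrusted input
# reaches the shell.
# NOTE(review): aa-enforce also re-enables profiles that were deliberately
# disabled via /etc/apparmor.d/disable - confirm that is acceptable for
# hosts that disable specific profiles on purpose.
- name: All AppArmor Profiles are in enforce or complain mode - Set all AppArmor profiles to enforce mode
  ansible.builtin.shell: aa-enforce /etc/apparmor.d/*
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"apparmor-profiles" in ansible_facts.packages'
    - var_apparmor_mode == 'enforce'
  tags:
    - CCE-92356-5
    - all_apparmor_profiles_in_enforce_complain_mode
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy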
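# Switch every profile to complain mode. ansible.builtin.shell is used on
# purpose: the command module does not expand shell globs, so with it
# aa-complain would receive the literal string "/etc/apparmor.d/*" instead
# of the profile files. The argument is a fixed literal, so no untrusted
# input reaches the shell.
# NOTE(review): aa-complain also re-enables profiles that were deliberately
# disabled via /etc/apparmor.d/disable - confirm that is acceptable for
# hosts that disable specific profiles on purpose.
- name: All AppArmor Profiles are in enforce or complain mode - Set all AppArmor profiles to complain mode
  ansible.builtin.shell: aa-complain /etc/apparmor.d/*
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"apparmor-profiles" in ansible_facts.packages'
    - var_apparmor_mode == 'complain'
  tags:
    - CCE-92356-5
    - all_apparmor_profiles_in_enforce_complain_mode
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy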
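# List processes that are running without an AppArmor profile. This is a
# read-only query, so changed_when: false stops it from reporting "changed"
# on every run; the output is consumed by the reporting task that follows.
- name: All AppArmor Profiles are in enforce or complain mode - Collect unconfined processes
  ansible.builtin.command: aa-unconfined
  register: unconfined_processes
  changed_when: false
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"apparmor-profiles" in ansible_facts.packages'
  tags:
    - CCE-92356-5
    - all_apparmor_profiles_in_enforce_complain_mode
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy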
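# Report each unconfined process found by the previous task, one message
# per line of aa-unconfined output. The original used an assert whose
# condition (stdout_lines | length > 0) is true for every iterated item and
# which is never reached when the list is empty, i.e. an assert that cannot
# fail; a debug loop states the intent directly. The default([]) keeps the
# loop expression defined when the collection task was skipped.
- name: All AppArmor Profiles are in enforce or complain mode - Provide details about unconfined processes
  ansible.builtin.debug:
    msg: "The process {{ item }} may need to have a profile created or activated for it and then be restarted."
  loop: "{{ unconfined_processes.stdout_lines | default([]) }}"
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - '"apparmor-profiles" in ansible_facts.packages'
    - unconfined_processes is not skipped
  tags:
    - CCE-92356-5
    - all_apparmor_profiles_in_enforce_complain_mode
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy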
Remediation - Shell Script
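# Remediation is applicable only in certain platforms: not inside a container
# (kernel policy is not managed from there) and only when the profile package
# is installed.
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q apparmor-profiles; }; then
    # Substitution placeholder, presumably replaced with 'enforce' or
    # 'complain' when the content is built.
    var_apparmor_mode='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_apparmor_mode" use="legacy"/>'
    # make sure apparmor-utils is installed for aa-complain and aa-enforce
    zypper install -y "apparmor-utils"
    # Reload all AppArmor profiles so the kernel holds the on-disk policy
    apparmor_parser -q -r /etc/apparmor.d/
    # Collect the profile files explicitly. A bare /etc/apparmor.d/* glob
    # also matches sub-directories (abstractions/, tunables/, local/, ...)
    # that are not profiles, so only regular files are handed to the tools.
    # Without nullglob an empty directory yields the literal pattern, which
    # the -f test rejects.
    PROFILES=()
    for PROFILE in /etc/apparmor.d/*; do
        [ -f "$PROFILE" ] && PROFILES+=("$PROFILE")
    done
    # Set the mode
    APPARMOR_MODE="$var_apparmor_mode"
    if [ "${#PROFILES[@]}" -eq 0 ]; then
        >&2 echo 'No AppArmor profile files found under /etc/apparmor.d/, nothing to set'
    else
        # NOTE(review): aa-enforce/aa-complain also re-enable profiles that
        # were deliberately disabled via /etc/apparmor.d/disable.
        case "$APPARMOR_MODE" in
            enforce)
                # Set all profiles to enforce mode
                aa-enforce "${PROFILES[@]}"
                ;;
            complain)
                # Set all profiles to complain mode
                aa-complain "${PROFILES[@]}"
                ;;
            *)
                # An unexpected value would otherwise be silently ignored.
                >&2 echo "Unknown AppArmor mode '$APPARMOR_MODE'; expected 'enforce' or 'complain'"
                ;;
        esac
    fi
    # aa-unconfined prints one line per unconfined process; read the lines
    # into a real array (the original assigned a scalar and then expanded it
    # as an array, which printed the whole output as a single element).
    mapfile -t UNCONFINED < <(aa-unconfined)
    if [ "${#UNCONFINED[@]}" -gt 0 ]; then
        echo "***WARNING***: There are some unconfined processes:"
        echo "----------------------------"
        echo "They may need to have a profile created or activated for them and then be restarted."
        for PROCESS in "${UNCONFINED[@]}"; do
            echo "$PROCESS"
        done
        echo "----------------------------"
    fi
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi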