Enforce all AppArmor Profiles

An XCCDF Rule

Description

AppArmor profiles define what resources applications are able to access. To set all profiles to enforce mode run the following command:

$ sudo aa-enforce /etc/apparmor.d/*

To list unconfined processes run the following command:

$ sudo aa-unconfined

Any unconfined processes may need to have a profile created or activated for them and then be restarted.

Rationale

Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This recommendation is intended to ensure that any policies that exist on the system are activated.

ID: xccdf_org.ssgproject.content_rule_all_apparmor_profiles_enforced
Severity: Medium
References: 1.7.1.4

CCE-92536-2
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# make sure apparmor-utils is installed for aa-complain and aa-enforce
zypper install -y "apparmor-utils"
# Ensure all AppArmor Profiles are enforcing
apparmor_parser -q -r /etc/apparmor.d/
aa-enforce /etc/apparmor.d/*


UNCONFINED=$(aa-unconfined)
if [ ! -z "$UNCONFINED" ]

then
  echo -e "***WARNING***: There are some unconfined processes:"
  echo -e "----------------------------"
  echo "The may need to have a profile created or activated for them and then be restarted."
  for PROCESS in "${UNCONFINED[@]}"
  do
      echo "$PROCESS"
  done
  echo -e "----------------------------"
  echo "The may need to have a profile created or activated for them and then be restarted."
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Enforce all AppArmor Profiles - Ensure all AppArmor Profiles are reloaded
  ansible.builtin.command: apparmor_parser -q -r /etc/apparmor.d/
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-92536-2
  - all_apparmor_profiles_enforced  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Enforce all AppArmor Profiles - Ensure all AppArmor Profiles are enforcing
  ansible.builtin.command: aa-enforce /etc/apparmor.d/*
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-92536-2
  - all_apparmor_profiles_enforced
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Enforce all AppArmor Profiles - Collect unconfined processes
  ansible.builtin.command: aa-unconfined
  register: unconfined_processes
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-92536-2
  - all_apparmor_profiles_enforced
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Enforce all AppArmor Profiles - Provide details about unconfined processes
  ansible.builtin.assert:
    that:
    - unconfined_processes.stdout_lines | length > 0
    success_msg: The process {{ item }} may need to have a profile created or activated
      for them and then be restarted.
    fail_msg: ''
  with_items: '{{ unconfined_processes.stdout_lines }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - unconfined_processes is not skipped
  tags:
  - CCE-92536-2
  - all_apparmor_profiles_enforced
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Enforce all AppArmor Profiles

Description

Rationale

Remediation - Shell Script

Remediation - Ansible