harbian-audit/bin/hardening/4.5_enable_apparmor.sh

#!/bin/bash

#
# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening
# Modify by: Samson-W (samson@hardenedlinux.org)

#
# 4.5 Activate AppArmor (Scored)
# Add by Author : Samson wen, Samson <sccxboy@gmail.com>
#

set -e # One error, it's over
set -u # One variable unset, it's over

HARDENING_LEVEL=3

PACKAGES='apparmor apparmor-profiles apparmor-utils'
KEYWORD="GRUB_CMDLINE_LINUX"
PATTERN="apparmor=1[[:space:]]*security=apparmor" 
SETSTRING="apparmor=1 security=apparmor" 
GRUBFILE='/etc/default/grub'
SERVICENAME='apparmor.service'
SELINUXSETSTRING="security=selinux" 

audit_debian () {
	if [ $(grep -c "${SELINUXSETSTRING}" /proc/cmdline) -eq 1 ]; then
		ok "SELinux was actived. So pass."
		return 0
	fi
    for PACKAGE in ${PACKAGES}
    do
        is_pkg_installed $PACKAGE
        if [ $FNRET != 0 ]; then
            crit "$PACKAGE is absent!"
            FNRET=1
        fi
    done
    if [ $FNRET = 0 ]; then
        ok "$PACKAGE is installed"
		# Since Debian 10 (Buster), AppArmor is enabled by default. It's a system service 
		is_debian_ge_10
		if [ $FNRET = 0 ]; then
			is_service_active $SERVICENAME
			if [ $FNRET -eq 0 ]; then
                ok "$SERVICENAME is active!"
                FNRET=0
			else
            	crit "$SERVICENAME is inactive!"
            	FNRET=2
			fi
		else
			if [ $(grep -c "${SETSTRING}" /proc/cmdline) -eq 1 ]; then
				ok "There are ${SETSTRING} to ${KEYWORD} in ${GRUBFILE}"
            	is_mounted  "/sys/kernel/security"
            	if [ ${FNRET} -eq 0 -a $(/usr/sbin/aa-status 2>&1 | grep -c "apparmor filesystem is not mounted.") -eq 1 ]; then
                	crit "AppArmor profiles not enable in the system "
                	FNRET=3
            	elif [ ${FNRET} -eq 0 -a $(/usr/sbin/aa-status | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then 
                	ok "AppArmor profiles is enable in the system "
                	FNRET=0
            	fi
        	else
				crit "There are ${SETSTRING} to ${KEYWORD} not in ${GRUBFILE}"
            	FNRET=2
        	fi
		fi
    fi
}

audit_centos () {
	ok "AppArmor is only support for Debian, So pass!"
}

# This function will be called if the script status is on enabled / audit mode
audit () {
	if [ $OS_RELEASE -eq 1 ]; then
        audit_debian
    elif [ $OS_RELEASE -eq 2 ]; then
        audit_centos
    else
        crit "Current OS is not support!"
        FNRET=44
    fi
}

apply_debian () {
	if [ $(grep -c "${SELINUXSETSTRING}" /proc/cmdline) -eq 1 ]; then
		ok "SELinux was actived. So pass."
		return 0
	fi
    if [ $FNRET = 0 ]; then
        ok "AppArmor profiles is enable in the system "
    elif [ $FNRET = 1 ]; then
        warn "$PACKAGE is not installed, install $PACKAGES"
        for PACKAGE in ${PACKAGES}
        do
            apt_install $PACKAGE
        done
    elif [ $FNRET = 2 ]; then
		# Since Debian 10 (Buster), AppArmor is enabled by default. It's a system service 
		is_debian_ge_10
		if [ $FNRET = 0 ]; then
			warn "Start $SERVICENAME"
			systemctl start $SERVICENAME
		else
        	warn "Set ${SETSTRING} to ${GRUBFILE} in ${GRUBFILE}, need to reboot the system and enable AppArmor profiles after setting it."
        	sed -i "s;\(${KEYWORD}=\)\(\".*\)\(\"\);\1\2 ${SETSTRING}\3;" ${GRUBFILE}
        	/usr/sbin/update-grub2
		fi
    elif [ $FNRET = 3 ]; then
        warn "Enable AppArmor profiles in the system "
        /usr/sbin/aa-enforce /etc/apparmor.d/*
    fi
}

apply_centos () {
	ok "AppArmor is only support for Debian, So pass!"
}

# This function will be called if the script status is on enabled mode
apply () {
	if [ $OS_RELEASE -eq 1 ]; then
        apply_debian
    elif [ $OS_RELEASE -eq 2 ]; then
        apply_centos
    else
        crit "Current OS is not support!"
    fi
}

# This function will check config parameters required
check_config() {
    :
}

# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`#!/bin/bash`

			`#`
Update comment for Description of which operating systems are implemented. 2020-02-27 17:56:28 +01:00			`# harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS Hardening`
Modified 4.5 to be compatible with CentOS. 2019-08-02 22:49:42 +02:00			`# Modify by: Samson-W (samson@hardenedlinux.org)`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00
			`#`
Rename 4.6_disable_usb_devices.sh to 4.7_disable_usb_devices.sh, and add audit and apply methods for 4.6 Enable selinux. 2020-06-01 22:05:48 +02:00			`# 4.5 Activate AppArmor (Scored)`
Implement audit and apply methods for 7.6 disable_wireless. 2019-04-12 10:07:44 +02:00			`# Add by Author : Samson wen, Samson <sccxboy@gmail.com>`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

			`HARDENING_LEVEL=3`

Fix activate AppArmor audit and apply methods 2018-11-13 21:48:39 +01:00			`PACKAGES='apparmor apparmor-profiles apparmor-utils'`
Fix bug for 4.5 2018-11-21 21:07:57 +01:00			`KEYWORD="GRUB_CMDLINE_LINUX"`
			`PATTERN="apparmor=1[[:space:]]*security=apparmor"`
			`SETSTRING="apparmor=1 security=apparmor"`
Fix activate AppArmor audit and apply methods 2018-11-13 21:48:39 +01:00			`GRUBFILE='/etc/default/grub'`
Fix issues #14 Check 4.5_enable_apparmor too narrow 2020-05-14 12:05:56 +02:00			`SERVICENAME='apparmor.service'`
Add a function to detect MAC that has been activated. 2020-06-03 20:52:06 +02:00			`SELINUXSETSTRING="security=selinux"`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00
Modified 4.5 to be compatible with CentOS. 2019-08-02 22:49:42 +02:00			`audit_debian () {`
Add a function to detect MAC that has been activated. 2020-06-03 20:52:06 +02:00			`if [ $(grep -c "${SELINUXSETSTRING}" /proc/cmdline) -eq 1 ]; then`
			`ok "SELinux was actived. So pass."`
			`return 0`
			`fi`
Fix activate AppArmor audit and apply methods 2018-11-13 21:48:39 +01:00			`for PACKAGE in ${PACKAGES}`
			`do`
			`is_pkg_installed $PACKAGE`
			`if [ $FNRET != 0 ]; then`
			`crit "$PACKAGE is absent!"`
			`FNRET=1`
			`fi`
			`done`
			`if [ $FNRET = 0 ]; then`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`ok "$PACKAGE is installed"`
Fix issues #14 Check 4.5_enable_apparmor too narrow 2020-05-14 12:05:56 +02:00			`# Since Debian 10 (Buster), AppArmor is enabled by default. It's a system service`
Add a method to determine the system version for compatibility. 2020-05-14 12:14:43 +02:00			`is_debian_ge_10`
Fix issues #14 Check 4.5_enable_apparmor too narrow 2020-05-14 12:05:56 +02:00			`if [ $FNRET = 0 ]; then`
			`is_service_active $SERVICENAME`
			`if [ $FNRET -eq 0 ]; then`
			`ok "$SERVICENAME is active!"`
Fix activate AppArmor audit and apply methods 2018-11-13 21:48:39 +01:00			`FNRET=0`
Fix issues #14 Check 4.5_enable_apparmor too narrow 2020-05-14 12:05:56 +02:00			`else`
			`crit "$SERVICENAME is inactive!"`
			`FNRET=2`
			`fi`
			`else`
			`if [ $(grep -c "${SETSTRING}" /proc/cmdline) -eq 1 ]; then`
			`ok "There are ${SETSTRING} to ${KEYWORD} in ${GRUBFILE}"`
			`is_mounted "/sys/kernel/security"`
			`if [ ${FNRET} -eq 0 -a $(/usr/sbin/aa-status 2>&1 \| grep -c "apparmor filesystem is not mounted.") -eq 1 ]; then`
			`crit "AppArmor profiles not enable in the system "`
			`FNRET=3`
			`elif [ ${FNRET} -eq 0 -a $(/usr/sbin/aa-status \| grep 'profiles are loaded' \| awk '{print $1}') -gt 0 ]; then`
			`ok "AppArmor profiles is enable in the system "`
			`FNRET=0`
			`fi`
			`else`
			`crit "There are ${SETSTRING} to ${KEYWORD} not in ${GRUBFILE}"`
			`FNRET=2`
			`fi`
			`fi`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`fi`
			`}`

Modify methods name: _redhat to _centos. 2020-03-05 20:57:46 +01:00			`audit_centos () {`
Fix spelling errors. 2020-06-02 10:17:39 +02:00			`ok "AppArmor is only support for Debian, So pass!"`
Modified 4.5 to be compatible with CentOS. 2019-08-02 22:49:42 +02:00			`}`

			`# This function will be called if the script status is on enabled / audit mode`
			`audit () {`
			`if [ $OS_RELEASE -eq 1 ]; then`
			`audit_debian`
			`elif [ $OS_RELEASE -eq 2 ]; then`
Modify methods name: _redhat to _centos. 2020-03-05 20:57:46 +01:00			`audit_centos`
Modified 4.5 to be compatible with CentOS. 2019-08-02 22:49:42 +02:00			`else`
			`crit "Current OS is not support!"`
			`FNRET=44`
			`fi`
			`}`

			`apply_debian () {`
Add a function to detect MAC that has been activated. 2020-06-03 20:52:06 +02:00			`if [ $(grep -c "${SELINUXSETSTRING}" /proc/cmdline) -eq 1 ]; then`
			`ok "SELinux was actived. So pass."`
			`return 0`
			`fi`
Fix activate AppArmor audit and apply methods 2018-11-13 21:48:39 +01:00			`if [ $FNRET = 0 ]; then`
			`ok "AppArmor profiles is enable in the system "`
			`elif [ $FNRET = 1 ]; then`
			`warn "$PACKAGE is not installed, install $PACKAGES"`
			`for PACKAGE in ${PACKAGES}`
			`do`
			`apt_install $PACKAGE`
			`done`
			`elif [ $FNRET = 2 ]; then`
Fix issues #14 Check 4.5_enable_apparmor too narrow 2020-05-14 12:05:56 +02:00			`# Since Debian 10 (Buster), AppArmor is enabled by default. It's a system service`
Add a method to determine the system version for compatibility. 2020-05-14 12:14:43 +02:00			`is_debian_ge_10`
Fix issues #14 Check 4.5_enable_apparmor too narrow 2020-05-14 12:05:56 +02:00			`if [ $FNRET = 0 ]; then`
			`warn "Start $SERVICENAME"`
			`systemctl start $SERVICENAME`
			`else`
			`warn "Set ${SETSTRING} to ${GRUBFILE} in ${GRUBFILE}, need to reboot the system and enable AppArmor profiles after setting it."`
			`sed -i "s;\(${KEYWORD}=\)\(\".*\)\(\"\);\1\2 ${SETSTRING}\3;" ${GRUBFILE}`
			`/usr/sbin/update-grub2`
			`fi`
Fix activate AppArmor audit and apply methods 2018-11-13 21:48:39 +01:00			`elif [ $FNRET = 3 ]; then`
			`warn "Enable AppArmor profiles in the system "`
Fix bug for 4.5 2018-11-21 21:07:57 +01:00			`/usr/sbin/aa-enforce /etc/apparmor.d/*`
Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`fi`
			`}`

Modify methods name: _redhat to _centos. 2020-03-05 20:57:46 +01:00			`apply_centos () {`
Fix spelling errors. 2020-06-02 10:17:39 +02:00			`ok "AppArmor is only support for Debian, So pass!"`
Modified 4.5 to be compatible with CentOS. 2019-08-02 22:49:42 +02:00			`}`

			`# This function will be called if the script status is on enabled mode`
			`apply () {`
			`if [ $OS_RELEASE -eq 1 ]; then`
			`apply_debian`
			`elif [ $OS_RELEASE -eq 2 ]; then`
Modify methods name: _redhat to _centos. 2020-03-05 20:57:46 +01:00			`apply_centos`
Modified 4.5 to be compatible with CentOS. 2019-08-02 22:49:42 +02:00			`else`
			`crit "Current OS is not support!"`
			`fi`
			`}`

Merge OVH/debian-cis projects into this Repository. 2018-08-21 22:01:50 +02:00			`# This function will check config parameters required`
			`check_config() {`
			`:`
			`}`

			`# Source Root Dir Parameter`
			`if [ -r /etc/default/cis-hardening ]; then`
			`. /etc/default/cis-hardening`
			`fi`
			`if [ -z "$CIS_ROOT_DIR" ]; then`
			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
			`echo "Cannot source CIS_ROOT_DIR variable, aborting."`
			`exit 128`
			`fi`

			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
			`if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then`
			`. $CIS_ROOT_DIR/lib/main.sh`
			`else`
			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"`
			`exit 128`
			`fi`