Add check AppArmor status method to utils, and modify 4.6 and 4.7

2020-06-29 17:51:19 +08:00 · 2020-06-29 17:51:19 +08:00 · bf73f53554
parent 9c29558fad
commit bf73f53554
3 changed files with 47 additions and 22 deletions
--- a/bin/hardening/4.6_enable_selinux.sh
+++ b/bin/hardening/4.6_enable_selinux.sh
@ -20,14 +20,12 @@ PROC_CMDLINE='/proc/cmdline'
 SELINUXCONF_FILE='/etc/selinux/config'
 SELINUXENFORCE_MODE='SELINUX=enforcing'
 LSM_RUN_STATUS_FILE='/sys/kernel/security/lsm'
-APPARMOR_STATUS='/usr/sbin/aa-status'

 audit_debian () {
-	if [ -f "$APPARMOR_STATUS" ]; then
-		if [ $($APPARMOR_STATUS | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
-			ok "AppArmor was actived. So pass."
-			return 0
-		fi
+	check_aa_status
+	if [ $FNRET = 0 ]; then
+		ok "AppArmor was actived. So pass."
+		return 0
 	fi
 	for PACKAGE in ${PACKAGES}
 	do
@ -104,11 +102,10 @@ audit () {
 }

 apply_debian () {
-	if [ -f "$APPARMOR_STATUS" ]; then
-		if [ $($APPARMOR_STATUS | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
-			ok "AppArmor was actived. So pass."
-			return 0
-		fi
+	check_aa_status
+	if [ $FNRET = 0 ]; then
+		ok "AppArmor was actived. So pass."
+		return 0
 	fi
 	case $FNRET in 
 		0)	ok "SELinux is active and in Enforcing mode."
--- a/bin/hardening/4.7_enable_selinux_policy.sh
+++ b/bin/hardening/4.7_enable_selinux_policy.sh
@ -16,14 +16,12 @@ HARDENING_LEVEL=3

 SELINUXCONF_FILE='/etc/selinux/config'
 SELINUXTYPE_VALUE='SELINUXTYPE=default'
-APPARMOR_STATUS='/usr/sbin/aa-status'

 audit_debian () {
-	if [ -f "$APPARMOR_STATUS" ]; then
-		if [ $($APPARMOR_STATUS | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
-			ok "AppArmor was actived. So pass."
-			return 0
-		fi
+	check_aa_status
+	if [ $FNRET = 0 ]; then
+		ok "AppArmor was actived. So pass."
+		return 0
 	fi
 	does_valid_pattern_exist_in_file $SELINUXCONF_FILE $SELINUXTYPE_VALUE
 	if [ ${FNRET} -eq 0 ]; then
@ -59,11 +57,10 @@ audit () {
 }

 apply_debian () {
-	if [ -f "$APPARMOR_STATUS" ]; then
-		if [ $($APPARMOR_STATUS | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
-			ok "AppArmor was actived. So pass."
-			return 0
-		fi
+	check_aa_status
+	if [ $FNRET = 0 ]; then
+		ok "AppArmor was actived. So pass."
+		return 0
 	fi
    if [ $FNRET = 0 ]; then
 		ok "SELinux targeted policy was enabled."			
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -1163,3 +1163,34 @@ uninstall_pkg ()
 	fi
 }

+# Check apparmor is active by aa-status
+# Only support Debian
+check_aa_status ()
+{
+	APPARMOR_STATUS='/usr/sbin/aa-status'
+	if [ -f "$APPARMOR_STATUS" ]; then
+		$APPARMOR_STATUS  > /dev/null 2>&1 
+		case $? in
+			0)	info "AppArmor is enabled and policy is loaded."
+				FNRET=0
+				;;
+			1)	info "AppArmor is not enabled/loaded."
+				FNRET=1
+				;;
+			2)	info "AppArmor enabled but no policy is loaded."
+				FNRET=2
+				;;
+			3)	info "AppArmor control files aren't available under /sys/kernel/security/."
+				FNRET=3
+				;;
+			4)	info "The user running the script doesn't have enough privileges to read the AppArmor control files."
+				FNRET=4
+				;;
+
+		esac
+	else
+		info "$APPARMOR_STATUS is not exist!"
+		FNRET=5
+	fi
+}
+