Add check AppArmor status method to utils, and modify 4.6 and 4.7

bin/hardening/4.6_enable_selinux.sh

@@ -20,14 +20,12 @@ PROC_CMDLINE='/proc/cmdline'
 SELINUXCONF_FILE='/etc/selinux/config'
 SELINUXENFORCE_MODE='SELINUX=enforcing'
 LSM_RUN_STATUS_FILE='/sys/kernel/security/lsm'
-APPARMOR_STATUS='/usr/sbin/aa-status'
 
 audit_debian () {
-	if [ -f "$APPARMOR_STATUS" ]; then
+	check_aa_status
-		if [ $($APPARMOR_STATUS | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
+	if [ $FNRET = 0 ]; then
-			ok "AppArmor was actived. So pass."
+		ok "AppArmor was actived. So pass."
-			return 0
+		return 0
-		fi
 	fi
 	for PACKAGE in ${PACKAGES}
 	do
@@ -104,11 +102,10 @@ audit () {
 }
 
 apply_debian () {
-	if [ -f "$APPARMOR_STATUS" ]; then
+	check_aa_status
-		if [ $($APPARMOR_STATUS | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
+	if [ $FNRET = 0 ]; then
-			ok "AppArmor was actived. So pass."
+		ok "AppArmor was actived. So pass."
-			return 0
+		return 0
-		fi
 	fi
 	case $FNRET in 
 		0)	ok "SELinux is active and in Enforcing mode."

bin/hardening/4.7_enable_selinux_policy.sh

@@ -16,14 +16,12 @@ HARDENING_LEVEL=3
 
 SELINUXCONF_FILE='/etc/selinux/config'
 SELINUXTYPE_VALUE='SELINUXTYPE=default'
-APPARMOR_STATUS='/usr/sbin/aa-status'
 
 audit_debian () {
-	if [ -f "$APPARMOR_STATUS" ]; then
+	check_aa_status
-		if [ $($APPARMOR_STATUS | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
+	if [ $FNRET = 0 ]; then
-			ok "AppArmor was actived. So pass."
+		ok "AppArmor was actived. So pass."
-			return 0
+		return 0
-		fi
 	fi
 	does_valid_pattern_exist_in_file $SELINUXCONF_FILE $SELINUXTYPE_VALUE
 	if [ ${FNRET} -eq 0 ]; then
@@ -59,11 +57,10 @@ audit () {
 }
 
 apply_debian () {
-	if [ -f "$APPARMOR_STATUS" ]; then
+	check_aa_status
-		if [ $($APPARMOR_STATUS | grep 'profiles are loaded' | awk '{print $1}') -gt 0 ]; then
+	if [ $FNRET = 0 ]; then
-			ok "AppArmor was actived. So pass."
+		ok "AppArmor was actived. So pass."
-			return 0
+		return 0
-		fi
 	fi
     if [ $FNRET = 0 ]; then
 		ok "SELinux targeted policy was enabled."			

lib/utils.sh

@@ -1163,3 +1163,34 @@ uninstall_pkg ()
 	fi
 }
 
+# Check apparmor is active by aa-status
+# Only support Debian
+check_aa_status ()
+{
+	APPARMOR_STATUS='/usr/sbin/aa-status'
+	if [ -f "$APPARMOR_STATUS" ]; then
+		$APPARMOR_STATUS  > /dev/null 2>&1 
+		case $? in
+			0)	info "AppArmor is enabled and policy is loaded."
+				FNRET=0
+				;;
+			1)	info "AppArmor is not enabled/loaded."
+				FNRET=1
+				;;
+			2)	info "AppArmor enabled but no policy is loaded."
+				FNRET=2
+				;;
+			3)	info "AppArmor control files aren't available under /sys/kernel/security/."
+				FNRET=3
+				;;
+			4)	info "The user running the script doesn't have enough privileges to read the AppArmor control files."
+				FNRET=4
+				;;
+
+		esac
+	else
+		info "$APPARMOR_STATUS is not exist!"
+		FNRET=5
+	fi
+}
+