Add new rule grub2_enable_apparmor #9978

Merged
merged 5 commits into from
Jan 10, 2023

Conversation

dodys
Contributor

@dodys dodys commented Dec 15, 2022

Description:

  • In Ubuntu 22.02 CIS we have: 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
  • This rule was also missing for Ubuntu 20.04 and apparently it is also missing for SLE15 (1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration). @teacup-on-rockingchair I am tagging you here as I imagine this is also needed for SUSE.

Rationale:

  • AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden.

Review Hints:

  • Audit
        # grep "^\s*linux" /boot/grub/grub.cfg | grep -v "apparmor=1"
    Nothing should be returned
        # grep "^\s*linux" /boot/grub/grub.cfg | grep -v "security=apparmor"
    Nothing should be returned
  • Remediation
    Edit /etc/default/grub and add the apparmor=1 and security=apparmor parameters to the GRUB_CMDLINE_LINUX= line:
        GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"
    Run the following command to update the grub2 configuration (Ubuntu specific here):
        # update-grub
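The audit and remediation described in the review hints, as an added shell example that is not part of this PR or of ComplianceAsCode's own content. The sample grub.cfg and /etc/default/grub contents under SAMPLE_DIR are constructed, the check matches parameters as whole words, and the remediation merges the two parameters into an existing GRUB_CMDLINE_LINUX value instead of replacing it as the benchmark text does.

```shell
# Print every kernel ("linux ...") line of a grub.cfg that lacks apparmor=1
# or security=apparmor; parameters are matched as whole words, so a value
# such as security=apparmor2 does not pass.
noncompliant_kernel_lines() {
    awk '/^[[:space:]]*linux/ {
        enabled = 0; lsm = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "apparmor=1")        enabled = 1
            if ($i == "security=apparmor") lsm = 1
        }
        if (!enabled || !lsm) print
    }' "$1"
}

# Exit status 0 when every kernel line passes, 1 otherwise.
audit_grub_apparmor() {
    if [ -n "$(noncompliant_kernel_lines "$1")" ]; then
        printf 'FAIL: kernel lines without AppArmor parameters:\n' >&2
        noncompliant_kernel_lines "$1" >&2
        return 1
    fi
    printf 'PASS: all kernel lines enable AppArmor\n'
}

# Rewrite /etc/default/grub content (stdin) so GRUB_CMDLINE_LINUX carries both
# parameters, keeping any already set; the benchmark text replaces the value.
ensure_default_grub_params() {
    awk 'BEGIN { n = split("apparmor=1 security=apparmor", want, " ") }
    /^GRUB_CMDLINE_LINUX=/ {
        val = $0; sub(/^GRUB_CMDLINE_LINUX=/, "", val)
        sub(/^"/, "", val); sub(/"$/, "", val)
        for (i = 1; i <= n; i++)
            if (index(" " val " ", " " want[i] " ") == 0)
                val = (val == "") ? want[i] : val " " want[i]
        print "GRUB_CMDLINE_LINUX=\"" val "\""
        seen = 1; next
    }
    { print }
    END { if (!seen) print "GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\"" }'
}

# Constructed sample inputs (not from a real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/grub.cfg" <<'EOF'
menuentry 'Ubuntu' {
    linux /boot/vmlinuz-5.15.0-56-generic root=UUID=constructed ro quiet apparmor=1 security=apparmor
    linux /boot/vmlinuz-5.15.0-53-generic root=UUID=constructed ro recovery nomodeset
}
EOF
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX="audit=1"\n' > "$SAMPLE_DIR/default-grub"
```

Run `audit_grub_apparmor "$SAMPLE_DIR/grub.cfg"` to see the recovery entry reported, and pipe the default-grub sample through `ensure_default_grub_params` to see audit=1 preserved alongside the two new parameters.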

@dodys dodys requested a review from a team as a code owner December 15, 2022 19:38
@dodys dodys removed the request for review from anivan-suse January 3, 2023 14:51
@codeclimate

codeclimate bot commented Jan 3, 2023

Code Climate has analyzed commit efca9d2 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 49.8% (0.0% change).


@Mab879 Mab879 added this to the 0.1.66 milestone Jan 4, 2023
@Mab879 Mab879 added Ubuntu Ubuntu product related. New Rule Issues or pull requests related to new Rules. Update Profile Issues or pull requests related to Profiles updates. CIS CIS Benchmark related. labels Jan 4, 2023
@Mab879
Member

Mab879 commented Jan 4, 2023

/retest

@Mab879 Mab879 self-assigned this Jan 5, 2023
Member

@Mab879 Mab879 left a comment


LGTM. Overriding the CODEOWNERS restriction since the user who opens a PR can't approve it.

@Mab879 Mab879 merged commit c0f11a7 into ComplianceAsCode:master Jan 10, 2023
@dodys dodys deleted the grub2_enable_appamor branch April 17, 2023 09:56