Merge pull request ComplianceAsCode#11273 from teacup-on-rockingchair…

…/app_armor_oval_check

App armor oval check

linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/rule.yml

@@ -33,3 +33,5 @@ references:
     cis@sle15: 1.7.1.4
     cis@ubuntu2004: 1.7.1.4
     cis@ubuntu2204: 1.6.1.4
+
+platform: package[apparmor]

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/oval/shared.xml

@@ -0,0 +1,68 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Ensure AppArmor profiles are in enforce complain mode") }}}
+    <criteria operator="AND">
+      <criterion comment="Check sum of complaining and enforced profiles equals all profiles"
+        test_ref="{{{ rule_id }}}_test_sum_complain_n_enforced_equal_all" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_apparmor_profiles" version="1">
+    <ind:filepath datatype="string">/sys/kernel/security/apparmor/profiles</ind:filepath>
+    <ind:pattern operation="pattern match">^.*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_apparmor_enforced_profiles" version="1">
+    <ind:filepath datatype="string">/sys/kernel/security/apparmor/profiles</ind:filepath>
+    <ind:pattern operation="pattern match" datatype="string">^.*\(enforce\)$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_apparmor_complaining_profiles" version="1">
+    <ind:filepath datatype="string">/sys/kernel/security/apparmor/profiles</ind:filepath>
+    <ind:pattern operation="pattern match" datatype="string">^.*\(complain\)$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_apparmor_unconfined_profiles" version="1">
+    <ind:filepath datatype="string">/sys/kernel/security/apparmor/profiles</ind:filepath>
+    <ind:pattern operation="pattern match"
+      datatype="string">^\.*processes are unconfined.*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <local_variable datatype="int" id="{{{ rule_id }}}_var_num_apparmor_profiles" version="1"
+    comment="apparmor profiles">
+    <count>
+      <object_component item_field="subexpression"
+                        object_ref="{{{ rule_id }}}_obj_apparmor_profiles" />
+    </count>
+  </local_variable>
+  <local_variable datatype="int" comment="enforced apparmor profiles"
+    id="{{{ rule_id }}}_var_num_apparmor_enforced_complaining_profiles" version="1" >
+    <arithmetic arithmetic_operation="add">
+      <count>
+      <object_component item_field="subexpression"
+        object_ref="{{{ rule_id }}}_obj_apparmor_enforced_profiles" />
+      </count>
+      <count>
+      <object_component item_field="subexpression"
+        object_ref="{{{ rule_id }}}_obj_apparmor_complaining_profiles" />
+      </count>
+    </arithmetic>
+  </local_variable>
+  <local_variable datatype="int" id="{{{ rule_id }}}_var_num_apparmor_unconfined_profiles"
+    version="1" comment="apparmor profiles with unconfined processes">
+    <object_component item_field="subexpression"
+     object_ref="{{{ rule_id }}}_obj_apparmor_unconfined_profiles" />
+  </local_variable>
+
+  <ind:variable_object id="{{{ rule_id }}}_obj_all_apparmor_profiles" version="1">
+    <ind:var_ref>{{{ rule_id }}}_var_num_apparmor_profiles</ind:var_ref>
+  </ind:variable_object>
+  <ind:variable_state id="{{{ rule_id }}}_state_sum_complain_n_enforced" version="1">
+    <ind:value datatype="int" operation="equals" var_check="all"
+      var_ref="{{{ rule_id }}}_var_num_apparmor_enforced_complaining_profiles"/>
+  </ind:variable_state>
+  <ind:variable_test id="{{{ rule_id }}}_test_sum_complain_n_enforced_equal_all" check="all"
+    version="1" comment="Compare number of profiles with sum of complain and enforced">
+    <ind:object object_ref="{{{ rule_id }}}_obj_all_apparmor_profiles"/>
+    <ind:state state_ref="{{{ rule_id }}}_state_sum_complain_n_enforced"/>
+  </ind:variable_test>
+</def-group>

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/rule.yml

@@ -36,3 +36,5 @@ references:
     cis@sle15: 1.7.1.3
     cis@ubuntu2004: 1.7.1.3
     cis@ubuntu2204: 1.6.1.3
+
+platform: package[apparmor]

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/tests/correct_all_apparmor_profiles_in_complain.pass.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# packages = apparmor
 
 #Replace apparmor definitions
 apparmor_parser -q -r /etc/apparmor.d/

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/tests/correct_all_apparmor_profiles_in_enforce.pass.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# packages = apparmor
 
 #Replace apparmor definitions
 apparmor_parser -q -r /etc/apparmor.d/

linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/tests/incorrect_all_apparmor_profiles.fail.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# packages = apparmor
 
 #Configure the OS to unload all AppArmor profiles
 aa-teardown

linux_os/guide/system/apparmor/package_apparmor_installed/rule.yml

@@ -1,6 +1,5 @@
 documentation_complete: true
 
-
 title: 'Ensure AppArmor is installed'
 
 description: |-
@@ -23,3 +22,4 @@ template:
     name: package_installed
     vars:
         pkgname: apparmor
+        pkgname@sle15: apparmor-profiles

shared/applicability/package.yml

@@ -6,6 +6,12 @@ template:
 args:
   aide:
     pkgname: aide
+  apparmor:
+    {{% if product in ["sle12", "sle15"] %}}
+      pkgname: apparmor-profiles
+    {{% else %}}
+      pkgname: apparmor
+    {{% endif %}}
   apport:
     pkgname: apport
   audit: