diff options
author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-21 18:14:55 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2020-03-21 18:14:55 +0300 |
commit | e0e2096a25a45a3ea03133cb2247a638f564ec49 (patch) | |
tree | d4540a0c5ff06ec5a9bc9eb9f3ff97c20bbccbd0 /include/tests_mac_frameworks | |
parent | 695eef64ade2ce3413c16ce91105787460d0708b (diff) |
Enhance AppArmor check
Count and log unconfined processes which have no AppArmor profile
applied.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'include/tests_mac_frameworks')
-rw-r--r-- | include/tests_mac_frameworks | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index d6d40a6b..94f2065d 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -75,6 +75,12 @@ Report "apparmor_enabled=1" Report "apparmor_policy_loaded=1" AddHP 3 3 + # ignore kernel threads (Parent PID = 2 [kthreadd]) + NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} --lines) + Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes" + for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do + LogText "Result: Unconfined process: ${PROCESS}" + done elif [ $? -eq 4 ]; then LogText "Result: Can not determine status, most likely due to lacking permissions" Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED |