From 7e3e7421be8d4beea5be8941dc7b52ef8a02d3e0 Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Wed, 8 Jan 2025 13:48:47 +0100 Subject: [PATCH] Fix auditd rule to watch apparmor instead of selinux on Ubuntu --- .../bash/shared.sh | 7 +++ .../oval/shared.xml | 59 +++++++++++++++---- .../audit_rules_mac_modification/rule.yml | 12 +++- .../tests/auditctl_correct.pass.sh | 5 ++ .../auditctl_correct_without_key.pass.sh | 5 ++ .../tests/augen_correct.pass.sh | 6 ++ .../tests/augen_correct_without_key.pass.sh | 5 ++ 7 files changed, 87 insertions(+), 12 deletions(-) diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh index 67a97f3b3cc..90d4d210171 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/bash/shared.sh @@ -1,5 +1,12 @@ # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' +{{% if 'ubuntu' not in product %}} {{{ bash_fix_audit_watch_rule("auditctl", "/etc/selinux/", "wa", "MAC-policy") }}} {{{ bash_fix_audit_watch_rule("augenrules", "/etc/selinux/", "wa", "MAC-policy") }}} +{{% else %}} +{{{ bash_fix_audit_watch_rule("auditctl", "/etc/apparmor/", "wa", "MAC-policy") }}} +{{{ bash_fix_audit_watch_rule("augenrules", "/etc/apparmor/", "wa", "MAC-policy") }}} +{{{ bash_fix_audit_watch_rule("auditctl", "/etc/apparmor.d/", "wa", "MAC-policy") }}} +{{{ bash_fix_audit_watch_rule("augenrules", "/etc/apparmor.d/", "wa", "MAC-policy") }}} +{{% endif %}} 
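Review bot: The AppArmor branch is keyed on `{{% if 'ubuntu' not in product %}}`, yet the platform line in this same hunk also lists multi_platform_sle and multi_platform_slmicro, which to my knowledge ship AppArmor rather than SELinux by default, so those products keep installing a `/etc/selinux/` watch that will never fire on them. If that is the case, the gate should express the MAC family rather than one product name, e.g. `{{% if 'ubuntu' in product or 'sle' in product or 'slmicro' in product %}}` (or better, a single shared variable also used by the OVAL and the tests, which each repeat this product test and the paths and can drift apart). The two remediated paths are also worth a one-line why-comment since the SELinux side needs only one, e.g. `# AppArmor splits its config (/etc/apparmor/) from the profiles (/etc/apparmor.d/); both must be watched`.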
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml index 55158b3a2e5..87f8179ebe6 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml @@ -1,40 +1,77 @@ +{{% set mac_name="SELinux" %}} +{{% set mac_used="selinux"%}} +{{% set mac_path="/etc/selinux" %}} +{{% if 'ubuntu' in product %}} + {{% set mac_name="AppArmor" %}} + {{% set mac_used="apparmor"%}} + {{% set mac_path="/etc/apparmor" %}} +{{% endif %}} + - {{{ oval_metadata("Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.") }}} + {{{ oval_metadata("Audit rules that detect changes to the system's mandatory access controls (" + mac_name + ") are enabled.") }}} - + + {{% if 'ubuntu' in product %}} + + {{% endif %}} - + + {{% if 'ubuntu' in product %}} + + {{% endif %}} - - + + - + ^/etc/audit/rules\.d/.*\.rules$ - ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + ^\-w[\s]+{{{ mac_path }}}/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 - - + + - + + /etc/audit/audit.rules + ^\-w[\s]+{{{ mac_path }}}/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + 1 + + + {{% if 'ubuntu' in product %}} + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+{{{ mac_path }}}\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + 1 + + + + + + + /etc/audit/audit.rules - ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ + ^\-w[\s]+{{{ mac_path }}}\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 + {{% endif %}} 
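Review bot: `mac_used` is set in the new variable block at the top of this hunk, but none of the visible lines reference it; the XML tags were stripped in this rendering, so if it feeds a test or criterion id that is fine, otherwise it should be dropped. The two Ubuntu checks (`{{{ mac_path }}}/` and `{{{ mac_path }}}\.d/`) must be combined with `operator="AND"` while the auditctl-versus-augenrules alternatives stay OR — the criteria elements are not readable here, so please confirm that a rules.d file watching only /etc/apparmor/ does not pass. Note too that `{{{ mac_path }}}` is interpolated into the regex unescaped; both current values are free of metacharacters, but a comment such as `{{# mac_path is spliced into a regex unescaped; keep it free of regex metacharacters #}}` next to the variable block would save a future editor a surprise.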
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml index 0fd1441c3cb..263fef8a8ac 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml @@ -7,14 +7,24 @@ description: |- augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: + {{% if 'ubuntu' in product %}} +
-w /etc/apparmor/ -p wa -k MAC-policy
+
-w /etc/apparmor.d/ -p wa -k MAC-policy
+ {{% else %}}
-w /etc/selinux/ -p wa -k MAC-policy
+ {{% endif %}} If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file: + {{% if 'ubuntu' in product %}} +
-w /etc/apparmor/ -p wa -k MAC-policy
+
-w /etc/apparmor.d/ -p wa -k MAC-policy
+ {{% else %}}
-w /etc/selinux/ -p wa -k MAC-policy
+ {{% endif %}} rationale: |- - The system's mandatory access policy (SELinux) should not be + The system's mandatory access policy (SELinux or Apparmor) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh index 16f737f85d1..ce766d772b0 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh @@ -4,4 +4,9 @@ # use auditctl {{{ setup_auditctl_environment() }}} +{{% if 'ubuntu' in product %}} +echo "-w /etc/apparmor/ -p wa -k MAC-policy" > /etc/audit/audit.rules +echo "-w /etc/apparmor.d/ -p wa -k MAC-policy" >> /etc/audit/audit.rules +{{% else %}} echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/audit.rules +{{% endif %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct_without_key.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct_without_key.pass.sh index 8de58fdcf6f..836df3c1a1d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct_without_key.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct_without_key.pass.sh @@ -4,4 +4,9 @@ # use auditctl {{{ setup_auditctl_environment() }}} +{{% if 'ubuntu' in product %}} +echo "-w /etc/apparmor/ -p wa" > /etc/audit/audit.rules +echo "-w /etc/apparmor.d/ -p wa" >> /etc/audit/audit.rules +{{% else %}} echo "-w /etc/selinux/ -p wa" > /etc/audit/audit.rules +{{% endif %}} 
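Review bot: The rationale now says `Apparmor` while the OVAL metadata in this same commit spells it `AppArmor`; the line should read `The system's mandatory access policy (SELinux or AppArmor) should not be`. The description still says "add the following line" in both places although the Ubuntu branch lists two lines, so "line(s)" or a per-branch sentence is needed. A one-sentence caveat would also help readers: these are file watches on the on-disk policy only, and on AppArmor a profile can be loaded from any path with apparmor_parser, so sites that want to catch that should pair this rule with an execute watch on the parser binary (something like `-w /sbin/apparmor_parser -p x -k MAC-policy`, path per distribution) — this is beyond what the check verifies, so it belongs in the description as a note rather than as a requirement.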
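Review bot: Only pass tests are touched in this commit (the diffstat lists no `*.fail.sh`), so nothing verifies that the Ubuntu check rejects a partial configuration or the rule it replaces. Two fail tests would pin that down: one writing just `echo "-w /etc/apparmor/ -p wa -k MAC-policy" > /etc/audit/audit.rules` (no apparmor.d watch, must fail if the two checks are ANDed), and one writing the old `-w /etc/selinux/` line on Ubuntu, which is exactly the regression this commit fixes. The `{{% if 'ubuntu' in product %}}` gate is now repeated in four test files plus the remediation and check; a shared variable would keep them from drifting.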
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh index 85df1015da1..70d8e4e5ffe 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh @@ -1,4 +1,10 @@ #!/bin/bash # packages = audit +{{% if 'ubuntu' in product %}} +echo "-w /etc/apparmor/ -p wa -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules +echo "-w /etc/apparmor.d/ -p wa -k MAC-policy" >> /etc/audit/rules.d/MAC-policy.rules +{{% else %}} echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules +{{% endif %}} + diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct_without_key.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct_without_key.pass.sh index 7fac367869e..b0f4a7a2b36 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct_without_key.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct_without_key.pass.sh @@ -1,4 +1,9 @@ #!/bin/bash # packages = audit +{{% if 'ubuntu' in product %}} +echo "-w /etc/apparmor/ -p wa" > /etc/audit/rules.d/MAC-policy.rules +echo "-w /etc/apparmor.d/ -p wa" >> /etc/audit/rules.d/MAC-policy.rules +{{% else %}} echo "-w /etc/selinux/ -p wa" > /etc/audit/rules.d/MAC-policy.rules +{{% endif %}}