Merge "V-51337: Use an LSM at boot"

2015-10-29 23:15:56 +00:00 · 2015-10-29 23:15:56 +00:00 · 318efb2243
commit 318efb2243
parent 000e56ffe9 ec27cefbef
2 changed files with 26 additions and 0 deletions
--- a/doc/source/developer-notes/V-51337.rst
+++ b/doc/source/developer-notes/V-51337.rst
@ -0,0 +1,10 @@
+Ubuntu loads the AppArmor module by default starting with version 8.04. For
+more information, review the `AppArmor documentation`_ on Ubuntu's site.
+In addition, the openstack-ansible project configures AppArmor policies
+for the LXC containers which run the OpenStack infrastructure.
+
+The tasks for this STIG will verify that AppArmor is enabled via the
+``apparmor_status``. The playbook will fail if AppArmor is found to be
+disabled on the host.
+
+.. _AppArmor documentation: https://help.ubuntu.com/community/AppArmor
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@ -275,3 +275,19 @@
  tags:
    - cat2
    - V-38674
+
+- name: Check if AppArmor is running (for V-51337)
+  shell: "apparmor_status 2>&1 | head -n 1"
+  register: v51337_result
+  changed_when: False
+  tags:
+    - cat2
+    - V-51337
+
+- name: V-51337 - The system must use a Linux Security Module at boot time
+  fail:
+    msg: "FAILED: AppArmor isn't enabled"
+  when: "'apparmor module is loaded' not in v51337_result.stdout"
+  tags:
+    - cat2
+    - V-51337