Disable Apport Service

Description

Apport, Ubuntu's crash reporting service, modifies certain kernel configuration values at runtime (fs.suid_dumpable and kernel.core_pattern), which may decrease the overall security of the system and expose sensitive data through the crash dumps it collects.

The apport service can be disabled with the following command:

$ sudo systemctl mask --now apport.service

Rationale

When it starts, the Apport service sets the kernel fs.suid_dumpable parameter at runtime (to 2, so that setuid programs can be dumped) and points kernel.core_pattern at its own handler, overriding whatever value the sysctl configuration files set and so undoing that hardening on every boot. Disabling the service prevents this behavior. Note that masking the unit only stops future modifications: on a running system the values Apport has already written stay in effect until they are reapplied (for example with sysctl --system) or the host reboots.
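The following audit script is an added example, not part of the ComplianceAsCode rule or of apport itself. It checks both halves of the rationale: that apport.service is no longer active or enabled, and that the runtime settings apport rewrites (fs.suid_dumpable, kernel.core_pattern) are back at their hardened values. It assumes the hardened baseline wants fs.suid_dumpable=0 and a core_pattern that does not pipe crashes into apport; the decision logic is separated from fact collection so it can be exercised with constructed inputs on a host without systemd.

```shell
#!/bin/sh
# Added audit script (not part of the ComplianceAsCode rule or of apport):
# verifies that the remediation took effect and that the runtime kernel
# settings apport changes are back at their hardened values.
# Assumptions: the hardened baseline wants fs.suid_dumpable=0, and a
# kernel.core_pattern that does not pipe core dumps into apport.

# Decide compliance from already-collected facts, so the logic can be
# exercised without systemd. Prints one FAIL line per finding.
# Returns 0 when compliant, 1 otherwise.
apport_audit_evaluate() {
    active_state="$1"      # output of: systemctl is-active apport.service
    unit_state="$2"        # output of: systemctl is-enabled apport.service
    suid_dumpable="$3"     # value of fs.suid_dumpable
    core_pattern="$4"      # value of kernel.core_pattern
    rc=0

    case "$active_state" in
        active|activating|reloading)
            echo "FAIL: apport.service is $active_state"
            rc=1 ;;
    esac

    # 'masked' is what the remediation produces; 'disabled' still passes,
    # and an empty string means systemctl found no unit file at all.
    case "$unit_state" in
        enabled|enabled-runtime|static|indirect|alias|generated|linked)
            echo "FAIL: apport.service unit is $unit_state (expected masked)"
            rc=1 ;;
    esac

    if [ "$suid_dumpable" != "0" ]; then
        echo "FAIL: fs.suid_dumpable=$suid_dumpable (expected 0; apport sets 2)"
        rc=1
    fi

    # apport registers itself as the core dump handler with a pattern such as
    # "|/usr/share/apport/apport -p%p -s%s ..." (constructed example value).
    case "$core_pattern" in
        "|"*apport*)
            echo "FAIL: kernel.core_pattern pipes core dumps to apport: $core_pattern"
            rc=1 ;;
    esac

    return "$rc"
}

# Collect the live facts from the running host and evaluate them.
# systemctl exits non-zero for inactive/masked units but still prints the
# state, so the exit status is ignored and only the output is kept.
apport_audit_live() {
    active_state=$(systemctl is-active apport.service 2>/dev/null || true)
    unit_state=$(systemctl is-enabled apport.service 2>/dev/null || true)
    suid_dumpable=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)
    core_pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unknown)
    apport_audit_evaluate "$active_state" "$unit_state" "$suid_dumpable" "$core_pattern"
}

# Run the live audit only when asked, e.g.: sudo sh audit_apport.sh --live
case "${1:-}" in
    --live) apport_audit_live ;;
esac
```

Run it with --live immediately after the remediation and again after a reboot: the first run typically still reports fs.suid_dumpable=2 and the apport core_pattern, because masking the unit does not revert what it already wrote, while the post-reboot run should be clean.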

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'apport' 2>/dev/null | grep -q installed; then

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" stop 'apport.service'
    "$SYSTEMCTL_EXEC" disable 'apport.service'
    "$SYSTEMCTL_EXEC" mask 'apport.service'

    # Disable socket activation if we have a unit file for it
    if "$SYSTEMCTL_EXEC" -q list-unit-files apport.socket; then
        "$SYSTEMCTL_EXEC" stop 'apport.socket'
        "$SYSTEMCTL_EXEC" mask 'apport.socket'
    fi

    # The service may be in the 'failed' state because it was started and
    # failed; reset that state so OVAL checks pass. After a reboot the service
    # should be 'inactive', not 'failed'.
    "$SYSTEMCTL_EXEC" reset-failed 'apport.service' || true

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_apport_disabled
  - unknown_severity

- name: Block Disable service apport
  block:

  - name: Disable service apport
    block:

    - name: Disable service apport
      systemd:
        name: apport.service
        enabled: 'no'
        state: stopped
        masked: 'yes'
    rescue:

    - name: Intentionally ignored previous 'Disable service apport' failure, service
        was already disabled
      meta: noop
  when: '"apport" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_apport_disabled
  - unknown_severity

- name: Unit Socket Exists - apport.socket
  command: systemctl -q list-unit-files apport.socket
  register: socket_file_exists
  changed_when: false
  failed_when: socket_file_exists.rc not in [0, 1]
  check_mode: false
  when: '"apport" in ansible_facts.packages'
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_apport_disabled
  - unknown_severity

- name: Disable socket apport
  systemd:
    name: apport.socket
    enabled: 'no'
    state: stopped
    masked: 'yes'
  when:
  - '"apport" in ansible_facts.packages'
  - socket_file_exists.stdout_lines is search("apport.socket",multiline=True)
  tags:
  - disable_strategy
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - service_apport_disabled
  - unknown_severity