Fix bug: audit.rules file path error.
This commit is contained in:
Samson-W
parent
2c74d17d7a
commit
145de31c21
bin/hardening
8.1.10_record_dac_edit.sh8.1.11_record_failed_access_file.sh8.1.12_record_privileged_commands.sh8.1.13_record_successful_mount.sh8.1.14_record_file_deletions.sh8.1.15_record_sudoers_edit.sh8.1.16_record_sudo_usage.sh8.1.17_record_kernel_modules.sh8.1.18_freeze_auditd_conf.sh8.1.19_record_sshkeysign_usage.sh8.1.20_record_open_by_handle_at_syscall.sh8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh8.1.24_record_crontab_cmd_usage.sh8.1.25_record_pam_timestamp_check_cmd_usage.sh8.1.26_record_pam_tally_cmd_usage.sh8.1.4_record_date_time_edit.sh8.1.5_record_user_group_edit.sh8.1.6_record_network_edit.sh8.1.7_record_mac_edit.sh8.1.8_record_login_logout.sh8.1.9_record_session_init.sh
|
|
@ -19,7 +19,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
|
|||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
|
|||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ SUDO_CMD='sudo -n'
|
|||
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
|
||||
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
|
||||
-k privileged" }')
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967
|
|||
-a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=4294967295 -k mounts
|
||||
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k mounts'
|
||||
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ HARDENING_LEVEL=4
|
|||
|
||||
AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
|
||||
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ HARDENING_LEVEL=4
|
|||
|
||||
AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
|
||||
-w /etc/sudoers.d/ -p wa -k sudoers'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
|
|||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
|
|||
-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
|
||||
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules'
|
||||
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
|
|||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-e 2'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
|
|||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ HARDENING_LEVEL=4
|
|||
|
||||
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ AUDIT_PARAMS='-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F
|
|||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd'
|
||||
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ AUDIT_PARAMS='-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=42
|
|||
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change'
|
||||
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ HARDENING_LEVEL=4
|
|||
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
|
|||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ set -u # One variable unset, it's over
|
|||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ HARDENING_LEVEL=4
|
|||
|
||||
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
|
||||
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-cha
|
|||
-a always,exit -F arch=b64 -S clock_settime -k time-change
|
||||
-a always,exit -F arch=b32 -S clock_settime -k time-change
|
||||
-w /etc/localtime -p wa -k time-change'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ AUDIT_PARAMS='-w /etc/group -p wa -k identity
|
|||
-w /etc/gshadow -p wa -k identity
|
||||
-w /etc/shadow -p wa -k identity
|
||||
-w /etc/security/opasswd -p wa -k identity'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k syst
|
|||
-w /etc/issue.net -p wa -k system-locale
|
||||
-w /etc/hosts -p wa -k system-locale
|
||||
-w /etc/network -p wa -k system-locale'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ set -u # One variable unset, it's over
|
|||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ HARDENING_LEVEL=4
|
|||
AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
|
||||
-w /var/log/lastlog -p wa -k logins
|
||||
-w /var/log/tallylog -p wa -k logins'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ HARDENING_LEVEL=4
|
|||
AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
|
||||
-w /var/log/wtmp -p wa -k session
|
||||
-w /var/log/btmp -p wa -k session'
|
||||
FILE='/etc/audit/audit.rules'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
|
|||
Loading…
Reference in New Issue