From 20a266a7747052dd5a82c92a497ec58749f82cb0 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Mon, 21 Jun 2021 00:07:36 +0800 Subject: [PATCH] Modify related auditd checklist for --dont-auditd-by-uid --- bin/hardening/8.1.10_record_dac_edit.sh | 31 ++++++++---- .../8.1.11_record_failed_access_file.sh | 22 ++++++--- .../8.1.13_record_successful_mount.sh | 14 ++++-- bin/hardening/8.1.14_record_file_deletions.sh | 13 +++-- .../8.1.18_record_Events_netfilter.sh | 17 ++++--- .../8.1.19_record_sshkeysign_usage.sh | 17 +++++-- ...8.1.20_record_open_by_handle_at_syscall.sh | 10 ++-- ...Events_that_privileged_passwd_cmd_usage.sh | 29 +++++++---- ...s_that_privileged_priv_change_cmd_usage.sh | 41 +++++++++++----- ...vents_that_privileged_postfix_cmd_usage.sh | 17 +++++-- .../8.1.24_record_crontab_cmd_usage.sh | 10 +++- ...25_record_pam_timestamp_check_cmd_usage.sh | 10 +++- .../8.1.26_record_pam_tally_cmd_usage.sh | 11 +++-- bin/hardening/8.1.28_record_acl_cmd_usage.sh | 11 +++-- .../8.1.29_record_usermod_cmd_usage.sh | 10 +++- .../8.1.30_record_unix_update_cmd_usage.sh | 8 ++-- .../8.1.31_record_privileged_commands.sh | 15 ++++-- bin/hardening/8.1.7_record_mac_edit.sh | 48 ++++++++++++------- 18 files changed, 228 insertions(+), 106 deletions(-) diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh index 5f72f0e..c7509e8 100755 --- a/bin/hardening/8.1.10_record_dac_edit.sh +++ b/bin/hardening/8.1.10_record_dac_edit.sh 
@@ -14,15 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' -ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
@@ -68,7 +59,27 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod' + else +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S 
lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.11_record_failed_access_file.sh b/bin/hardening/8.1.11_record_failed_access_file.sh index b33060c..3917094 100755 --- a/bin/hardening/8.1.11_record_failed_access_file.sh +++ b/bin/hardening/8.1.11_record_failed_access_file.sh @@ -14,12 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' -ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
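Review bot: The new `if [ $DONT_AUDITD_BY_UID -eq 1 ]; then` in check_config() is unquoted and has no default: under the `set -u` shown in this file's first hunk an unset value aborts the script before any rule is written, and an empty value makes `[` fail with a syntax error, so prefer `if [ "${DONT_AUDITD_BY_UID:-0}" -eq 1 ]; then`, which falls back to the stricter UID-filtered rules. The same check, and the same near-verbatim repetition of every rule in both branches, recurs in the check_config() hunks of 8.1.11, 8.1.13, 8.1.14, 8.1.18, 8.1.19, 8.1.20, 8.1.21, 8.1.22, 8.1.23, 8.1.24, 8.1.25, 8.1.26, 8.1.28, 8.1.29, 8.1.30 and 8.1.31; building each rule once from a filter-suffix variable keeps the two variants from drifting, as sketched below for this file. Because the rule strings are now assigned inside check_config() instead of at top level, the scripts depend on the framework calling check_config() before audit()/apply(); that call order is outside these hunks, so a header comment such as `# Builds ARCH64/ARCH32_AUDIT_PARAMS from DONT_AUDITD_BY_UID; must run before audit()/apply()` would document the assumption. Operationally, if apply() appends missing lines rather than rewriting FILE (apply() is not shown here), toggling DONT_AUDITD_BY_UID on an already-hardened host leaves the previous variant in place next to the new one, so both rule sets stay loaded. Minor style: the `ARCH64_AUDIT_PARAMS=` and `ARCH32_AUDIT_PARAMS=` lines sit at column 0 inside the indented if/else.
```shell
check_config() {
  # Empty suffix audits every auid (system accounts and unset loginuid included);
  # the default keeps the CIS-style auid>=1000 / auid!=unset filter.
  uid_filter=" -F auid>=1000 -F auid!=4294967295"
  if [ "${DONT_AUDITD_BY_UID:-0}" -eq 1 ]; then
    uid_filter=""
  fi
  ARCH64_AUDIT_PARAMS="-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat${uid_filter} -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat${uid_filter} -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown${uid_filter} -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown${uid_filter} -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr${uid_filter} -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr${uid_filter} -k perm_mod"
  # ARCH32_AUDIT_PARAMS: the three b32 rules above, with the same ${uid_filter} substitution
}
```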
@@ -65,7 +59,21 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access' + else +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh index 7500ad3..e295058 100755 --- a/bin/hardening/8.1.13_record_successful_mount.sh +++ b/bin/hardening/8.1.13_record_successful_mount.sh 
@@ -14,10 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' -ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' - FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -63,7 +59,15 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -k mounts +-a always,exit -F arch=b32 -S mount -k mounts' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -k mounts' + else +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh index f3d9481..75aa43f 100755 --- a/bin/hardening/8.1.14_record_file_deletions.sh +++ b/bin/hardening/8.1.14_record_file_deletions.sh @@ -14,9 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete' -ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
@@ -63,7 +60,15 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete' + else +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.18_record_Events_netfilter.sh b/bin/hardening/8.1.18_record_Events_netfilter.sh index 6c966c3..eb7425d 100755 --- a/bin/hardening/8.1.18_record_Events_netfilter.sh +++ b/bin/hardening/8.1.18_record_Events_netfilter.sh @@ -14,11 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change --w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change --a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use --a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use' - FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
@@ -69,7 +64,17 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change +-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change +-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -k nft_persistent_use +-a always,exit -F path=/usr/sbin/nft -F perm=x -k nft_cmd_use' + else +AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change +-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change +-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use +-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.19_record_sshkeysign_usage.sh b/bin/hardening/8.1.19_record_sshkeysign_usage.sh index 9ab4f68..1784974 100755 --- a/bin/hardening/8.1.19_record_sshkeysign_usage.sh +++ b/bin/hardening/8.1.19_record_sshkeysign_usage.sh @@ -15,11 +15,6 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" -AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" - AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -72,6 +67,18 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh" + else +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh b/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh index 268cf73..73a634c 100755 --- a/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh +++ b/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh @@ -14,8 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
@@ -56,7 +54,13 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -k access' + else +AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh index 6d490db..af4b58b 100755 --- a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh +++ b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh 
@@ -15,15 +15,6 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" -AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" - AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -76,6 +67,26 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd +-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd +-a always,exit -F path=/usr/bin/chage -F perm=x -k privileged-passwd" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd +-a always,exit -F path=/bin/chage -F perm=x -k privileged-passwd" + else +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh index 6f9a111..1a8199f 100755 
--- a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh +++ b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh @@ -15,19 +15,6 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" -AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" - AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -80,6 +67,34 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -k privileged-priv_change +-a always,exit -F path=/usr/bin/newgrp -F perm=x -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -k privileged-priv_change +-a always,exit -F path=/usr/bin/chfn -F perm=x -k privileged-priv_change" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change +-a always,exit -F path=/bin/sudo -F perm=x -k privileged-priv_change +-a always,exit -F path=/bin/newgrp -F perm=x -k privileged-priv_change +-a always,exit -F path=/bin/chsh -F perm=x -k privileged-priv_change +-a always,exit -F path=/bin/sudoedit -F perm=x -k privileged-priv_change +-a always,exit -F path=/bin/chfn -F perm=x -k privileged-priv_change" + else +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/newgrp -F 
perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh index d99645b..770d532 100755 --- a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh +++ b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh @@ -15,11 +15,6 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' -AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix --a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' - AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
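Review bot: In the else branch of check_config() the two `chfn` rules keep `-F auid>=500` while every other rule in AUDIT_PARAMS_DEBIAN and AUDIT_PARAMS_CENTOS uses `-F auid>=1000`; the removed lines had the same value, but since the commit rewrites every rule this is the moment to align chfn to `-F auid>=1000`, otherwise that one command also records UIDs 500–999, which are typically system accounts. If the lower bound is intentional for chfn, say so with a comment on those two lines rather than leaving it to look like a leftover.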
@@ -72,6 +67,18 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -k privileged-postfix' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -k privileged-postfix +-a always,exit -F path=/sbin/postqueue -F perm=x -k privileged-postfix' + else +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh index f36f46d..998386e 100755 --- a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh +++ b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh @@ -15,8 +15,6 @@ HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' -AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -69,6 +67,14 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -k privileged-cron' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -k privileged-cron' + else +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh index 41ac3be..26d6444 100755 --- a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh +++ b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh @@ -15,8 +15,6 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' -AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -69,6 +67,14 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -k privileged-pam' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -k privileged-pam' + else +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh index b3f4b17..81d9052 100755 --- a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh +++ b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh @@ -15,9 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam --a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam' - # This function will be called if the script status is on enabled / audit mode audit () { # This feature is only for debian @@ -78,7 +75,13 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -k privileged-pam +-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -k privileged-pam' + else +AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam +-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam' + fi } # Source Root Dir Parameter 
diff --git a/bin/hardening/8.1.28_record_acl_cmd_usage.sh b/bin/hardening/8.1.28_record_acl_cmd_usage.sh index a8c91df..a131b28 100755 --- a/bin/hardening/8.1.28_record_acl_cmd_usage.sh +++ b/bin/hardening/8.1.28_record_acl_cmd_usage.sh @@ -16,9 +16,6 @@ FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' - # This function will be called if the script status is on enabled / audit mode audit () { # define custom IFS and save default one @@ -69,7 +66,13 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -k perm_chng +-a always,exit -F path=/usr/bin/chacl -F perm=x -k perm_chng' + else +AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh index 9595d04..75765aa 100755 --- a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh +++ b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh @@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' -AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -69,6 +67,14 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -k privileged-usermod' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -k privileged-usermod' + else +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh index 503cc55..b0386f7 100755 --- a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh +++ b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh @@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' - # This function will be called if the script status is on enabled / audit mode audit () { # define custom IFS and save default one @@ -67,7 +65,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -k privileged-unix-update' + else +AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.31_record_privileged_commands.sh b/bin/hardening/8.1.31_record_privileged_commands.sh index d645bd4..7d7bc8c 100755 --- a/bin/hardening/8.1.31_record_privileged_commands.sh +++ b/bin/hardening/8.1.31_record_privileged_commands.sh 
@@ -13,10 +13,6 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=4
-# Find all files with setuid or setgid set
-AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
-"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
--k privileged" }')
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
@@ -59,7 +55,16 @@ apply () {
 # This function will check config parameters required
 check_config() {
- :
+ if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
+# Find all files with setuid or setgid set
+AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
+"-a always,exit -F path=" $1 " -F perm=x -k privileged" }')
+ else
+# Find all files with setuid or setgid set
+AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
+"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
+-k privileged" }')
+ fi
 }
 # Source Root Dir Parameter
diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh
index 575698e..086ba34 100755
--- a/bin/hardening/8.1.7_record_mac_edit.sh
+++ b/bin/hardening/8.1.7_record_mac_edit.sh
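Review bot: The awk in both branches of the new check_config prints `$1`, so a setuid/setgid binary whose path contains whitespace yields a truncated `-F path=` rule that names the wrong file and leaves the real binary unwatched; `$0` is the whole line and keeps the path intact. The `find / -xdev` walk is also duplicated across the two branches although only the auid fragment differs, which doubles the place a future change to the search predicate must be made. Running the walk once and passing the fragment through `awk -v` keeps the function to a single pipeline.
```shell
check_config() {
    # DONT_AUDITD_BY_UID=1 records executions by every login uid; otherwise the
    # auid>=1000 / auid!=4294967295 (unset auid) filter from the previous rules is kept.
    if [ "${DONT_AUDITD_BY_UID:-0}" -eq 1 ]; then
        auid_filter=''
    else
        auid_filter=' -F auid>=1000 -F auid!=4294967295'
    fi
    # Find all files with setuid or setgid set; $0 keeps paths containing whitespace intact
    AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk -v f="$auid_filter" \
        '{print "-a always,exit -F path=" $0 " -F perm=x" f " -k privileged"}')
}
```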
@@ -17,23 +17,7 @@ HARDENING_LEVEL=4
 SELINUX_PKG="selinux-basics"
 SELINUX_PKG_CENTOS="selinux-policy"
-
-SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
--a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
--a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
--a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
--a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
--a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
--a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
--a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
--a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
--a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
--a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"
-
 APPARMOR_PKG="apparmor"
-AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
--w /etc/apparmor.d/ -p wa -k MAC-policy
--a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
 FILE='/etc/audit/rules.d/audit.rules'
@@ -108,7 +92,37 @@ apply () {
 # This function will check config parameters required
 check_config() {
- :
+ if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
+SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
+-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
+-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -k MAC_Event
+-a always,exit -F path=/usr/bin/chcon -F perm=wax -k MAC_Event
+-a always,exit -F path=/usr/bin/newrole -F perm=wax -k MAC_Event
+-a always,exit -F path=/usr/sbin/semanage -F perm=wax -k MAC_Event
+-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -k MAC_Event
+-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -k MAC_Event
+-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -k MAC_Event
+-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -k MAC_Event
+-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -k MAC_Event"
+AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
+-w /etc/apparmor.d/ -p wa -k MAC-policy
+-a always,exit -F path=/sbin/apparmor_parser -F perm=x -k MAC-policy'
+else
+SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
+-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
+-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
+-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"
+AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
+-w /etc/apparmor.d/ -p wa -k MAC-policy
+-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
+ fi
 }
 # Source Root Dir Parameter
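Review bot: `+else` in the new check_config of 8.1.7 sits at column 0 while the matching `if` and `fi` lines are indented, which reads as though the function body had already closed; align it with `fi`. The SELinux and AppArmor rule lists are repeated verbatim in both branches with only the `-F auid>=1000 -F auid!=4294967295` fragment differing, so a later edit to one list (a new path, a changed key) has to be made twice and the two copies will drift; computing the fragment once into a variable and writing each list a single time avoids that. The `-F dir=` and `-w` watch lines are identical in both branches, so the switch does not affect them; a one-line comment above them, `# directory watches carry no auid filter in either mode`, would make that choice explicit to the next reader.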