Modify related auditd checklist for --dont-auditd-by-uid
This commit is contained in:
Samson-W
parent
6209e876e1
commit
20a266a774
|
|
@ -14,15 +14,6 @@ set -u # One variable unset, it's over
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -68,7 +59,27 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
|
||||
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod
|
||||
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod'
|
||||
else
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -14,12 +14,6 @@ set -u # One variable unset, it's over
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -65,7 +59,21 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access'
|
||||
else
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -14,10 +14,6 @@ set -u # One variable unset, it's over
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
|
||||
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
|
||||
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -63,7 +59,15 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -k mounts
|
||||
-a always,exit -F arch=b32 -S mount -k mounts'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -k mounts'
|
||||
else
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
|
||||
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -14,9 +14,6 @@ set -u # One variable unset, it's over
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
|
||||
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -63,7 +60,15 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete
|
||||
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete'
|
||||
else
|
||||
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
|
||||
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
|
||||
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -14,11 +14,6 @@ set -u # One variable unset, it's over
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
|
||||
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
|
||||
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
|
||||
-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use'
|
||||
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -69,7 +64,17 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
|
||||
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
|
||||
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -k nft_persistent_use
|
||||
-a always,exit -F path=/usr/sbin/nft -F perm=x -k nft_cmd_use'
|
||||
else
|
||||
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
|
||||
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
|
||||
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
|
||||
-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use'
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -15,11 +15,6 @@ set -e # One error, it's over
|
|||
HARDENING_LEVEL=4
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
|
||||
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -72,6 +67,18 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh"
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh"
|
||||
else
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
|
||||
fi
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
|
|
|
|||
|
|
@ -14,8 +14,6 @@ set -u # One variable unset, it's over
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -56,7 +54,13 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -k access
|
||||
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -k access'
|
||||
else
|
||||
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -15,15 +15,6 @@ set -e # One error, it's over
|
|||
HARDENING_LEVEL=4
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
|
||||
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -76,6 +67,26 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd
|
||||
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/chage -F perm=x -k privileged-passwd"
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd
|
||||
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd
|
||||
-a always,exit -F path=/bin/chage -F perm=x -k privileged-passwd"
|
||||
else
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
|
||||
fi
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
|
|
|
|||
|
|
@ -15,19 +15,6 @@ set -e # One error, it's over
|
|||
HARDENING_LEVEL=4
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
|
||||
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -80,6 +67,34 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/sudo -F perm=x -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/newgrp -F perm=x -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/chsh -F perm=x -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/chfn -F perm=x -k privileged-priv_change"
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/sudo -F perm=x -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/newgrp -F perm=x -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/chsh -F perm=x -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/sudoedit -F perm=x -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/chfn -F perm=x -k privileged-priv_change"
|
||||
else
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
|
||||
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
|
||||
fi
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
|
|
|
|||
|
|
@ -15,11 +15,6 @@ set -e # One error, it's over
|
|||
HARDENING_LEVEL=4
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -72,6 +67,18 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -k privileged-postfix
|
||||
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -k privileged-postfix'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -k privileged-postfix
|
||||
-a always,exit -F path=/sbin/postqueue -F perm=x -k privileged-postfix'
|
||||
else
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
fi
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
|
|
|
|||
|
|
@ -15,8 +15,6 @@ HARDENING_LEVEL=4
|
|||
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -69,6 +67,14 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -k privileged-cron'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -k privileged-cron'
|
||||
else
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
fi
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
|
|
|
|||
|
|
@ -15,8 +15,6 @@ set -e # One error, it's over
|
|||
HARDENING_LEVEL=4
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -69,6 +67,14 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -k privileged-pam'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -k privileged-pam'
|
||||
else
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
fi
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
|
|
|
|||
|
|
@ -15,9 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
|
||||
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
# This feature is only for debian
|
||||
|
|
@ -78,7 +75,13 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -k privileged-pam
|
||||
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -k privileged-pam'
|
||||
else
|
||||
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
|
||||
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -16,9 +16,6 @@ FILE='/etc/audit/rules.d/audit.rules'
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
|
||||
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
# define custom IFS and save default one
|
||||
|
|
@ -69,7 +66,13 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -k perm_chng
|
||||
-a always,exit -F path=/usr/bin/chacl -F perm=x -k perm_chng'
|
||||
else
|
||||
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
|
||||
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -69,6 +67,14 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -k privileged-usermod'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -k privileged-usermod'
|
||||
else
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
fi
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
|
|
|
|||
|
|
@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
# define custom IFS and save default one
|
||||
|
|
@ -67,7 +65,11 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -k privileged-unix-update'
|
||||
else
|
||||
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -13,10 +13,6 @@ set -u # One variable unset, it's over
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
# Find all files with setuid or setgid set
|
||||
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
|
||||
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
|
||||
-k privileged" }')
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
|
|
@ -59,7 +55,16 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
# Find all files with setuid or setgid set
|
||||
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
|
||||
"-a always,exit -F path=" $1 " -F perm=x -k privileged" }')
|
||||
else
|
||||
# Find all files with setuid or setgid set
|
||||
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
|
||||
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
|
||||
-k privileged" }')
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -17,23 +17,7 @@ HARDENING_LEVEL=4
|
|||
|
||||
SELINUX_PKG="selinux-basics"
|
||||
SELINUX_PKG_CENTOS="selinux-policy"
|
||||
|
||||
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
|
||||
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
|
||||
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"
|
||||
|
||||
APPARMOR_PKG="apparmor"
|
||||
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
|
||||
-w /etc/apparmor.d/ -p wa -k MAC-policy
|
||||
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
|
||||
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
|
|
@ -108,7 +92,37 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
|
||||
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
|
||||
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
|
||||
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -k MAC_Event
|
||||
-a always,exit -F path=/usr/bin/chcon -F perm=wax -k MAC_Event
|
||||
-a always,exit -F path=/usr/bin/newrole -F perm=wax -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -k MAC_Event"
|
||||
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
|
||||
-w /etc/apparmor.d/ -p wa -k MAC-policy
|
||||
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -k MAC-policy'
|
||||
else
|
||||
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
|
||||
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
|
||||
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
|
||||
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"
|
||||
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
|
||||
-w /etc/apparmor.d/ -p wa -k MAC-policy
|
||||
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
Loading…
Reference in New Issue