Merge pull request #23 from Samson-W/master

Add 8.1.32 8.1.33 8.1.34 for auditd rules, and rename 8.1.32 to 8.1.35
2021-06-20 21:46:34 +08:00 · 2021-06-20 21:46:34 +08:00 · 2330cea519
parent 88983fe3a9 a9dc7057ae
commit 2330cea519
6 changed files with 295 additions and 1 deletions
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@ -25,6 +25,7 @@ SET_HARDENING_LEVEL=0
 SUDO_MODE=''
 INIT_G_CONFIG=0
 FINAL_G_CONFIG=0
+DONT_BY_UID_G_CONFIG=127

 usage() {
    cat << EOF
@ -90,6 +91,10 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
           password strength and robustness;
        2. Aide reinitializes.

+    --dont-auditd-by-uid
+        Auditd rules do not use uid parameter, for all user to auditd. If set 1 will not use uid, else if 
+        set 0 will use uid.
+
 OPTIONS:

    --only <test_number>
@ -158,6 +163,10 @@ while [[ $# > 0 ]]; do
 		--final)
 			FINAL_G_CONFIG=1
 		;;
+		--dont-auditd-by-uid)
+			DONT_BY_UID_G_CONFIG="$2"
+			shift
+		;;
        *)
            usage
        ;;
@ -175,11 +184,25 @@ if [ -z "$CIS_ROOT_DIR" ]; then
    exit 128
 fi

+# For --dont-auditd-by-uid
+if [ $DONT_BY_UID_G_CONFIG -ne 127 ]; then
+	if [ $DONT_BY_UID_G_CONFIG -eq 1 ]; then
+		echo "Set dont use uid for auditd rules"
+		sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=1/g' $CIS_ROOT_DIR/etc/hardening.cfg
+	else
+		echo "Set use uid for auditd rules"
+		sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=0/g' $CIS_ROOT_DIR/etc/hardening.cfg
+	fi
+	exit 0
+fi
+
 [ -r $CIS_ROOT_DIR/lib/constants.sh  ] && . $CIS_ROOT_DIR/lib/constants.sh
 [ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
 [ -r $CIS_ROOT_DIR/lib/common.sh     ] && . $CIS_ROOT_DIR/lib/common.sh
 [ -r $CIS_ROOT_DIR/lib/utils.sh      ] && . $CIS_ROOT_DIR/lib/utils.sh

+
+
 # For --init
 if [ $INIT_G_CONFIG -eq 1 ]; then
 	if [ -r /etc/redhat-release ]; then
--- a/bin/hardening/8.1.32_record_ufw_of_debian_like.sh
+++ b/bin/hardening/8.1.32_record_ufw_of_debian_like.sh
@ -0,0 +1,101 @@
+#!/bin/bash
+
+#
+# harbian-audit for Debian GNU/Linux 7/8/9/10 Hardening
+#
+
+# This script only support Debian-like desktop, So set to x11 service list 
+# 8.1.32 Collect ufw related items (Scored)
+# Add by Author : Samson wen, Samson <sccxboy@gmail.com>
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=4
+HARDENING_EXCEPTION=x11
+
+# Find all files with setuid or setgid set
+AUDIT_PARAMS='-a always,exit -F dir=/etc/ufw/ -F perm=wa -k ufw_config_file_chg
+-a always,exit -F path=/etc/default/ufw -F perm=wa -k ufw_config_file_chg
+-a always,exit -F path=/usr/sbin/ufw -F perm=wax -k ufw_command_wax
+'
+FILE='/etc/audit/rules.d/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+	if [ $ISEXCEPTION -eq 1 ]; then
+		warn "Exception is set to 1, so it's pass!"
+	else
+   		# define custom IFS and save default one
+    	d_IFS=$IFS
+    	c_IFS=$'\n'
+    	IFS=$c_IFS
+    	for AUDIT_VALUE in $AUDIT_PARAMS; do
+        	debug "$AUDIT_VALUE should be in file $FILE"
+        	IFS=$d_IFS
+			RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+			does_valid_pattern_exist_in_file $FILE "$RESULT"
+        	IFS=$c_IFS
+        	if [ $FNRET != 0 ]; then
+            	crit "$RESULT is not in file $FILE"
+        	else
+            	ok "$RESULT is present in $FILE"
+        	fi
+    	done
+    	IFS=$d_IFS
+	fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+	if [ $ISEXCEPTION -eq 1 ]; then
+		warn "Exception is set to 1, so it's pass!"
+	else
+    	IFS=$'\n'
+    	for AUDIT_VALUE in $AUDIT_PARAMS; do
+        	debug "$AUDIT_VALUE should be in file $FILE"
+			RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+			does_valid_pattern_exist_in_file $FILE "$RESULT"
+        	if [ $FNRET != 0 ]; then
+            	warn "$AUDIT_VALUE is not in file $FILE, adding it"
+            	add_end_of_file $FILE $AUDIT_VALUE
+				check_auditd_is_immutable_mode
+        	else
+            	ok "$AUDIT_VALUE is present in $FILE"
+        	fi
+    	done
+	fi
+}
+
+# This function will create the config file for this check with default values
+create_config() {
+cat <<EOF
+status=disabled
+# Put here exception to pass this case, if set is 1, don't need apply, let to pass.
+ISEXCEPTION=0
+EOF
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/8.1.33_record_iptables_restore_exec.sh
+++ b/bin/hardening/8.1.33_record_iptables_restore_exec.sh
@ -0,0 +1,81 @@
+#!/bin/bash
+
+#
+# harbian-audit for Debian GNU/Linux 9/10 Hardening
+#
+
+#
+# 8.1.33 Collect iptables-restore exec (Scored)
+# Add by Author : Samson wen, Samson <sccxboy@gmail.com>
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=4
+
+AUDIT_PARAMS='-a always,exit -F path=/sbin/iptables-restore -F perm=x -k iptables_restore_exec
+-a always,exit -F path=/sbin/ip6tables-restore -F perm=x -k iptables_restore_exec'
+
+FILE='/etc/audit/rules.d/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILE"
+        IFS=$d_IFS
+		RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+		does_valid_pattern_exist_in_file $FILE "$RESULT"
+        IFS=$c_IFS
+        if [ $FNRET != 0 ]; then
+            crit "$RESULT is not in file $FILE"
+        else
+            ok "$RESULT is present in $FILE"
+        fi
+    done
+    IFS=$d_IFS
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    IFS=$'\n'
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILE"
+		RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+		does_valid_pattern_exist_in_file $FILE "$RESULT"
+        if [ $FNRET != 0 ]; then
+            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+            add_end_of_file $FILE $AUDIT_VALUE
+			check_auditd_is_immutable_mode
+        else
+            ok "$AUDIT_VALUE is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/8.1.34_record_file_transfer_related.sh
+++ b/bin/hardening/8.1.34_record_file_transfer_related.sh
@ -0,0 +1,84 @@
+#!/bin/bash
+
+#
+# harbian-audit for Debian GNU/Linux 9/10 Hardening
+#
+
+#
+# 8.1.34 Collect file transfer related items (Scored)
+# Add by Author : Samson wen, Samson <sccxboy@gmail.com>
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=4
+
+AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -k file_transfer_exec
+-a always,exit -F path=/usr/bin/wget -F perm=x -k file_transfer_exec
+-a always,exit -F path=/usr/bin/sftp -F perm=x -k file_transfer_exec
+-a always,exit -F path=/usr/bin/curl -F perm=x -k file_transfer_exec'
+
+FILE='/etc/audit/rules.d/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+	echo "DONT_AUDITD_BY_UID $DONT_AUDITD_BY_UID"
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILE"
+        IFS=$d_IFS
+		RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+		does_valid_pattern_exist_in_file $FILE "$RESULT"
+        IFS=$c_IFS
+        if [ $FNRET != 0 ]; then
+            crit "$RESULT is not in file $FILE"
+        else
+            ok "$RESULT is present in $FILE"
+        fi
+    done
+    IFS=$d_IFS
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    IFS=$'\n'
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILE"
+		RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+		does_valid_pattern_exist_in_file $FILE "$RESULT"
+        if [ $FNRET != 0 ]; then
+            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+            add_end_of_file $FILE $AUDIT_VALUE
+			check_auditd_is_immutable_mode
+        else
+            ok "$AUDIT_VALUE is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi
--- a/bin/hardening/8.1.35_freeze_auditd_conf.sh
+++ b/bin/hardening/8.1.35_freeze_auditd_conf.sh
@ -5,7 +5,7 @@
 #

 #
-# 8.1.18 Make the Audit Configuration Immutable (Scored)
+# 8.1.35 Make the Audit Configuration Immutable (Scored)
 # Modify by: Samson-W (sccxboy@gmail.com)
 #

--- a/etc/hardening.cfg
+++ b/etc/hardening.cfg
@ -7,3 +7,8 @@ LOGLEVEL=info
 # Backup directory, every file modified by hardening will be backuped here, with versionning
 # Means that if a file is modified more than once during the process, you will have hardening step diffs in the folder
 BACKUPDIR="$CIS_ROOT_DIR/tmp/backups"
+
+# If set to 1, Don't use uid in auditd rules, all of the users will record to auditd log
+# If set to 0, use uid in auditd rules 
+DONT_AUDITD_BY_UID=0
+