From 2c74d17d7add5adcbe1ff398b1d063a84261186e Mon Sep 17 00:00:00 2001
From: Samson-W <sccxboy@gmail.com>
Date: Tue, 30 Oct 2018 04:04:32 +0800
Subject: [PATCH] Add audit and apply methods for 8.1.26

---
 .../8.1.26_record_pam_tally_cmd_usage.sh      | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100755 bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh

diff --git a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
new file mode 100755
index 0000000..5cef788
--- /dev/null
+++ b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+#
+# harbian audit 7/8/9  Hardening
+#
+
+#
+# 8.1.26  Recored pam_tally/pam_tally2 command usage (Scored)
+# Authors : Samson wen, Samson <sccxboy@gmail.com>
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+HARDENING_LEVEL=4
+
+AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
+-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILE"
+        IFS=$d_IFS
+        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
+        IFS=$c_IFS
+        if [ $FNRET != 0 ]; then
+            crit "$AUDIT_VALUE is not in file $FILE"
+        else
+            ok "$AUDIT_VALUE is present in $FILE"
+        fi
+    done
+    IFS=$d_IFS
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+    IFS=$'\n'
+    for AUDIT_VALUE in $AUDIT_PARAMS; do
+        debug "$AUDIT_VALUE should be in file $FILE"
+        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
+        if [ $FNRET != 0 ]; then
+            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+            add_end_of_file $FILE $AUDIT_VALUE
+            eval $(pkill -HUP -P 1 auditd)
+        else
+            ok "$AUDIT_VALUE is present in $FILE"
+        fi
+    done
+}
+
+# This function will check config parameters required
+check_config() {
+    :
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+    . /etc/default/cis-hardening
+fi
+if [ -z "$CIS_ROOT_DIR" ]; then
+     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+     echo "Cannot source CIS_ROOT_DIR variable, aborting."
+    exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
+    . $CIS_ROOT_DIR/lib/main.sh
+else
+    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
+    exit 128
+fi