From 33c9611cc51008d1d6158c3a57ec3887c16beb9e Mon Sep 17 00:00:00 2001 From: Samson-W Date: Sun, 17 May 2020 03:31:07 +0800 Subject: [PATCH] Fix issues #15 auditd check has duplicates. --- ...ecve.sh => 8.1.12_record_syscall_execve.sh} | 2 +- ...sh => 8.1.31_record_privileged_commands.sh} | 12 +++++++----- lib/utils.sh | 18 ++++++++++++++++++ 3 files changed, 26 insertions(+), 6 deletions(-) rename bin/hardening/{8.1.31_record_syscall_execve.sh => 8.1.12_record_syscall_execve.sh} (97%) rename bin/hardening/{8.1.12_record_privileged_commands.sh => 8.1.31_record_privileged_commands.sh} (83%) diff --git a/bin/hardening/8.1.31_record_syscall_execve.sh b/bin/hardening/8.1.12_record_syscall_execve.sh similarity index 97% rename from bin/hardening/8.1.31_record_syscall_execve.sh rename to bin/hardening/8.1.12_record_syscall_execve.sh index 341dec1..0cd8549 100755 --- a/bin/hardening/8.1.31_record_syscall_execve.sh +++ b/bin/hardening/8.1.12_record_syscall_execve.sh @@ -5,7 +5,7 @@ # # -# 8.1.31 Collect the execution of privileged functions Events (Scored) +# 8.1.12 Collect the execution of privileged functions Events (Scored) # Author: Samson-W (sccxboy@gmail.com) # diff --git a/bin/hardening/8.1.12_record_privileged_commands.sh b/bin/hardening/8.1.31_record_privileged_commands.sh similarity index 83% rename from bin/hardening/8.1.12_record_privileged_commands.sh rename to bin/hardening/8.1.31_record_privileged_commands.sh index 5a6e494..6dd43a1 100755 --- a/bin/hardening/8.1.12_record_privileged_commands.sh +++ b/bin/hardening/8.1.31_record_privileged_commands.sh @@ -5,7 +5,7 @@ # # -# 8.1.12 Collect Use of Privileged Commands (Scored) +# 8.1.31 Collect Use of Privileged Commands (Scored) # set -e # One error, it's over 
@@ -28,12 +28,13 @@ audit () { for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') + does_valid_pattern_exist_in_file $FILE "$RESULT" IFS=$c_IFS if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" + crit "$RESULT is not in file $FILE" else - ok "$AUDIT_VALUE is present in $FILE" + ok "$RESULT is present in $FILE" fi done IFS=$d_IFS @@ -44,7 +45,8 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') + does_valid_pattern_exist_in_file $FILE "$RESULT" if [ $FNRET != 0 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE diff --git a/lib/utils.sh b/lib/utils.sh index dc17a3b..4cca23e 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -211,7 +211,25 @@ does_pattern_exist_in_file() { debug "File $FILE is not readable!" FNRET=2 fi +} +# Check after deleting blank lines and comment lines +does_valid_pattern_exist_in_file() { + local FILE=$1 + local PATTERN=$2 + + debug "Checking if $PATTERN is present in $FILE" + if $SUDO_CMD [ -r "$FILE" ] ; then + debug "$SUDO_CMD sed '/^#/d' $FILE | sed '/^$/d' | grep -c '$PATTERN'" + if [ $($SUDO_CMD sed '/^#/d' $FILE | sed '/^$/d' | grep -c "$PATTERN") -gt 0 ]; then + FNRET=0 + else + FNRET=1 + fi + else + debug "File $FILE is not readable!" + FNRET=2 + fi } add_end_of_file() {
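Review bot: The new `RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')` derives the value to search for from `$AUDITRULE`, which is neither the loop variable nor assigned anywhere in this hunk, so unless it is updated per iteration somewhere outside what is shown, every `AUDIT_VALUE` in the loop is checked against the same extracted field and the crit/ok verdict no longer reflects the rule being iterated. If the intent is to test the current rule's `path=` value, derive it from the loop variable and avoid word-splitting the unquoted rule: `RESULT=$(printf '%s\n' "$AUDIT_VALUE" | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')`. The extracted field is only the first `-F` value (the path), so a rule present with a different `perm`/`auid` filter or `-k` key still counts as present; that weaker check deserves a comment such as `# Only the path= field is matched; perm/auid/key of an existing rule are not verified`. `audit()` begins before this hunk.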
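Review bot: In `apply()` the presence test now uses `$RESULT`, extracted from `$AUDITRULE`, while the line appended by `add_end_of_file $FILE $AUDIT_VALUE` is the loop's `$AUDIT_VALUE`; because `RESULT` does not depend on the loop variable, the loop will either append every rule (recreating the duplicates issue #15 is about on the next run) or skip all of them even when some are missing. Deriving the pattern from the rule being added keeps the check and the remediation consistent: `RESULT=$(printf '%s\n' "$AUDIT_VALUE" | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')`. The `warn` message still reports `$AUDIT_VALUE` while the audit hunk reports `$RESULT`; pick one so both modes log the same thing. `apply()` begins before this hunk and continues past it.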
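Review bot: `grep -c "$PATTERN"` in the new `does_valid_pattern_exist_in_file` treats the argument as a regular expression and passes it without `--`, so a value starting with `-` is parsed as a grep option (grep then prints nothing, `[ -gt 0 ]` fails with a syntax error and `set -e` callers abort), and regex metacharacters in a path such as `.` match more than the literal text; `$FILE` is also unquoted in the `sed` call. A literal match over the stripped file is what the helper's comment describes: `if [ "$($SUDO_CMD sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -- "$FILE" | grep -c -F -- "$PATTERN")" -gt 0 ]; then` (the `[[:space:]]*` also drops indented comments, which `'/^#/d'` leaves in). The check remains a substring match, so callers must pass a value distinctive enough not to match a longer path; state that in the header comment, e.g. `# Substring match after stripping comments/blank lines; PATTERN is matched literally, not as a regex`. The trailing context of this hunk may extend past what is shown.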