Add a 32-bit architecture branch to some audit checks: select b32-only audit rules when the system is not 64-bit.

This commit is contained in:
Samson-W 2019-04-15 01:45:32 +08:00
parent 8b59848f42
commit 40246ee3b7
13 changed files with 88 additions and 45 deletions


@ -6,6 +6,7 @@
#
# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it's over


@ -6,6 +6,7 @@
#
# 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it's over
@ -13,23 +14,28 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
IFS=$'\n'
is_64bit_arch
if [ $FNRET=0 ]; then
AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
else
AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
@ -41,6 +47,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
d_IFS=$IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -53,6 +60,7 @@ apply () {
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
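Review bot: The architecture test `if [ $FNRET=0 ]; then` never selects the 32-bit rule set: with no whitespace around `=`, `[` receives the single word `0=0` or `1=0`, a non-empty string that is always true, so ARCH64_AUDIT_PARAMS is used on every host and a 32-bit kernel is handed `arch=b64` rules it cannot load. It should read `if [ "$FNRET" = 0 ]; then`, matching the `[ $FNRET != 0 ]` comparison used further down. A second point: AUDIT_PARAMS is now assigned only inside audit(), yet apply() still iterates `$AUDIT_PARAMS` under `set -u`; if the calling framework can run apply() without audit() first this aborts on an unbound variable, so either confirm the call order or hoist the arch selection to top level where the old AUDIT_PARAMS assignment was. The tail of audit() lies outside the hunk.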


@ -6,6 +6,7 @@
#
# 8.1.13 Collect Successful File System Mounts (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it's over
@ -13,8 +14,9 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
FILE='/etc/audit/rules.d/audit.rules'
@ -22,13 +24,16 @@ FILE='/etc/audit/rules.d/audit.rules'
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
IFS=$'\n'
is_64bit_arch
if [ $FNRET=0 ]; then
AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
else
AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
@ -40,6 +45,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
d_IFS=$IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -52,6 +58,7 @@ apply () {
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required


@ -6,6 +6,7 @@
#
# 8.1.14 Collect File Deletion Events by User (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it's over
@ -13,21 +14,26 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
IFS=$'\n'
is_64bit_arch
if [ $FNRET=0 ]; then
AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
else
AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
@ -39,6 +45,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
d_IFS=$IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -51,6 +58,7 @@ apply () {
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required


@ -21,13 +21,10 @@ FILE='/etc/audit/rules.d/audit.rules'
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
@ -39,6 +36,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
d_IFS=$IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -51,6 +49,7 @@ apply () {
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
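Review bot: Dropping the `IFS=$d_IFS` / `IFS=$c_IFS` pair around `does_pattern_exist_in_file $FILE "$AUDIT_VALUE"` means that helper now runs with IFS set to a bare newline. `"$AUDIT_VALUE"` is quoted, so the argument survives, but `$FILE` is not quoted and any unquoted expansion inside the helper (an unquoted pattern passed to grep, for example) will no longer split on spaces. The helper is not visible here, so this may well be harmless; if it cannot be confirmed to quote everything, keep the restore around the call: `IFS=$d_IFS; does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"; IFS=$'\n'`. Both audit() and apply() continue beyond the lines shown.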


@ -6,6 +6,7 @@
#
# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it's over
@ -13,11 +14,15 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules'
ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules'
FILE='/etc/audit/rules.d/audit.rules'
@ -25,13 +30,16 @@ FILE='/etc/audit/rules.d/audit.rules'
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
IFS=$'\n'
is_64bit_arch
if [ $FNRET=0 ]; then
AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
else
AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
@ -43,6 +51,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
d_IFS=$IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -55,6 +64,7 @@ apply () {
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
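Review bot: `if [ $FNRET=0 ]; then` in audit() is a string-nonempty test, not an equality test: `[` sees the one word `0=0` or `1=0` and returns true in both cases, so ARCH64_AUDIT_PARAMS is always selected and a 32-bit host is still asked to load the `arch=b64 -S init_module …` rule. Use `if [ "$FNRET" = 0 ]; then`, as the later `[ $FNRET != 0 ]` check already does. Note too that apply() iterates `$AUDIT_PARAMS`, which is now only assigned inside audit(); with `set -u` that requires audit() to precede apply() in the same run, which the caller (not shown) should guarantee, or the selection should move to top level. audit() ends outside the hunk.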


@ -6,6 +6,7 @@
#
# 8.1.18 Make the Audit Configuration Immutable (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it's over
@ -20,13 +21,10 @@ FILE='/etc/audit/rules.d/audit.rules'
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
@ -38,6 +36,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
d_IFS=$IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -50,6 +49,7 @@ apply () {
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
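Review bot: With the `IFS=$d_IFS` / `IFS=$c_IFS` lines removed, `does_pattern_exist_in_file $FILE "$AUDIT_VALUE"` is now called while IFS is a bare newline, and the same holds for everything apply() calls once it sets `IFS=$'\n'`. That is only safe if those helpers quote every expansion; an unquoted pattern or file argument inside them would stop splitting on spaces. The helpers are outside this page, so treat this as a caveat to verify rather than a confirmed defect; quoting `"$FILE"` on the call line is cheap either way. Both function bodies extend past the hunk.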


@ -6,6 +6,7 @@
#
# 8.1.2 Install and Enable auditd Service (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it's over


@ -6,6 +6,7 @@
#
# 8.1.4 Record Events That Modify Date and Time Information (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it is over


@ -24,13 +24,10 @@ FILE='/etc/audit/rules.d/audit.rules'
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
@ -42,6 +39,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
d_IFS=$IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -54,6 +52,7 @@ apply () {
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
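Review bot: Removing the IFS restore around `does_pattern_exist_in_file $FILE "$AUDIT_VALUE"` changes the environment that helper runs in (IFS is now a bare newline for the whole loop). The quoted `"$AUDIT_VALUE"` is fine, but `$FILE` is unquoted and any unquoted expansion inside the helper will no longer word-split as before. Since the helper is not visible here, either confirm it quotes its arguments or keep the restore: `IFS=$d_IFS; does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"; IFS=$'\n'`. audit() and apply() both continue beyond the lines shown.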


@ -6,6 +6,7 @@
#
# 8.1.6 Record Events That Modify the System's Network Environment (Scored)
# Modify by: Samson-W (sccxboy@gmail.com)
#
set -e # One error, it's over
@ -13,25 +14,33 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
ARCH64_AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale'
ARCH32_AUDIT_PARAMS='-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
IFS=$'\n'
is_64bit_arch
if [ $FNRET=0 ]; then
AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
else
AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
@ -43,6 +52,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
d_IFS=$IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -55,6 +65,7 @@ apply () {
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
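Review bot: The new `if [ $FNRET=0 ]; then` always takes the 64-bit branch: without spaces around `=` the test is `[ 1=0 ]` or `[ 0=0 ]`, a non-empty string, which is true, so ARCH32_AUDIT_PARAMS is never used and a 32-bit kernel still receives the `arch=b64 -S sethostname` rule it cannot load. Replace it with `if [ "$FNRET" = 0 ]; then`, consistent with the `[ $FNRET != 0 ]` comparison below. As AUDIT_PARAMS is now only assigned inside audit() and apply() still iterates `$AUDIT_PARAMS` under `set -u`, apply() is correct only if audit() always runs first in the same process — confirm with the caller or hoist the selection to top level. The end of audit() is outside the hunk.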


@ -22,13 +22,10 @@ FILE='/etc/audit/rules.d/audit.rules'
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
@ -40,6 +37,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
d_IFS=$IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -52,6 +50,7 @@ apply () {
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
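Review bot: The helper call `does_pattern_exist_in_file $FILE "$AUDIT_VALUE"` now executes with IFS set to a bare newline, because the surrounding `IFS=$d_IFS` / `IFS=$c_IFS` lines were removed, and apply() gains the same behaviour via the added `IFS=$'\n'`. That is harmless only if the helpers quote every expansion; an unquoted variable inside them would stop splitting on spaces. The helper bodies are not in this commit, so this is a caveat to verify; quoting `"$FILE"` on the call line costs nothing regardless. Both functions run past the end of the hunk.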


@ -22,13 +22,10 @@ FILE='/etc/audit/rules.d/audit.rules'
audit () {
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
@ -40,6 +37,7 @@ audit () {
# This function will be called if the script status is on enabled mode
apply () {
d_IFS=$IFS
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
@ -52,6 +50,7 @@ apply () {
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
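Review bot: After this change `does_pattern_exist_in_file $FILE "$AUDIT_VALUE"` runs under `IFS=$'\n'` in audit() (the restore around the call was dropped), and apply() now sets the same IFS before its loop. If any helper these functions call relies on default word splitting of an unquoted expansion, its behaviour changes; the helpers are not visible here, so this is a point to confirm rather than a known defect. Quoting `"$FILE"` on the call line would at least make that argument independent of IFS. The bodies of audit() and apply() extend beyond the hunk.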