diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh
index 634d100..619ffd9 100755
--- a/bin/hardening/8.1.10_record_dac_edit.sh
+++ b/bin/hardening/8.1.10_record_dac_edit.sh
@@ -6,6 +6,7 @@
 #
 # 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 set -e # One error, it's over
diff --git a/bin/hardening/8.1.11_record_failed_access_file.sh b/bin/hardening/8.1.11_record_failed_access_file.sh
index 658b146..4474de3 100755
--- a/bin/hardening/8.1.11_record_failed_access_file.sh
+++ b/bin/hardening/8.1.11_record_failed_access_file.sh
@@ -6,6 +6,7 @@
 #
 # 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 set -e # One error, it's over
@@ -13,23 +14,28 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=4
-AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
+ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 # define custom IFS and save default one
 d_IFS=$IFS
- c_IFS=$'\n'
- IFS=$c_IFS
+ IFS=$'\n'
+ is_64bit_arch
+ if [ $FNRET=0 ]; then
+ AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
+ else
+ AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
+ fi
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- IFS=$d_IFS
 does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
- IFS=$c_IFS
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
@@ -41,6 +47,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ d_IFS=$IFS
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
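Review bot: The arch selection added to audit() never reaches the 32-bit branch, because `if [ $FNRET=0 ]; then` hands `[` a single word (`0=0` or `1=0`), and a lone non-empty string is always true, so AUDIT_PARAMS is always ARCH64_AUDIT_PARAMS and the new ARCH32_AUDIT_PARAMS is dead code. The comparison needs the spaces and quoting `if [ "$FNRET" = 0 ]; then`. The same line is added in the audit() hunks of 8.1.13, 8.1.14, 8.1.17 and 8.1.6 in this diff. is_64bit_arch is not defined anywhere in this diff, so I am assuming it is a sourced library helper that reports through FNRET the way does_pattern_exist_in_file does; worth confirming it exists before merging. audit() continues past the end of this hunk.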
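Review bot: apply() still reads `$AUDIT_PARAMS` at `for AUDIT_VALUE in $AUDIT_PARAMS; do`, but after this change that variable is assigned only inside audit() (the file-level AUDIT_PARAMS definition was replaced by ARCH64_AUDIT_PARAMS and ARCH32_AUDIT_PARAMS), and the script runs under `set -u`, so apply() aborts on an unset variable unless audit() has already run in the same process. Whether the framework guarantees that ordering is not visible here; if it does not, do the selection once in a helper that both functions call, or at file scope after the two definitions. The same dependency appears in the apply() hunks of 8.1.13, 8.1.14, 8.1.17 and 8.1.6. apply() continues past the end of this hunk.
```shell
# Pick the rule set for the running kernel once, so audit() and apply() agree.
select_audit_params () {
    is_64bit_arch
    if [ "$FNRET" = 0 ]; then
        AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
    else
        AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
    fi
}

apply () {
    d_IFS=$IFS
    IFS=$'\n'
    select_audit_params
    # … unchanged: loop adding each missing rule to $FILE …
```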
@@ -53,6 +60,7 @@ apply () {
 ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
+ IFS=$d_IFS
 }
 # This function will check config parameters required
diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh
index 4d0dc04..11b80d8 100755
--- a/bin/hardening/8.1.13_record_successful_mount.sh
+++ b/bin/hardening/8.1.13_record_successful_mount.sh
@@ -6,6 +6,7 @@
 #
 # 8.1.13 Collect Successful File System Mounts (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 set -e # One error, it's over
@@ -13,8 +14,9 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=4
-AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
 -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
+ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
 FILE='/etc/audit/rules.d/audit.rules'
@@ -22,13 +24,16 @@ FILE='/etc/audit/rules.d/audit.rules'
 audit () {
 # define custom IFS and save default one
 d_IFS=$IFS
- c_IFS=$'\n'
- IFS=$c_IFS
+ IFS=$'\n'
+ is_64bit_arch
+ if [ $FNRET=0 ]; then
+ AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
+ else
+ AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
+ fi
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- IFS=$d_IFS
 does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
- IFS=$c_IFS
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
@@ -40,6 +45,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ d_IFS=$IFS
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
@@ -52,6 +58,7 @@ apply () {
 ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
+ IFS=$d_IFS
 }
 # This function will check config parameters required
diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh
index 710d9e2..021de66 100755
--- a/bin/hardening/8.1.14_record_file_deletions.sh
+++ b/bin/hardening/8.1.14_record_file_deletions.sh
@@ -6,6 +6,7 @@
 #
 # 8.1.14 Collect File Deletion Events by User (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 set -e # One error, it's over
@@ -13,21 +14,26 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=4
-AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
+ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
+ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 # define custom IFS and save default one
 d_IFS=$IFS
- c_IFS=$'\n'
- IFS=$c_IFS
+ IFS=$'\n'
+ is_64bit_arch
+ if [ $FNRET=0 ]; then
+ AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
+ else
+ AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
+ fi
+
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- IFS=$d_IFS
 does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
- IFS=$c_IFS
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
@@ -39,6 +45,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ d_IFS=$IFS
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
@@ -51,6 +58,7 @@ apply () {
 ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
+ IFS=$d_IFS
 }
 # This function will check config parameters required
diff --git a/bin/hardening/8.1.15_record_sudoers_edit.sh b/bin/hardening/8.1.15_record_sudoers_edit.sh
index 26a5333..29659d0 100755
--- a/bin/hardening/8.1.15_record_sudoers_edit.sh
+++ b/bin/hardening/8.1.15_record_sudoers_edit.sh
@@ -21,13 +21,10 @@ FILE='/etc/audit/rules.d/audit.rules'
 audit () {
 # define custom IFS and save default one
 d_IFS=$IFS
- c_IFS=$'\n'
- IFS=$c_IFS
+ IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- IFS=$d_IFS
 does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
- IFS=$c_IFS
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
@@ -39,6 +36,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ d_IFS=$IFS
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
@@ -51,6 +49,7 @@ apply () {
 ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
+ IFS=$d_IFS
 }
 # This function will check config parameters required
diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh
index 81b9bd1..bbaa1b9 100755
--- a/bin/hardening/8.1.17_record_kernel_modules.sh
+++ b/bin/hardening/8.1.17_record_kernel_modules.sh
@@ -6,6 +6,7 @@
 #
 # 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 set -e # One error, it's over
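Review bot: In audit() the hunk drops the `IFS=$d_IFS` / `IFS=$c_IFS` pair that bracketed `does_pattern_exist_in_file $FILE "$AUDIT_VALUE"`, so that helper now executes with IFS set to a newline rather than the default. Its body is not part of this diff; if it depends on default word splitting anywhere (an unquoted expansion passed to grep, for instance), its matching would silently change, so either check the helper before relying on this simplification or keep the two restore lines. The same removal is made in the audit() hunks of the other files in this diff, including the ones that add the is_64bit_arch selection. audit() continues past the end of this hunk.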
@@ -13,11 +14,15 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=4
-AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
+ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
 -a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
 -a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules'
+ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules'
 FILE='/etc/audit/rules.d/audit.rules'
@@ -25,13 +30,16 @@ FILE='/etc/audit/rules.d/audit.rules'
 audit () {
 # define custom IFS and save default one
 d_IFS=$IFS
- c_IFS=$'\n'
- IFS=$c_IFS
+ IFS=$'\n'
+ is_64bit_arch
+ if [ $FNRET=0 ]; then
+ AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
+ else
+ AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
+ fi
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- IFS=$d_IFS
 does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
- IFS=$c_IFS
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
@@ -43,6 +51,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ d_IFS=$IFS
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
@@ -55,6 +64,7 @@ apply () {
 ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
+ IFS=$d_IFS
 }
 # This function will check config parameters required
diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh
index 01f6bd3..1677b91 100755
--- a/bin/hardening/8.1.18_freeze_auditd_conf.sh
+++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh
@@ -6,6 +6,7 @@
 #
 # 8.1.18 Make the Audit Configuration Immutable (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 set -e # One error, it's over
@@ -20,13 +21,10 @@ FILE='/etc/audit/rules.d/audit.rules'
 audit () {
 # define custom IFS and save default one
 d_IFS=$IFS
- c_IFS=$'\n'
- IFS=$c_IFS
+ IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- IFS=$d_IFS
 does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
- IFS=$c_IFS
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
@@ -38,6 +36,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ d_IFS=$IFS
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
@@ -50,6 +49,7 @@ apply () {
 ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
+ IFS=$d_IFS
 }
 # This function will check config parameters required
diff --git a/bin/hardening/8.1.2_enable_auditd.sh b/bin/hardening/8.1.2_enable_auditd.sh
index 6aacada..e1d8006 100755
--- a/bin/hardening/8.1.2_enable_auditd.sh
+++ b/bin/hardening/8.1.2_enable_auditd.sh
@@ -6,6 +6,7 @@
 #
 # 8.1.2 Install and Enable auditd Service (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 set -e # One error, it's over
diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh
index e0a988b..a5608f6 100755
--- a/bin/hardening/8.1.4_record_date_time_edit.sh
+++ b/bin/hardening/8.1.4_record_date_time_edit.sh
@@ -6,6 +6,7 @@
 #
 # 8.1.4 Record Events That Modify Date and Time Information (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 set -e # One error, it is over
diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh
index f72ebb4..798e163 100755
--- a/bin/hardening/8.1.5_record_user_group_edit.sh
+++ b/bin/hardening/8.1.5_record_user_group_edit.sh
@@ -24,13 +24,10 @@ FILE='/etc/audit/rules.d/audit.rules'
 audit () {
 # define custom IFS and save default one
 d_IFS=$IFS
- c_IFS=$'\n'
- IFS=$c_IFS
+ IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- IFS=$d_IFS
 does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
- IFS=$c_IFS
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
@@ -42,6 +39,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ d_IFS=$IFS
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
@@ -54,6 +52,7 @@ apply () {
 ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
+ IFS=$d_IFS
 }
 # This function will check config parameters required
diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh
index 39423d2..c4a3fba 100755
--- a/bin/hardening/8.1.6_record_network_edit.sh
+++ b/bin/hardening/8.1.6_record_network_edit.sh
@@ -6,6 +6,7 @@
 #
 # 8.1.6 Record Events That Modify the System's Network Environment (Scored)
+# Modify by: Samson-W (sccxboy@gmail.com)
 #
 set -e # One error, it's over
@@ -13,25 +14,33 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=4
-AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
+ARCH64_AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
 -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
 -w /etc/network -p wa -k system-locale'
+ARCH32_AUDIT_PARAMS='-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/network -p wa -k system-locale'
 FILE='/etc/audit/rules.d/audit.rules'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 # define custom IFS and save default one
 d_IFS=$IFS
- c_IFS=$'\n'
- IFS=$c_IFS
+ IFS=$'\n'
+ is_64bit_arch
+ if [ $FNRET=0 ]; then
+ AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS
+ else
+ AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS
+ fi
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- IFS=$d_IFS
 does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
- IFS=$c_IFS
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
@@ -43,6 +52,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ d_IFS=$IFS
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
@@ -55,6 +65,7 @@ apply () {
 ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
+ IFS=$d_IFS
 }
 # This function will check config parameters required
diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh
index b28104a..9904416 100755
--- a/bin/hardening/8.1.8_record_login_logout.sh
+++ b/bin/hardening/8.1.8_record_login_logout.sh
@@ -22,13 +22,10 @@ FILE='/etc/audit/rules.d/audit.rules'
 audit () {
 # define custom IFS and save default one
 d_IFS=$IFS
- c_IFS=$'\n'
- IFS=$c_IFS
+ IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- IFS=$d_IFS
 does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
- IFS=$c_IFS
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
@@ -40,6 +37,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ d_IFS=$IFS
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
@@ -52,6 +50,7 @@ apply () {
 ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
+ IFS=$d_IFS
 }
 # This function will check config parameters required
diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh
index e6bc7f1..f5ec465 100755
--- a/bin/hardening/8.1.9_record_session_init.sh
+++ b/bin/hardening/8.1.9_record_session_init.sh
@@ -22,13 +22,10 @@ FILE='/etc/audit/rules.d/audit.rules'
 audit () {
 # define custom IFS and save default one
 d_IFS=$IFS
- c_IFS=$'\n'
- IFS=$c_IFS
+ IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
- IFS=$d_IFS
 does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
- IFS=$c_IFS
 if [ $FNRET != 0 ]; then
 crit "$AUDIT_VALUE is not in file $FILE"
 else
@@ -40,6 +37,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ d_IFS=$IFS
 IFS=$'\n'
 for AUDIT_VALUE in $AUDIT_PARAMS; do
 debug "$AUDIT_VALUE should be in file $FILE"
@@ -52,6 +50,7 @@ apply () {
 ok "$AUDIT_VALUE is present in $FILE"
 fi
 done
+ IFS=$d_IFS
 }
 # This function will check config parameters required