Fix issues #16 8.1.3_audit_bootloader check not accounting entire configs

Samson-W 2020-05-18 18:43:57 +08:00
parent 7e80cdc2aa
commit 44dbfbac01


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian-audit for Debian GNU/Linux 7/8/9 or CentOS 8 Hardening # harbian-audit for Debian GNU/Linux 7/8/9/10 or CentOS 8 Hardening
# Modify author: # Modify author:
# Samson-W (sccxboy@gmail.com) # Samson-W (sccxboy@gmail.com)
# #
@ -20,29 +20,31 @@ FILE='/etc/default/grub'
KEYWORD='GRUB_CMDLINE_LINUX' KEYWORD='GRUB_CMDLINE_LINUX'
OPTION='audit' OPTION='audit'
SETVAL=1 SETVAL=1
SERVICENAME='auditd.service'
PROCCMDLIN='/proc/cmdline'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
does_file_exist $FILE # Debian 10 (Buster), auditd is a system service
if [ $FNRET != 0 ]; then is_debian_ge_10
crit "$FILE does not exist" if [ $FNRET = 0 ]; then
FNRET=1 is_service_active $SERVICENAME
else if [ $FNRET -eq 0 ]; then
ok "$FILE exists, checking configuration" ok "$SERVICENAME is active!"
if [ $(grep -w "^${KEYWORD}" ${FILE} | grep -c ${OPTION}) -eq 1 ]; then FNRET=0
ok "$OPTION is present in $FILE" else
if [ $(grep -w "^${KEYWORD}" $FILE | grep -c "${OPTION}=${SETVAL}") -eq 1 ]; then crit "$SERVICENAME is inactive!"
ok "${OPTION}'s set is correctly." FNRET=1
FNRET=0 fi
else else
crit "${OPTION}'s set is not correctly." if [ $(grep -c "${OPTION}=${SETVAL}" $PROCCMDLIN) -eq 1 ]; then
FNRET=3 ok "There are "${OPTION}=${SETVAL}" in $PROCCMDLIN"
fi FNRET=0
else else
crit "$OPTION is not present in $FILE" crit "There aren't "${OPTION}=${SETVAL}" in ${PROCCMDLIN}"
FNRET=2 FNRET=1
fi fi
fi fi
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
@ -50,23 +52,24 @@ apply () {
if [ $FNRET = 0 ]; then if [ $FNRET = 0 ]; then
ok "${OPTION}'s set is correctly." ok "${OPTION}'s set is correctly."
elif [ $FNRET = 1 ]; then elif [ $FNRET = 1 ]; then
warn "$FILE does not exist, creating it" # Debian 10 (Buster), auditd is a system service
touch $FILE is_debian_ge_10
elif [ $FNRET = 2 ]; then if [ $FNRET = 0 ]; then
warn "$OPTION is not present in $FILE, add it to $KEYWORD line, need to reboot the system after setting it" warn "Start $SERVICENAME"
sed -i "s;\(${KEYWORD}=\)\(\".*\)\(\"\);\1\2 ${OPTION}=${SETVAL}\3;" $FILE systemctl start $SERVICENAME
if [ $OS_RELEASE -eq 1 ]; then else
usr/sbin/update-grub2 does_valid_pattern_exist_in_file $FILE "${OPTION}=${SETVAL}"
elif [ $OS_RELEASE -eq 2 ]; then if [ $FNRET = 0 ]; then
grub2-mkconfig o /boot/grub2/grub.cfg warn "$OPTION was present in $FILE, just need to reboot the system after setting it"
fi else
elif [ $FNRET = 3 ]; then warn "$OPTION is not present in $FILE, add it to $KEYWORD line, need to reboot the system after setting it"
warn "Parameter $OPTION is present but with the wrong value -- Fixing, need to reboot the system after setting it" sed -i "s;\(${KEYWORD}=\)\(\".*\)\(\"\);\1\2 ${OPTION}=${SETVAL}\3;" $FILE
sed -i "s/${OPTION}=./${OPTION}=${SETVAL}/" $FILE if [ $OS_RELEASE -eq 1 ]; then
if [ $OS_RELEASE -eq 1 ]; then /usr/sbin/update-grub2
usr/sbin/update-grub2 elif [ $OS_RELEASE -eq 2 ]; then
elif [ $OS_RELEASE -eq 2 ]; then grub2-mkconfig o /boot/grub2/grub.cfg
grub2-mkconfig o /boot/grub2/grub.cfg fi
fi
fi fi
fi fi
} }
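Review bot: `grub2-mkconfig o /boot/grub2/grub.cfg` in the CentOS branch of apply() still passes `o` as a positional argument instead of the `-o` flag, so the regenerated configuration is written to stdout rather than to /boot/grub2/grub.cfg; the commit fixed the neighbouring `/usr/sbin/update-grub2` path but left this line, which should read `grub2-mkconfig -o /boot/grub2/grub.cfg` (apply()'s opening line is outside the hunk). In the new audit() the Debian >= 10 branch reports ok as soon as auditd.service is active and never consults $PROCCMDLIN, yet an active auditd says nothing about whether the kernel was booted with `audit=1`, which is what OPTION/SETVAL and the script name describe — the `/proc/cmdline` test should run on both branches, with the service state as an additional condition rather than a substitute. The messages `ok "There are "${OPTION}=${SETVAL}" in $PROCCMDLIN"` and the matching crit line close the double quotes around the expansion, leaving `${OPTION}=${SETVAL}` unquoted; `ok "There are ${OPTION}=${SETVAL} in $PROCCMDLIN"` is what was intended. With the old FNRET=3 path gone, an existing `audit=0` in $FILE is no longer corrected: does_valid_pattern_exist_in_file does not find `audit=1`, and the sed then appends a second audit= parameter to the $KEYWORD line instead of replacing the value.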