Fix some bug for audit rules set.

bin/hardening/8.1.19_record_sshkeysign_usage.sh

@@ -10,14 +10,17 @@
 #
 
 set -u # One variable unset, it's over
+set -e # One error, it's over
 
 HARDENING_LEVEL=4
 
-
-AUDIT_PARAMS="-a always,exit -F path=$(find /usr/ -name "ssh-keysign") -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
--a always,exit -F path=$(which ssh-agent 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
-
-set -e # One error, it's over
+if [ $OS_RELEASE -eq 1 ]; then 
+AUDIT_PARAMS="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
+elif [ $OS_RELEASE -eq 2 ]; then
+AUDIT_PARAMS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
+fi
 
 FILE='/etc/audit/rules.d/audit.rules'
 

bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh

@@ -10,15 +10,22 @@
 #
 
 set -u # One variable unset, it's over
+set -e # One error, it's over
 
 HARDENING_LEVEL=4
 
-AUDIT_PARAMS="-a always,exit -F path=$(which passwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
--a always,exit -F path=$(which unix_chkpwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
--a always,exit -F path=$(which gpasswd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
--a always,exit -F path=$(which chage 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
+if [ $OS_RELEASE -eq 1 ]; then
+AUDIT_PARAMS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
+-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
+elif [ $OS_RELEASE -eq 1 ]; then
+AUDIT_PARAMS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
+-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
+fi
 
-set -e # One error, it's over
 FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh

@@ -10,17 +10,26 @@
 #
 
 set -u # One variable unset, it's over
+set -e # One error, it's over
 
 HARDENING_LEVEL=4
 
-AUDIT_PARAMS="-a always,exit -F path=$(which su 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=$(which sudo 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=$(which newgrp 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=$(which chsh 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=$(which sudoedit 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
--a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
+if [ $OS_RELEASE -eq 1 ]; then
+AUDIT_PARAMS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
+elif [ $OS_RELEASE -eq 2 ]; then
+AUDIT_PARAMS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
+fi
 
-set -e # One error, it's over
 FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh

@@ -10,13 +10,18 @@
 #
 
 set -u # One variable unset, it's over
+set -e # One error, it's over
 
 HARDENING_LEVEL=4
 
-AUDIT_PARAMS='-a always,exit -F path=$(which postdrop 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
--a always,exit -F path=$(which postqueue 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
+if [ $OS_RELEASE -eq 1 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
+if [ $OS_RELEASE -eq 2 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
+-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
+fi
 
-set -e # One error, it's over
 FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/8.1.24_record_crontab_cmd_usage.sh

@@ -10,14 +10,17 @@
 #
 
 set -u # One variable unset, it's over
-
+set -e # One error, it's over
 HARDENING_LEVEL=4
 
-AUDIT_PARAMS='-a always,exit -F path=$(which crontab 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
-
-set -e # One error, it's over
 FILE='/etc/audit/rules.d/audit.rules'
 
+if [ $OS_RELEASE -eq 1 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
+elif [ $OS_RELEASE -eq 2 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
+fi
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
     # define custom IFS and save default one

bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh

@@ -10,13 +10,15 @@
 #
 
 set -u # One variable unset, it's over
+set -e # One error, it's over
 
 HARDENING_LEVEL=4
-
-AUDIT_PARAMS='-a always,exit -F path=$(which pam_timestamp_check 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295  -k privileged-pam'
-
-set -e # One error, it's over
 FILE='/etc/audit/rules.d/audit.rules'
+if [ $OS_RELEASE -eq 1 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295  -k privileged-pam'
+elif [ $OS_RELEASE -eq 2 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295  -k privileged-pam'
+fi
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh

@@ -5,66 +5,75 @@
 #
 
 #
-# 8.1.26  Recored pam_tally/pam_tally2 command usage (Scored)
+# 8.1.26  Recored pam_tally/pam_tally2 command usage(Only for Debian) (Scored)
 # Author : Samson wen, Samson <sccxboy@gmail.com> Author add this 
 #
 
 set -u # One variable unset, it's over
-
-HARDENING_LEVEL=4
-
-AUDIT_PARAMS='-a always,exit -F path=$(which pam_tally 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
--a always,exit -F path=$(which pam_tally2 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
-
 set -e # One error, it's over
 FILE='/etc/audit/rules.d/audit.rules'
 
+HARDENING_LEVEL=4
+
+AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
+-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
+
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-		check_audit_path $AUDIT_VALUE 
-		if [ $FNRET -eq 1 ];then
-			crit "path is not exsit! Please check file path is exist!"
-			continue
-		else
-        	debug "$AUDIT_VALUE should be in file $FILE"
-        	IFS=$d_IFS
-        	does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
-        	IFS=$c_IFS
-        	if [ $FNRET != 0 ]; then
-            	crit "$AUDIT_VALUE is not in file $FILE"
-        	else
-            	ok "$AUDIT_VALUE is present in $FILE"
-        	fi
-		fi
-    done
-    IFS=$d_IFS
+	# This feature is only for debian
+	if [ $OS_RELEASE -eq 2 ]; then
+		ok "CentOS/Redhat is not support, so pass"
+	elif [ $OS_RELEASE -eq 1 ]; then
+    	# define custom IFS and save default one
+    	d_IFS=$IFS
+    	c_IFS=$'\n'
+    	IFS=$c_IFS
+    	for AUDIT_VALUE in $AUDIT_PARAMS; do
+			check_audit_path $AUDIT_VALUE 
+			if [ $FNRET -eq 1 ];then
+				crit "path is not exsit! Please check file path is exist!"
+				continue
+			else
+        		debug "$AUDIT_VALUE should be in file $FILE"
+        		IFS=$d_IFS
+        		does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
+        		IFS=$c_IFS
+        		if [ $FNRET != 0 ]; then
+            		crit "$AUDIT_VALUE is not in file $FILE"
+        		else
+            		ok "$AUDIT_VALUE is present in $FILE"
+        		fi
+			fi
+    	done
+    	IFS=$d_IFS
+	fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply () {
-    IFS=$'\n'
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-		check_audit_path $AUDIT_VALUE 
-		if [ $FNRET -eq 1 ];then
-			crit "path is not exsit! Please check file path is exist!"
-			continue
-		else
-        	debug "$AUDIT_VALUE should be in file $FILE"
-        	does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
-        	if [ $FNRET != 0 ]; then
-            	warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            	add_end_of_file $FILE $AUDIT_VALUE
-				check_auditd_is_immutable_mode
-        	else
-            	ok "$AUDIT_VALUE is present in $FILE"
-        	fi
-		fi
-    done
+	# This feature is only for debian
+	if [ $OS_RELEASE -eq 2 ]; then
+		ok "CentOS/Redhat is not support, so pass"
+	elif [ $OS_RELEASE -eq 1 ]; then
+    	IFS=$'\n'
+    	for AUDIT_VALUE in $AUDIT_PARAMS; do
+			check_audit_path $AUDIT_VALUE 
+			if [ $FNRET -eq 1 ];then
+				crit "path is not exsit! Please check file path is exist!"
+				continue
+			else
+        		debug "$AUDIT_VALUE should be in file $FILE"
+        		does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
+        		if [ $FNRET != 0 ]; then
+            		warn "$AUDIT_VALUE is not in file $FILE, adding it"
+            		add_end_of_file $FILE $AUDIT_VALUE
+					check_auditd_is_immutable_mode
+        		else
+            		ok "$AUDIT_VALUE is present in $FILE"
+        		fi
+			fi
+    	done
+	fi
 }
 
 # This function will check config parameters required

bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh

@@ -10,16 +10,17 @@
 #
 
 set -u # One variable unset, it's over
+set -e # One error, it's over
 
 HARDENING_LEVEL=4
 
-AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F perm=wa -k config_file_change
--a always,exit -F path=$(find /etc/ -name auditd.conf) -F perm=wa -k config_file_change
+AUDIT_PARAMS='-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
+-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
+-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
+-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
+-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
+-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
 -a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
--a always,exit -F path=$(find /etc/ -name grub) -F perm=wa -k config_file_change
--a always,exit -F path=$(find /etc/ -name fstab) -F perm=wa -k config_file_change
--a always,exit -F path=$(find /etc/ -name hosts.deny) -F perm=wa -k config_file_change
--a always,exit -F path=$(find /etc/ -name login.defs) -F perm=wa -k config_file_change
 -a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
 -a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
 -a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
@@ -27,7 +28,6 @@ AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F p
 -a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change
 -a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change'
 
-set -e # One error, it's over
 FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/8.1.28_record_acl_cmd_usage.sh

@@ -8,16 +8,16 @@
 # 8.1.28  Recored Events that privileged-acl command usage (Scored)
 # Author : Samson wen, Samson <sccxboy@gmail.com>
 #
+# todo to ensure path in debian 
 
 set -u # One variable unset, it's over
+set -e # One error, it's over
+FILE='/etc/audit/rules.d/audit.rules'
 
 HARDENING_LEVEL=4
 
-AUDIT_PARAMS='-a always,exit -F path=$(which setfacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
--a always,exit -F path=$(which chacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
-
-set -e # One error, it's over
-FILE='/etc/audit/rules.d/audit.rules'
+AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/8.1.29_record_usermod_cmd_usage.sh

@@ -10,13 +10,16 @@
 #
 
 set -u # One variable unset, it's over
+set -e # One error, it's over
+FILE='/etc/audit/rules.d/audit.rules'
 
 HARDENING_LEVEL=4
 
-AUDIT_PARAMS='-a always,exit -F path=$(which usermod 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
-
-set -e # One error, it's over
-FILE='/etc/audit/rules.d/audit.rules'
+if [ $OS_RELEASE -eq 1 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
+elif [ $OS_RELEASE -eq 2 ]; then
+AUDIT_PARAMS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
+fi
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/8.1.30_record_unix_update_cmd_usage.sh

@@ -10,13 +10,12 @@
 #
 
 set -u # One variable unset, it's over
+set -e # One error, it's over
+FILE='/etc/audit/rules.d/audit.rules'
 
 HARDENING_LEVEL=4
 
-AUDIT_PARAMS='-a always,exit -F path=$(which unix_update 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
-
-set -e # One error, it's over
-FILE='/etc/audit/rules.d/audit.rules'
+AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
 
 # This function will be called if the script status is on enabled / audit mode
 audit () {

bin/hardening/8.1.7_record_mac_edit.sh

@@ -11,6 +11,7 @@
 # todo test for centos
 
 set -u # One variable unset, it's over
+set -e # One error, it's over
 
 HARDENING_LEVEL=4
 
@@ -19,17 +20,16 @@ SELINUX_PKG_REDHAT="selinux-policy"
 
 SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
 -a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
--a always,exit -F path=$(which chcon 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
--a always,exit -F path=$(which semanage 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng
--a always,exit -F path=$(which setsebool 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng
--a always,exit -F path=$(which setfiles 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng"
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k perm_chng"
 
 APPARMOR_PKG="apparmor"
 AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
 -w /etc/apparmor.d/ -p wa -k MAC-policy
 -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
 
-set -e # One error, it's over
 FILE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode

bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh

@@ -41,7 +41,9 @@ apply () {
 	else
 		warn  "Permissions of all log files are not correctly configured! Set it"
 		chmod -R $PERMISS_SET $LOGDIR/*
-		rm $ERRPERFILELIST
+		if [ -r $ERRPERFILELIST ]; then
+			rm $ERRPERFILELIST
+		fi
 	fi
 }