tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #24 from Samson-W/master 

Modify auditd related check items to apply -dont-auditd-by-uid and check_audit_path.
This commit is contained in:
Samson.W 2021-06-22 21:51:36 +08:00 committed by GitHub
parent 2330cea519 e45da09761
commit 8a02a3638c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
32 changed files with 599 additions and 301 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
bin/hardening.sh
View File

@ -91,9 +91,9 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
password strength and robustness;
2. Aide reinitializes.
--dont-auditd-by-uid
--dont-auditd-by-uid <1/0>
Auditd rules do not use uid parameter, for all user to auditd. If set 1 will not use uid, else if
set 0 will use uid.
set 0 will use uid. Default is 0.
OPTIONS:
@ -185,15 +185,19 @@ if [ -z "$CIS_ROOT_DIR" ]; then
fi
# For --dont-auditd-by-uid
if [ $DONT_BY_UID_G_CONFIG -ne 127 ]; then
if [ $DONT_BY_UID_G_CONFIG -eq 1 ]; then
echo "Set dont use uid for auditd rules"
sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=1/g' $CIS_ROOT_DIR/etc/hardening.cfg
else
echo "Set use uid for auditd rules"
sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=0/g' $CIS_ROOT_DIR/etc/hardening.cfg
if [ -z "$DONT_BY_UID_G_CONFIG" ]; then
usage
else
if [ $DONT_BY_UID_G_CONFIG -ne 127 ]; then
if [ $DONT_BY_UID_G_CONFIG -eq 1 ]; then
echo "Set dont use uid for auditd rules"
sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=1/g' $CIS_ROOT_DIR/etc/hardening.cfg
else
echo "Set use uid for auditd rules"
sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=0/g' $CIS_ROOT_DIR/etc/hardening.cfg
fi
exit 0
fi
exit 0
fi
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
@ -201,8 +205,6 @@ fi
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
# For --init
if [ $INIT_G_CONFIG -eq 1 ]; then
if [ -r /etc/redhat-release ]; then

65
bin/hardening/8.1.10_record_dac_edit.sh
View File

@ -14,15 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -38,11 +29,17 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
ok "$AUDIT_VALUE is present in $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -54,13 +51,19 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -68,7 +71,27 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
fi
}
# Source Root Dir Parameter

22
bin/hardening/8.1.11_record_failed_access_file.sh
View File

@ -14,12 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -65,7 +59,21 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
fi
}
# Source Root Dir Parameter

14
bin/hardening/8.1.13_record_successful_mount.sh
View File

@ -14,10 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -63,7 +59,15 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -k mounts
-a always,exit -F arch=b32 -S mount -k mounts'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -k mounts'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
fi
}
# Source Root Dir Parameter

13
bin/hardening/8.1.14_record_file_deletions.sh
View File

@ -14,9 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -63,7 +60,15 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
fi
}
# Source Root Dir Parameter

36
bin/hardening/8.1.15_record_sudoers_edit.sh
View File

@ -24,11 +24,17 @@ audit () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -40,13 +46,19 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS

21
bin/hardening/8.1.16_record_sudo_usage.sh
View File

@ -22,12 +22,17 @@ audit () {
# define custom IFS and save default one
d_IFS=$IFS
IFS=$'\n'
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
FNRET=1
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
FNRET=2
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
IFS=$d_IFS
}
@ -37,10 +42,12 @@ apply () {
# define custom IFS and save default one
d_IFS=$IFS
IFS=$'\n'
if [ $FNRET = 1 ]; then
if [ $FNRET = 2 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
elif [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
else
ok "$AUDIT_VALUE is present in $FILE"
fi

38
bin/hardening/8.1.17_record_kernel_modules.sh
View File

@ -41,12 +41,18 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -57,13 +63,19 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS

17
bin/hardening/8.1.18_record_Events_netfilter.sh
View File

@ -14,11 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -69,7 +64,17 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-w /usr/sbin/netfilter-persistent -p x -k nft_persistent_use
-w /usr/sbin/nft -p x -k nft_cmd_use'
else
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-w /usr/sbin/netfilter-persistent -p x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
-w /usr/sbin/nft -p x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use'
fi
}
# Source Root Dir Parameter

17
bin/hardening/8.1.19_record_sshkeysign_usage.sh
View File

@ -15,11 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -72,6 +67,18 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh"
else
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

10
bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh
View File

@ -14,8 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -56,7 +54,13 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -k access'
else
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
fi
}
# Source Root Dir Parameter

29
bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh
View File

@ -15,15 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -76,6 +67,26 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -k privileged-passwd"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -k privileged-passwd"
else
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

41
bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh
View File

@ -15,19 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -80,6 +67,34 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -k privileged-priv_change"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -k privileged-priv_change"
else
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

17
bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh
View File

@ -15,11 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -72,6 +67,18 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -k privileged-postfix'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -k privileged-postfix'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

10
bin/hardening/8.1.24_record_crontab_cmd_usage.sh
View File

@ -15,8 +15,6 @@ HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -69,6 +67,14 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -k privileged-cron'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -k privileged-cron'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

10
bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh
View File

@ -15,8 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -69,6 +67,14 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -k privileged-pam'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -k privileged-pam'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

11
bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
View File

@ -15,9 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
# This function will be called if the script status is on enabled / audit mode
audit () {
# This feature is only for debian
@ -78,7 +75,13 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -k privileged-pam'
else
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
fi
}
# Source Root Dir Parameter

11
bin/hardening/8.1.28_record_acl_cmd_usage.sh
View File

@ -16,9 +16,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
@ -69,7 +66,13 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -k perm_chng'
else
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
fi
}
# Source Root Dir Parameter

10
bin/hardening/8.1.29_record_usermod_cmd_usage.sh
View File

@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -69,6 +67,14 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -k privileged-usermod'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -k privileged-usermod'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

8
bin/hardening/8.1.30_record_unix_update_cmd_usage.sh
View File

@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
@ -67,7 +65,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -k privileged-unix-update'
else
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
fi
}
# Source Root Dir Parameter

65
bin/hardening/8.1.34_record_file_transfer_related.sh → bin/hardening/8.1.31_record_file_transfer_related.sh
View File

@ -5,7 +5,7 @@
#
#
# 8.1.34 Collect file transfer related items (Scored)
# 8.1.31 Collect file transfer related items (Scored)
# Add by Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -14,11 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/wget -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/sftp -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/curl -F perm=x -k file_transfer_exec'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -30,15 +25,21 @@ audit () {
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$RESULT is not in file $FILE"
else
ok "$RESULT is present in $FILE"
fi
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
IFS=$d_IFS
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$RESULT is not in file $FILE"
else
ok "$RESULT is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -48,21 +49,37 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/wget -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/sftp -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/curl -F perm=x -k file_transfer_exec'
else
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec
-a always,exit -F path=/usr/bin/wget -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec
-a always,exit -F path=/usr/bin/sftp -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec
-a always,exit -F path=/usr/bin/curl -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec'
fi
}
# Source Root Dir Parameter

44
bin/hardening/8.1.32_record_ufw_of_debian_like.sh
View File

@ -33,14 +33,20 @@ audit () {
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$RESULT is not in file $FILE"
else
ok "$RESULT is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
IFS=$d_IFS
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$RESULT is not in file $FILE"
else
ok "$RESULT is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -55,14 +61,20 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
fi

44
bin/hardening/8.1.33_record_iptables_restore_exec.sh
View File

@ -27,14 +27,20 @@ audit () {
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$RESULT is not in file $FILE"
else
ok "$RESULT is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
IFS=$d_IFS
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$RESULT is not in file $FILE"
else
ok "$RESULT is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -45,14 +51,20 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
}

17
bin/hardening/8.1.31_record_privileged_commands.sh → bin/hardening/8.1.34_record_privileged_commands.sh
View File

@ -5,7 +5,7 @@
#
#
# 8.1.31 Collect Use of Privileged Commands (Scored)
# 8.1.34 Collect Use of Privileged Commands (Scored)
#
set -e # One error, it's over
@ -13,10 +13,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
# Find all files with setuid or setgid set
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
-k privileged" }')
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -59,7 +55,16 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
# Find all files with setuid or setgid set
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
"-a always,exit -F path=" $1 " -F perm=x -k privileged" }')
else
# Find all files with setuid or setgid set
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
-k privileged" }')
fi
}
# Source Root Dir Parameter

38
bin/hardening/8.1.4_record_date_time_edit.sh
View File

@ -39,11 +39,17 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE ""$AUDIT_VALUE""
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE ""$AUDIT_VALUE""
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -55,14 +61,20 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE ""$AUDIT_VALUE""
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE ""$AUDIT_VALUE""
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}

38
bin/hardening/8.1.5_record_user_group_edit.sh
View File

@ -27,12 +27,18 @@ audit () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -43,13 +49,19 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS

38
bin/hardening/8.1.6_record_network_edit.sh
View File

@ -40,12 +40,18 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -56,13 +62,19 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS

84
bin/hardening/8.1.7_record_mac_edit.sh
View File

@ -17,23 +17,7 @@ HARDENING_LEVEL=4
SELINUX_PKG="selinux-basics"
SELINUX_PKG_CENTOS="selinux-policy"
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"
APPARMOR_PKG="apparmor"
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
FILE='/etc/audit/rules.d/audit.rules'
@ -62,11 +46,17 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -94,13 +84,19 @@ apply () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -108,7 +104,37 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/bin/chcon -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/bin/newrole -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -k MAC_Event"
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -k MAC-policy'
else
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
fi
}
# Source Root Dir Parameter

36
bin/hardening/8.1.8_record_login_logout.sh
View File

@ -32,11 +32,17 @@ audit () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -51,13 +57,19 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS

36
bin/hardening/8.1.9_record_session_init.sh
View File

@ -31,11 +31,17 @@ audit () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
@ -50,13 +56,19 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS

2
bin/hardening/8.4.1_install_aide.sh
View File

@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
# NB : in CIS, AIDE has been chosen, however we chose tripwire
PACKAGE='aide'
PACKAGE='aide aide-common'
# This function will be called if the script status is on enabled / audit mode
audit () {

32
lib/utils.sh
View File

@ -1141,7 +1141,9 @@ yum_check_updates()
# Check path of audit rule is exist, return 0 if path string is not NULL, else return 1
# Example:
# Process only the following format:
# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" or
# AUDITRULE="-a always,exit -F dir=/home/ -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" or
# AUDITRULE="-w /home/ -k privileged-passwd"
# Please manually execute apt-file (Debian) / yum Provides (redhat) to ensure that the path already exists in the repository.
# example: apt-file search /usr/bin/passwd
# freedom-maker: /usr/bin/passwd-in-image
@ -1149,13 +1151,29 @@ yum_check_updates()
check_audit_path ()
{
AUDITRULE=$1
RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
debug "File $RESULT is exist!"
FNRET=0
# Check -w style, for example: "-w /etc/shadow -p wa" "-w /etc/ -p wa"
if [[ $AUDITRULE =~ "-w" ]]; then
RESULT=$(echo $AUDITRULE | awk '{print $2}')
if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
debug "File $RESULT is exist!"
FNRET=0
else
warn "File $RESULT is not exist!"
FNRET=1
fi
# Check -F style, for example: "-a always,exit -F path=/etc/shadow -F perm=wa" "-a always,exit -F dir=/etc/ -F perm=wa"
elif [ $(echo $AUDITRULE | grep -c "\-F.*path=") -eq 1 -o $(echo $AUDITRULE | grep -c "\-F.*dir=") -eq 1 ]; then
RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
debug "File $RESULT is exist!"
FNRET=0
else
warn "File $RESULT is not exist!"
FNRET=1
fi
else
warn "File $RESULT is not exist!"
FNRET=1
info "This rule is not including path or dir."
FNRET=0
fi
}