diff --git a/bin/hardening.sh b/bin/hardening.sh index 31e5190..0c0db66 100755 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -91,9 +91,9 @@ $LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of: password strength and robustness; 2. Aide reinitializes. - --dont-auditd-by-uid + --dont-auditd-by-uid <1/0> Auditd rules do not use uid parameter, for all user to auditd. If set 1 will not use uid, else if - set 0 will use uid. + set 0 will use uid. Default is 0. OPTIONS: @@ -185,15 +185,19 @@ if [ -z "$CIS_ROOT_DIR" ]; then fi # For --dont-auditd-by-uid -if [ $DONT_BY_UID_G_CONFIG -ne 127 ]; then - if [ $DONT_BY_UID_G_CONFIG -eq 1 ]; then - echo "Set dont use uid for auditd rules" - sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=1/g' $CIS_ROOT_DIR/etc/hardening.cfg - else - echo "Set use uid for auditd rules" - sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=0/g' $CIS_ROOT_DIR/etc/hardening.cfg +if [ -z "$DONT_BY_UID_G_CONFIG" ]; then + usage +else + if [ $DONT_BY_UID_G_CONFIG -ne 127 ]; then + if [ $DONT_BY_UID_G_CONFIG -eq 1 ]; then + echo "Set dont use uid for auditd rules" + sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=1/g' $CIS_ROOT_DIR/etc/hardening.cfg + else + echo "Set use uid for auditd rules" + sed -i 's/^DONT_AUDITD_BY_UID=.*/DONT_AUDITD_BY_UID=0/g' $CIS_ROOT_DIR/etc/hardening.cfg + fi + exit 0 fi - exit 0 fi [ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh @@ -201,8 +205,6 @@ fi [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh - - # For --init if [ $INIT_G_CONFIG -eq 1 ]; then if [ -r /etc/redhat-release ]; then diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh index 5f72f0e..4639b3a 100755 --- a/bin/hardening/8.1.10_record_dac_edit.sh +++ b/bin/hardening/8.1.10_record_dac_edit.sh 
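Review bot: The new emptiness test on `DONT_BY_UID_G_CONFIG` in the second hunk only catches a missing argument; any value other than 0 or 1 falls into the `else` branch and is silently written as `DONT_AUDITD_BY_UID=0`, and a non-numeric value makes `[ $DONT_BY_UID_G_CONFIG -ne 127 ]` fail with an "integer expression expected" error instead of showing usage. A `case` on the value covers both at once: `case "$DONT_BY_UID_G_CONFIG" in 127) ;; 0|1) …sed…; exit 0 ;; *) usage ;; esac`. The `sed -i 's/^DONT_AUDITD_BY_UID=.*/…/'` lines are also a silent no-op when hardening.cfg does not yet contain a `DONT_AUDITD_BY_UID=` line, so "Set dont use uid for auditd rules" can be printed while nothing changes; a `grep -q '^DONT_AUDITD_BY_UID=' "$CIS_ROOT_DIR/etc/hardening.cfg"` check with an append fallback would close that gap. The sentinel 127 is presumably "option not given on the command line", but nothing in the hunk says so; a comment to that effect next to the test would help, and both `$DONT_BY_UID_G_CONFIG` and `$CIS_ROOT_DIR/etc/hardening.cfg` should be quoted since the value comes straight from argv.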
@@ -14,15 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' -ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -38,11 +29,17 @@ audit () { fi for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue else - ok "$AUDIT_VALUE is present in $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS 
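Review bot: The branch added around `check_audit_path` in audit() reports `warn "path is not exsit! Please check file path is exist!"` without naming the rule, so on a host where several watched paths are missing the operator cannot tell which audit rule was skipped; the message should carry the rule and fix the typo, e.g. `warn "$AUDIT_VALUE: watched path does not exist, rule skipped"`. The same message and branch shape are repeated in the apply() hunk of this file and in 8.1.15, 8.1.16 and 8.1.17, so whatever wording is chosen should be applied to all of them (or moved into the helper that sets FNRET, which is presumably defined in a shared library outside this diff). `check_audit_path $AUDIT_VALUE` is passed unquoted and relies on the surrounding `IFS=$'\n'` to keep the rule in one word; `check_audit_path "$AUDIT_VALUE"` makes that explicit and matches how `does_pattern_exist_in_file` receives it on the next line. The rules this file ships are syscall rules (`-S chmod`, `-S chown`, `-S setxattr`) with no path at all, so it is worth confirming that `check_audit_path` returns 0 for them — if it returns 1 the whole rule set is skipped with only a warning in both audit and apply. Since the branch ends in `continue`, the `else` and its extra indentation level are unnecessary.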
@@ -54,13 +51,19 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS 
@@ -68,7 +71,27 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod' + else +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S 
lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.11_record_failed_access_file.sh b/bin/hardening/8.1.11_record_failed_access_file.sh index b33060c..3917094 100755 --- a/bin/hardening/8.1.11_record_failed_access_file.sh +++ b/bin/hardening/8.1.11_record_failed_access_file.sh @@ -14,12 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' -ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
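Review bot: `if [ $DONT_AUDITD_BY_UID -eq 1 ]; then` in check_config aborts the script when the variable is not defined, because this file runs under `set -u` (context of the first hunk) and a hardening.cfg written before this option existed will have no `DONT_AUDITD_BY_UID` line; the usage text says the default is 0, so the test should read `if [ "${DONT_AUDITD_BY_UID:-0}" -eq 1 ]; then`. The same test appears in the check_config hunks of 8.1.11, 8.1.13, 8.1.14, 8.1.18, 8.1.19, 8.1.20, 8.1.21, 8.1.22, 8.1.23, 8.1.24, 8.1.25 and 8.1.26 and needs the same guard in each. Keeping two full copies of every rule set per file invites the branches to drift apart over time; since the uid-free variant differs only by the absence of `-F auid>=1000 -F auid!=4294967295`, one copy could be written and the other derived, e.g. `ARCH64_AUDIT_PARAMS=${ARCH64_AUDIT_PARAMS// -F auid>=1000 -F auid!=4294967295/}`. The assignments inside the function sit at column 0 while the surrounding `if`/`else`/`fi` are indented, presumably so the continuation lines of the multi-line strings stay unindented; a one-line comment saying so would stop the next reader from "fixing" it.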
@@ -65,7 +59,21 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access' + else +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh index 7500ad3..e295058 100755 --- a/bin/hardening/8.1.13_record_successful_mount.sh +++ b/bin/hardening/8.1.13_record_successful_mount.sh 
@@ -14,10 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' -ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' - FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -63,7 +59,15 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -k mounts +-a always,exit -F arch=b32 -S mount -k mounts' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -k mounts' + else +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh index f3d9481..75aa43f 100755 --- a/bin/hardening/8.1.14_record_file_deletions.sh +++ b/bin/hardening/8.1.14_record_file_deletions.sh @@ -14,9 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete' -ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
@@ -63,7 +60,15 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete' + else +ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete' +ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.15_record_sudoers_edit.sh b/bin/hardening/8.1.15_record_sudoers_edit.sh index 5d30bc7..abfbd74 100755 --- a/bin/hardening/8.1.15_record_sudoers_edit.sh +++ b/bin/hardening/8.1.15_record_sudoers_edit.sh @@ -24,11 +24,17 @@ audit () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS 
@@ -40,13 +46,19 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh index 8a8c515..15ac4ee 100755 --- a/bin/hardening/8.1.16_record_sudo_usage.sh +++ b/bin/hardening/8.1.16_record_sudo_usage.sh @@ -22,12 +22,17 @@ audit () { # define custom IFS and save default one d_IFS=$IFS IFS=$'\n' - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - FNRET=1 - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + FNRET=2 + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi IFS=$d_IFS } @@ -37,10 +42,12 @@ apply () { # define custom IFS and save default one d_IFS=$IFS IFS=$'\n' - if [ $FNRET = 1 ]; then + if [ $FNRET = 2 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE check_auditd_is_immutable_mode + elif [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" else ok "$AUDIT_VALUE is present in $FILE" fi 
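Review bot: `FNRET=2` in audit() together with `if [ $FNRET = 2 ]` and `elif [ $FNRET -eq 1 ]` in apply() of 8.1.16 turn FNRET into a three-state protocol between the two functions, but nothing in either hunk says what the values mean, and as far as the hunks show apply() reads FNRET without recomputing it, so it only works when audit() has just run in the same process. A comment above audit() such as `# FNRET after audit: 0 = rule present, 1 = watched path missing (from check_audit_path), 2 = rule missing from $FILE` would document the contract, and the mixed `=` / `-eq` comparisons on the same integer could be unified to `-eq`. The path-missing branch in audit() only warns and leaves FNRET at whatever `check_audit_path` set; presumably that is 1, since the new `elif` tests for it, but the dependency is implicit. `];then` without a space in the new `if`/`elif` lines departs from the `]; then` used in the rest of these files.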
diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh index 9e9d33d..b620571 100755 --- a/bin/hardening/8.1.17_record_kernel_modules.sh +++ b/bin/hardening/8.1.17_record_kernel_modules.sh @@ -41,12 +41,18 @@ audit () { fi for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } @@ -57,13 +63,19 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS diff --git a/bin/hardening/8.1.18_record_Events_netfilter.sh b/bin/hardening/8.1.18_record_Events_netfilter.sh index 6c966c3..87baae6 100755 --- a/bin/hardening/8.1.18_record_Events_netfilter.sh +++ b/bin/hardening/8.1.18_record_Events_netfilter.sh 
@@ -14,11 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change --w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change --a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use --a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use' - FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -69,7 +64,17 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change +-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change +-w /usr/sbin/netfilter-persistent -p x -k nft_persistent_use +-w /usr/sbin/nft -p x -k nft_cmd_use' + else +AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change +-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change +-w /usr/sbin/netfilter-persistent -p x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use +-w /usr/sbin/nft -p x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.19_record_sshkeysign_usage.sh b/bin/hardening/8.1.19_record_sshkeysign_usage.sh index 9ab4f68..1784974 100755 --- a/bin/hardening/8.1.19_record_sshkeysign_usage.sh +++ b/bin/hardening/8.1.19_record_sshkeysign_usage.sh 
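Review bot: The `else` branch of the new check_config in 8.1.18 — the branch taken at the documented default `DONT_AUDITD_BY_UID=0` — does not reproduce the rules this commit removes from the top of the file: `-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use` became `-w /usr/sbin/nft -p x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use`, and likewise for netfilter-persistent. On hosts hardened with the previous version, `does_pattern_exist_in_file` will presumably not match the new text, so audit will report the rule missing and apply will append it beside the old line — the default path changes behaviour even though the option is off. If the `-w` form is intended, the default branch should keep the previous spelling or the old line should be handled explicitly. Whether auditctl accepts `-F auid…` fields on a `-w` watch should also be confirmed against the target auditd version, since a rejected line in audit.rules fails the whole ruleset load.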
@@ -15,11 +15,6 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" -AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh --a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" - AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode @@ -72,6 +67,18 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh" + else +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh b/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh index 268cf73..73a634c 100755 
--- a/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh +++ b/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh @@ -14,8 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -56,7 +54,13 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -k access' + else +AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh index 6d490db..af4b58b 100755 --- a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh +++ b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh 
@@ -15,15 +15,6 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" -AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" - AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -76,6 +67,26 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd +-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd +-a always,exit -F path=/usr/bin/chage -F perm=x -k privileged-passwd" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd +-a always,exit -F path=/bin/chage -F perm=x -k privileged-passwd" + else +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh index 6f9a111..1a8199f 100755 
--- a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh +++ b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh @@ -15,19 +15,6 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" -AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" - AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -80,6 +67,34 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -k privileged-priv_change +-a always,exit -F path=/usr/bin/newgrp -F perm=x -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -k privileged-priv_change +-a always,exit -F path=/usr/bin/chfn -F perm=x -k privileged-priv_change" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change +-a always,exit -F path=/bin/sudo -F perm=x -k privileged-priv_change +-a always,exit -F path=/bin/newgrp -F perm=x -k privileged-priv_change +-a always,exit -F path=/bin/chsh -F perm=x -k privileged-priv_change +-a always,exit -F path=/bin/sudoedit -F perm=x -k privileged-priv_change +-a always,exit -F path=/bin/chfn -F perm=x -k privileged-priv_change" + else +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" +AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/newgrp -F 
perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh index d99645b..770d532 100755 --- a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh +++ b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh @@ -15,11 +15,6 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix --a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' -AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix --a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' - AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
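Review bot: In the `else` branch of check_config in 8.1.22 the two chfn rules keep `-F auid>=500` while every other rule in the same block uses `-F auid>=1000`, so with the default setting chfn executions by accounts with uid 500–999 are recorded but su/sudo/newgrp/chsh/sudoedit executions by the same accounts are not. The value is carried over from the removed lines, but now that both variants are spelled out side by side the inconsistency is cheap to fix: `-F auid>=1000` on both chfn lines, or a comment stating why chfn is treated differently. check_config continues past the hunk with the `OS_RELEASE` selection.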
@@ -72,6 +67,18 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -k privileged-postfix' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -k privileged-postfix +-a always,exit -F path=/sbin/postqueue -F perm=x -k privileged-postfix' + else +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh index f36f46d..998386e 100755 --- a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh +++ b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh @@ -15,8 +15,6 @@ HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' -AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -69,6 +67,14 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -k privileged-cron' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -k privileged-cron' + else +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh index 41ac3be..26d6444 100755 --- a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh +++ b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh @@ -15,8 +15,6 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' -AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -69,6 +67,14 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -k privileged-pam' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -k privileged-pam' + else +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh index b3f4b17..81d9052 100755 --- a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh +++ b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh @@ -15,9 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam --a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam' - # This function will be called if the script status is on enabled / audit mode audit () { # This feature is only for debian @@ -78,7 +75,13 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -k privileged-pam +-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -k privileged-pam' + else +AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam +-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam' + fi } # Source Root Dir Parameter 
diff --git a/bin/hardening/8.1.28_record_acl_cmd_usage.sh b/bin/hardening/8.1.28_record_acl_cmd_usage.sh index a8c91df..a131b28 100755 --- a/bin/hardening/8.1.28_record_acl_cmd_usage.sh +++ b/bin/hardening/8.1.28_record_acl_cmd_usage.sh @@ -16,9 +16,6 @@ FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' - # This function will be called if the script status is on enabled / audit mode audit () { # define custom IFS and save default one @@ -69,7 +66,13 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -k perm_chng +-a always,exit -F path=/usr/bin/chacl -F perm=x -k perm_chng' + else +AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh index 9595d04..75765aa 100755 --- a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh +++ b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh @@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' -AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode 
@@ -69,6 +67,14 @@ apply () { # This function will check config parameters required check_config() { + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -k privileged-usermod' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -k privileged-usermod' + else +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' + fi + if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN elif [ $OS_RELEASE -eq 2 ]; then diff --git a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh index 503cc55..b0386f7 100755 --- a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh +++ b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh @@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' - # This function will be called if the script status is on enabled / audit mode audit () { # define custom IFS and save default one @@ -67,7 +65,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -k privileged-unix-update' + else +AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' + fi } # Source Root Dir Parameter 
diff --git a/bin/hardening/8.1.34_record_file_transfer_related.sh b/bin/hardening/8.1.31_record_file_transfer_related.sh similarity index 54% rename from bin/hardening/8.1.34_record_file_transfer_related.sh rename to bin/hardening/8.1.31_record_file_transfer_related.sh index 996ecc2..0b5ce6f 100755 --- a/bin/hardening/8.1.34_record_file_transfer_related.sh +++ b/bin/hardening/8.1.31_record_file_transfer_related.sh @@ -5,7 +5,7 @@ # # -# 8.1.34 Collect file transfer related items (Scored) +# 8.1.31 Collect file transfer related items (Scored) # Add by Author : Samson wen, Samson # @@ -14,11 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -k file_transfer_exec --a always,exit -F path=/usr/bin/wget -F perm=x -k file_transfer_exec --a always,exit -F path=/usr/bin/sftp -F perm=x -k file_transfer_exec --a always,exit -F path=/usr/bin/curl -F perm=x -k file_transfer_exec' - FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -30,15 +25,21 @@ audit () { IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') - does_valid_pattern_exist_in_file $FILE "$RESULT" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$RESULT is not in file $FILE" - else - ok "$RESULT is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + IFS=$d_IFS + RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') + does_valid_pattern_exist_in_file $FILE "$RESULT" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$RESULT is not in file $FILE" + else + ok "$RESULT is present in $FILE" + fi + fi done IFS=$d_IFS } 
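Review bot: `check_audit_path $AUDIT_VALUE` passes the whole rule unquoted; it only reaches the helper as a single `$1` because IFS was switched to `$c_IFS` a few lines earlier, and the unquoted expansion is still subject to pathname expansion. Quote it, `check_audit_path "$AUDIT_VALUE"`, so the call no longer depends on the IFS juggling around it. Note what the new branch does in audit mode: a rule whose path is missing now yields a warn plus `continue` instead of a crit, so the check reports no finding for that rule; if that is the intended policy the warn should name what was skipped, e.g. `warn "Path in rule does not exist, skipping: $AUDIT_VALUE"` (which also fixes the "exsit" spelling). The same pattern is repeated in the apply() hunk below and in the audit()/apply() hunks of 8.1.32, 8.1.33, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8 and 8.1.9.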
@@ -48,21 +49,37 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') - does_valid_pattern_exist_in_file $FILE "$RESULT" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') + does_valid_pattern_exist_in_file $FILE "$RESULT" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done } # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -k file_transfer_exec +-a always,exit -F path=/usr/bin/wget -F perm=x -k file_transfer_exec +-a always,exit -F path=/usr/bin/sftp -F perm=x -k file_transfer_exec +-a always,exit -F path=/usr/bin/curl -F perm=x -k file_transfer_exec' + else +AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec +-a always,exit -F path=/usr/bin/wget -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec +-a always,exit -F path=/usr/bin/sftp -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec +-a always,exit -F path=/usr/bin/curl -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.32_record_ufw_of_debian_like.sh b/bin/hardening/8.1.32_record_ufw_of_debian_like.sh index 2317fb2..4fa87cf 100755 
--- a/bin/hardening/8.1.32_record_ufw_of_debian_like.sh +++ b/bin/hardening/8.1.32_record_ufw_of_debian_like.sh @@ -33,14 +33,20 @@ audit () { IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') - does_valid_pattern_exist_in_file $FILE "$RESULT" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$RESULT is not in file $FILE" - else - ok "$RESULT is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + IFS=$d_IFS + RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') + does_valid_pattern_exist_in_file $FILE "$RESULT" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$RESULT is not in file $FILE" + else + ok "$RESULT is present in $FILE" + fi fi done IFS=$d_IFS @@ -55,14 +61,20 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') - does_valid_pattern_exist_in_file $FILE "$RESULT" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') + does_valid_pattern_exist_in_file $FILE "$RESULT" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done fi 
diff --git a/bin/hardening/8.1.33_record_iptables_restore_exec.sh b/bin/hardening/8.1.33_record_iptables_restore_exec.sh index 1c8193b..f48dd2f 100755 --- a/bin/hardening/8.1.33_record_iptables_restore_exec.sh +++ b/bin/hardening/8.1.33_record_iptables_restore_exec.sh @@ -27,14 +27,20 @@ audit () { IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') - does_valid_pattern_exist_in_file $FILE "$RESULT" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$RESULT is not in file $FILE" - else - ok "$RESULT is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + IFS=$d_IFS + RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') + does_valid_pattern_exist_in_file $FILE "$RESULT" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$RESULT is not in file $FILE" + else + ok "$RESULT is present in $FILE" + fi fi done IFS=$d_IFS 
@@ -45,14 +51,20 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') - does_valid_pattern_exist_in_file $FILE "$RESULT" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}') + does_valid_pattern_exist_in_file $FILE "$RESULT" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done } diff --git a/bin/hardening/8.1.31_record_privileged_commands.sh b/bin/hardening/8.1.34_record_privileged_commands.sh similarity index 89% rename from bin/hardening/8.1.31_record_privileged_commands.sh rename to bin/hardening/8.1.34_record_privileged_commands.sh index d645bd4..623c052 100755 --- a/bin/hardening/8.1.31_record_privileged_commands.sh +++ b/bin/hardening/8.1.34_record_privileged_commands.sh @@ -5,7 +5,7 @@ # # -# 8.1.31 Collect Use of Privileged Commands (Scored) +# 8.1.34 Collect Use of Privileged Commands (Scored) # set -e # One error, it's over @@ -13,10 +13,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -# Find all files with setuid or setgid set -AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ -"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \ --k privileged" }') FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
@@ -59,7 +55,16 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +# Find all files with setuid or setgid set +AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ +"-a always,exit -F path=" $1 " -F perm=x -k privileged" }') + else +# Find all files with setuid or setgid set +AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ +"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \ +-k privileged" }') + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh index c15f805..6e5f1e0 100755 --- a/bin/hardening/8.1.4_record_date_time_edit.sh +++ b/bin/hardening/8.1.4_record_date_time_edit.sh @@ -39,11 +39,17 @@ audit () { fi for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE ""$AUDIT_VALUE"" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE ""$AUDIT_VALUE"" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS 
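Review bot: The rule list is built from whatever `find / -xdev … -type f` returns, and awk's `$1` cuts each path at the first whitespace, so a setuid/setgid file whose name contains a space produces a rule for a truncated path (both branches of the new `if` have this). Those strings are later handed to check_audit_path(), which in this commit's lib/utils.sh hunk expands the extracted path with `eval echo`; because the names here come from the filesystem rather than from the script, file-name content is interpreted by the shell in a script that runs as root, and the helper should test `[ -e "$RESULT" ]` on the quoted value instead. Within this hunk the duplicated find can be collapsed by computing the optional uid filter once, and printing `$0` instead of `$1` keeps names with internal whitespace intact (names containing newlines would still need `-print0`).
```shell
check_config() {
  UID_FILTER=''
  if [ "${DONT_AUDITD_BY_UID:-0}" -ne 1 ]; then
    UID_FILTER=' -F auid>=1000 -F auid!=4294967295'
  fi
  # Find all files with setuid or setgid set; $0 keeps whitespace inside a name
  AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f \
    | awk -v f="$UID_FILTER" '{print "-a always,exit -F path=" $0 " -F perm=x" f " -k privileged"}')
}
```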
@@ -55,14 +61,20 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE ""$AUDIT_VALUE"" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE ""$AUDIT_VALUE"" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh index 6d848c1..362dfb6 100755 --- a/bin/hardening/8.1.5_record_user_group_edit.sh +++ b/bin/hardening/8.1.5_record_user_group_edit.sh @@ -27,12 +27,18 @@ audit () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } 
@@ -43,13 +49,19 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh index 38c9af5..9138c43 100755 --- a/bin/hardening/8.1.6_record_network_edit.sh +++ b/bin/hardening/8.1.6_record_network_edit.sh @@ -40,12 +40,18 @@ audit () { fi for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } 
@@ -56,13 +62,19 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh index 575698e..7139b80 100755 --- a/bin/hardening/8.1.7_record_mac_edit.sh +++ b/bin/hardening/8.1.7_record_mac_edit.sh 
@@ -17,23 +17,7 @@ HARDENING_LEVEL=4 SELINUX_PKG="selinux-basics" SELINUX_PKG_CENTOS="selinux-policy" - -SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy --a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy --a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event --a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event --a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event --a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event --a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event --a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event --a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event --a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event --a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event" - APPARMOR_PKG="apparmor" -AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy --w /etc/apparmor.d/ -p wa -k MAC-policy --a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy' FILE='/etc/audit/rules.d/audit.rules' 
@@ -62,11 +46,17 @@ audit () { fi for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS @@ -94,13 +84,19 @@ apply () { fi for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS 
@@ -108,7 +104,37 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $DONT_AUDITD_BY_UID -eq 1 ]; then +SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy +-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy +-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -k MAC_Event +-a always,exit -F path=/usr/bin/chcon -F perm=wax -k MAC_Event +-a always,exit -F path=/usr/bin/newrole -F perm=wax -k MAC_Event +-a always,exit -F path=/usr/sbin/semanage -F perm=wax -k MAC_Event +-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -k MAC_Event +-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -k MAC_Event +-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -k MAC_Event +-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -k MAC_Event +-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -k MAC_Event" +AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy +-a always,exit -F path=/sbin/apparmor_parser -F perm=x -k MAC-policy' +else +SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy +-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy +-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event +-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event +-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event +-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event +-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event +-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event +-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event +-a always,exit -F path=/usr/sbin/setenforce -F perm=wax 
-F auid>=1000 -F auid!=4294967295 -k MAC_Event +-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event" +AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy +-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy' + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh index dbbb410..f650021 100755 --- a/bin/hardening/8.1.8_record_login_logout.sh +++ b/bin/hardening/8.1.8_record_login_logout.sh @@ -32,11 +32,17 @@ audit () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS 
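Review bot: `+else` is at column 0 while its `if` and `fi` are indented, which makes this check_config() read differently from its siblings in the same commit (the 8.1.23 through 8.1.34 hunks indent the `else`); the SE_AUDIT_PARAMS and AA_AUDIT_PARAMS assignments at column 0 inside the function have the same problem. Indent `else` to the level of the surrounding `if`/`fi` and the assignments one level further in.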
@@ -51,13 +57,19 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh index ac91ac2..32474f1 100755 --- a/bin/hardening/8.1.9_record_session_init.sh +++ b/bin/hardening/8.1.9_record_session_init.sh @@ -31,11 +31,17 @@ audit () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS 
@@ -50,13 +56,19 @@ apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + warn "path is not exsit! Please check file path is exist!" + continue + else + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi fi done IFS=$d_IFS diff --git a/bin/hardening/8.4.1_install_aide.sh b/bin/hardening/8.4.1_install_aide.sh index 7f0a5b4..1a512c2 100755 --- a/bin/hardening/8.4.1_install_aide.sh +++ b/bin/hardening/8.4.1_install_aide.sh @@ -15,7 +15,7 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 # NB : in CIS, AIDE has been chosen, however we chose tripwire -PACKAGE='aide' +PACKAGE='aide aide-common' # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/lib/utils.sh b/lib/utils.sh index b4339c2..12de7ae 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
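Review bot: `PACKAGE='aide aide-common'` turns a single package name into a space-separated pair, and whether the helpers that consume `$PACKAGE` (not visible in this hunk; `audit () {` is the only consumer shown) iterate over words or treat the value as one name decides whether audit/apply still work, so this needs checking against those helpers. `aide-common` is, to my knowledge, a Debian-family package with no counterpart in RHEL-family repositories, while the other scripts in this commit select per-OS values through `OS_RELEASE`; if 8.4.1 also runs on CentOS the install step would fail there. Consider a per-OS value, e.g. `PACKAGE_DEBIAN='aide aide-common'` / `PACKAGE_CENTOS='aide'`, selected the way the AUDIT_PARAMS_DEBIAN/AUDIT_PARAMS_CENTOS pairs are.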
@@ -1141,7 +1141,9 @@ yum_check_updates()
 # Check path of audit rule is exist, return 0 if path string is not NULL, else return 1
 # Example:
 # Process only the following format:
-# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
+# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" or
+# AUDITRULE="-a always,exit -F dir=/home/ -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" or
+# AUDITRULE="-w /home/ -k privileged-passwd"
 # Please manually execute apt-file (Debian) / yum Provides (redhat) to ensure that the path already exists in the repository.
 # example: apt-file search /usr/bin/passwd
 # freedom-maker: /usr/bin/passwd-in-image
@@ -1149,13 +1151,29 @@ yum_check_updates()
 check_audit_path () {
 AUDITRULE=$1
- RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
- if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
- debug "File $RESULT is exist!"
- FNRET=0
+ # Check -w style, for example: "-w /etc/shadow -p wa" "-w /etc/ -p wa"
+ if [[ $AUDITRULE =~ "-w" ]]; then
+ RESULT=$(echo $AUDITRULE | awk '{print $2}')
+ if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
+ debug "File $RESULT is exist!"
+ FNRET=0
+ else
+ warn "File $RESULT is not exist!"
+ FNRET=1
+ fi
+ # Check -F style, for example: "-a always,exit -F path=/etc/shadow -F perm=wa" "-a always,exit -F dir=/etc/ -F perm=wa"
+ elif [ $(echo $AUDITRULE | grep -c "\-F.*path=") -eq 1 -o $(echo $AUDITRULE | grep -c "\-F.*dir=") -eq 1 ]; then
+ RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+ if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
+ debug "File $RESULT is exist!"
+ FNRET=0
+ else
+ warn "File $RESULT is not exist!"
+ FNRET=1
+ fi
 else
- warn "File $RESULT is not exist!"
- FNRET=1
+ info "This rule is not including path or dir."
+ FNRET=0
 fi
 }