tyler.durden/harbian-audit
1
0
Fork 0
mirror of https://github.com/hardenedlinux/harbian-audit.git synced 2025-07-31 01:24:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #24 from Samson-W/master

Browse Source 
Modify auditd related check items to apply -dont-auditd-by-uid and check_audit_path.
This commit is contained in:
Samson.W 2021-06-22 21:51:36 +08:00 committed by GitHub
commit 8a02a3638c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
32 changed files with 599 additions and 301 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
bin/hardening.sh
View File

@ -91,9 +91,9 @@ $LONG_SCRIPT_NAME <RUN_MODE> [OPTIONS], where RUN_MODE is one of:
password strength and robustness;
2. Aide reinitializes.
--dont-auditd-by-uid
--dont-auditd-by-uid <1/0>
Auditd rules do not use uid parameter, for all user to auditd. If set 1 will not use uid, else if
set 0 will use uid.
set 0 will use uid. Default is 0.
OPTIONS:
@ -185,6 +185,9 @@ if [ -z "$CIS_ROOT_DIR" ]; then
fi
# For --dont-auditd-by-uid
if [ -z "$DONT_BY_UID_G_CONFIG" ]; then
usage
else
if [ $DONT_BY_UID_G_CONFIG -ne 127 ]; then
if [ $DONT_BY_UID_G_CONFIG -eq 1 ]; then
echo "Set dont use uid for auditd rules"
@ -195,14 +198,13 @@ if [ $DONT_BY_UID_G_CONFIG -ne 127 ]; then
fi
exit 0
fi
fi
[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
# For --init
if [ $INIT_G_CONFIG -eq 1 ]; then
if [ -r /etc/redhat-release ]; then

43
bin/hardening/8.1.10_record_dac_edit.sh
View File

@ -14,15 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -38,12 +29,18 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -54,6 +51,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
@ -62,13 +64,34 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k perm_mod'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
fi
}
# Source Root Dir Parameter

22
bin/hardening/8.1.11_record_failed_access_file.sh
View File

@ -14,12 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -65,7 +59,21 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -k access'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
fi
}
# Source Root Dir Parameter

14
bin/hardening/8.1.13_record_successful_mount.sh
View File

@ -14,10 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -63,7 +59,15 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -k mounts
-a always,exit -F arch=b32 -S mount -k mounts'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -k mounts'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
fi
}
# Source Root Dir Parameter

13
bin/hardening/8.1.14_record_file_deletions.sh
View File

@ -14,9 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -63,7 +60,15 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k delete'
else
ARCH64_AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
ARCH32_AUDIT_PARAMS='-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete'
fi
}
# Source Root Dir Parameter

12
bin/hardening/8.1.15_record_sudoers_edit.sh
View File

@ -24,12 +24,18 @@ audit () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -40,6 +46,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
@ -48,6 +59,7 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}

11
bin/hardening/8.1.16_record_sudo_usage.sh
View File

@ -22,13 +22,18 @@ audit () {
# define custom IFS and save default one
d_IFS=$IFS
IFS=$'\n'
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
FNRET=1
FNRET=2
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
IFS=$d_IFS
}
@ -37,10 +42,12 @@ apply () {
# define custom IFS and save default one
d_IFS=$IFS
IFS=$'\n'
if [ $FNRET = 1 ]; then
if [ $FNRET = 2 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
elif [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
else
ok "$AUDIT_VALUE is present in $FILE"
fi

12
bin/hardening/8.1.17_record_kernel_modules.sh
View File

@ -41,12 +41,18 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -57,6 +63,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
@ -65,6 +76,7 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}

17
bin/hardening/8.1.18_record_Events_netfilter.sh
View File

@ -14,11 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -69,7 +64,17 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-w /usr/sbin/netfilter-persistent -p x -k nft_persistent_use
-w /usr/sbin/nft -p x -k nft_cmd_use'
else
AUDIT_PARAMS='-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-w /usr/sbin/netfilter-persistent -p x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
-w /usr/sbin/nft -p x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use'
fi
}
# Source Root Dir Parameter

17
bin/hardening/8.1.19_record_sshkeysign_usage.sh
View File

@ -15,11 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -72,6 +67,18 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -k privileged-ssh"
else
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

10
bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh
View File

@ -14,8 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -56,7 +54,13 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -k access'
else
AUDIT_PARAMS='-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
fi
}
# Source Root Dir Parameter

29
bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh
View File

@ -15,15 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -76,6 +67,26 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -k privileged-passwd"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -k privileged-passwd"
else
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

41
bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh
View File

@ -15,19 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -80,6 +67,34 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -k privileged-priv_change"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -k privileged-priv_change"
else
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
AUDIT_PARAMS_CENTOS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

17
bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh
View File

@ -15,11 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -72,6 +67,18 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -k privileged-postfix'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -k privileged-postfix'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

10
bin/hardening/8.1.24_record_crontab_cmd_usage.sh
View File

@ -15,8 +15,6 @@ HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -69,6 +67,14 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -k privileged-cron'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -k privileged-cron'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

10
bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh
View File

@ -15,8 +15,6 @@ set -e # One error, it's over
HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -69,6 +67,14 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -k privileged-pam'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -k privileged-pam'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

11
bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
View File

@ -15,9 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
# This function will be called if the script status is on enabled / audit mode
audit () {
# This feature is only for debian
@ -78,7 +75,13 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -k privileged-pam'
else
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
fi
}
# Source Root Dir Parameter

11
bin/hardening/8.1.28_record_acl_cmd_usage.sh
View File

@ -16,9 +16,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
@ -69,7 +66,13 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -k perm_chng'
else
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
fi
}
# Source Root Dir Parameter

10
bin/hardening/8.1.29_record_usermod_cmd_usage.sh
View File

@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode
@ -69,6 +67,14 @@ apply () {
# This function will check config parameters required
check_config() {
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -k privileged-usermod'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -k privileged-usermod'
else
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS_CENTOS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
fi
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then

8
bin/hardening/8.1.30_record_unix_update_cmd_usage.sh
View File

@ -15,8 +15,6 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
# This function will be called if the script status is on enabled / audit mode
audit () {
# define custom IFS and save default one
@ -67,7 +65,11 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -k privileged-unix-update'
else
AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update'
fi
}
# Source Root Dir Parameter

31
bin/hardening/8.1.34_record_file_transfer_related.sh → bin/hardening/8.1.31_record_file_transfer_related.sh
View File

@ -5,7 +5,7 @@
#
#
# 8.1.34 Collect file transfer related items (Scored)
# 8.1.31 Collect file transfer related items (Scored)
# Add by Author : Samson wen, Samson <sccxboy@gmail.com>
#
@ -14,11 +14,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/wget -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/sftp -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/curl -F perm=x -k file_transfer_exec'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -30,6 +25,11 @@ audit () {
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
IFS=$d_IFS
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
@ -39,6 +39,7 @@ audit () {
else
ok "$RESULT is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -48,6 +49,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
if [ $FNRET != 0 ]; then
@ -57,12 +63,23 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
}
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/wget -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/sftp -F perm=x -k file_transfer_exec
-a always,exit -F path=/usr/bin/curl -F perm=x -k file_transfer_exec'
else
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/scp -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec
-a always,exit -F path=/usr/bin/wget -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec
-a always,exit -F path=/usr/bin/sftp -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec
-a always,exit -F path=/usr/bin/curl -F perm=x -F auid>=1000 -F auid!=4294967295 -k file_transfer_exec'
fi
}
# Source Root Dir Parameter

12
bin/hardening/8.1.32_record_ufw_of_debian_like.sh
View File

@ -33,6 +33,11 @@ audit () {
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
IFS=$d_IFS
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
@ -42,6 +47,7 @@ audit () {
else
ok "$RESULT is present in $FILE"
fi
fi
done
IFS=$d_IFS
fi
@ -55,6 +61,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
if [ $FNRET != 0 ]; then
@ -64,6 +75,7 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
fi
}

12
bin/hardening/8.1.33_record_iptables_restore_exec.sh
View File

@ -27,6 +27,11 @@ audit () {
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
IFS=$d_IFS
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
@ -36,6 +41,7 @@ audit () {
else
ok "$RESULT is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -45,6 +51,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
RESULT=$(echo $AUDIT_VALUE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
does_valid_pattern_exist_in_file $FILE "$RESULT"
if [ $FNRET != 0 ]; then
@ -54,6 +65,7 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
}

17
bin/hardening/8.1.31_record_privileged_commands.sh → bin/hardening/8.1.34_record_privileged_commands.sh
View File

@ -5,7 +5,7 @@
#
#
# 8.1.31 Collect Use of Privileged Commands (Scored)
# 8.1.34 Collect Use of Privileged Commands (Scored)
#
set -e # One error, it's over
@ -13,10 +13,6 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
# Find all files with setuid or setgid set
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
-k privileged" }')
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
@ -59,7 +55,16 @@ apply () {
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
# Find all files with setuid or setgid set
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
"-a always,exit -F path=" $1 " -F perm=x -k privileged" }')
else
# Find all files with setuid or setgid set
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
-k privileged" }')
fi
}
# Source Root Dir Parameter

12
bin/hardening/8.1.4_record_date_time_edit.sh
View File

@ -39,12 +39,18 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE ""$AUDIT_VALUE""
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -55,6 +61,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE ""$AUDIT_VALUE""
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
@ -63,6 +74,7 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}

12
bin/hardening/8.1.5_record_user_group_edit.sh
View File

@ -27,12 +27,18 @@ audit () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -43,6 +49,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
@ -51,6 +62,7 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}

12
bin/hardening/8.1.6_record_network_edit.sh
View File

@ -40,12 +40,18 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -56,6 +62,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
@ -64,6 +75,7 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}

60
bin/hardening/8.1.7_record_mac_edit.sh
View File

@ -17,23 +17,7 @@ HARDENING_LEVEL=4
SELINUX_PKG="selinux-basics"
SELINUX_PKG_CENTOS="selinux-policy"
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"
APPARMOR_PKG="apparmor"
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
FILE='/etc/audit/rules.d/audit.rules'
@ -62,12 +46,18 @@ audit () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -94,6 +84,11 @@ apply () {
fi
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
@ -102,13 +97,44 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
# This function will check config parameters required
check_config() {
:
if [ $DONT_AUDITD_BY_UID -eq 1 ]; then
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/bin/chcon -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/bin/newrole -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -k MAC_Event
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -k MAC_Event"
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -k MAC-policy'
else
SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
-a always,exit -F path=/usr/bin/audit2allow -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/bin/chcon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/bin/newrole -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/semanage -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setsebool -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/restorecon -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/fixfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setenforce -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event
-a always,exit -F path=/usr/sbin/setfiles -F perm=wax -F auid>=1000 -F auid!=4294967295 -k MAC_Event"
AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'
fi
}
# Source Root Dir Parameter

12
bin/hardening/8.1.8_record_login_logout.sh
View File

@ -32,12 +32,18 @@ audit () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -51,6 +57,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
@ -59,6 +70,7 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}

12
bin/hardening/8.1.9_record_session_init.sh
View File

@ -31,12 +31,18 @@ audit () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}
@ -50,6 +56,11 @@ apply () {
IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
warn "path is not exsit! Please check file path is exist!"
continue
else
does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
@ -58,6 +69,7 @@ apply () {
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done
IFS=$d_IFS
}

2
bin/hardening/8.4.1_install_aide.sh
View File

@ -15,7 +15,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
# NB : in CIS, AIDE has been chosen, however we chose tripwire
PACKAGE='aide'
PACKAGE='aide aide-common'
# This function will be called if the script status is on enabled / audit mode
audit () {

20
lib/utils.sh
View File

@ -1141,7 +1141,9 @@ yum_check_updates()
# Check path of audit rule is exist, return 0 if path string is not NULL, else return 1
# Example:
# Process only the following format:
# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" or
# AUDITRULE="-a always,exit -F dir=/home/ -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" or
# AUDITRULE="-w /home/ -k privileged-passwd"
# Please manually execute apt-file (Debian) / yum Provides (redhat) to ensure that the path already exists in the repository.
# example: apt-file search /usr/bin/passwd
# freedom-maker: /usr/bin/passwd-in-image
@ -1149,6 +1151,18 @@ yum_check_updates()
check_audit_path ()
{
AUDITRULE=$1
# Check -w style, for example: "-w /etc/shadow -p wa" "-w /etc/ -p wa"
if [[ $AUDITRULE =~ "-w" ]]; then
RESULT=$(echo $AUDITRULE | awk '{print $2}')
if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
debug "File $RESULT is exist!"
FNRET=0
else
warn "File $RESULT is not exist!"
FNRET=1
fi
# Check -F style, for example: "-a always,exit -F path=/etc/shadow -F perm=wa" "-a always,exit -F dir=/etc/ -F perm=wa"
elif [ $(echo $AUDITRULE | grep -c "\-F.*path=") -eq 1 -o $(echo $AUDITRULE | grep -c "\-F.*dir=") -eq 1 ]; then
RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
debug "File $RESULT is exist!"
@ -1157,6 +1171,10 @@ check_audit_path ()
warn "File $RESULT is not exist!"
FNRET=1
fi
else
info "This rule is not including path or dir."
FNRET=0
fi
}
# For CentOS 8