Add new method for check audit path is exist, and update 8.1.19

2019-08-13 17:44:31 +08:00 · 2019-08-13 17:44:31 +08:00 · 99cab257b2
parent d0bbbb9cc7
commit 99cab257b2
2 changed files with 53 additions and 21 deletions
--- a/bin/hardening/8.1.19_record_sshkeysign_usage.sh
+++ b/bin/hardening/8.1.19_record_sshkeysign_usage.sh
@ -9,13 +9,15 @@
 # Author : Samson wen, Samson <sccxboy@gmail.com>
 #

-set -e # One error, it's over
 set -u # One variable unset, it's over

 HARDENING_LEVEL=4

-AUDIT_PARAMS='-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh'
+
+AUDIT_PARAMS="-a always,exit -F path=$(find / -name "ssh-keysign") -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
+-a always,exit -F path=$(which sshd-agent 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
+
+set -e # One error, it's over

 FILE='/etc/audit/rules.d/audit.rules'

@ -26,15 +28,22 @@ audit () {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        IFS=$d_IFS
-        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
-        IFS=$c_IFS
-        if [ $FNRET != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
+		check_audit_path $AUDIT_VALUE 
+		if [ $FNRET -eq 1 ];then
+			crit "path is not exsit! Please check file path is exist!"
+			continue
+		else
+			info "path is exsit!"
+        	debug "$AUDIT_VALUE should be in file $FILE"
+        	IFS=$d_IFS
+        	does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
+        	IFS=$c_IFS
+        	if [ $FNRET != 0 ]; then
+            	crit "$AUDIT_VALUE is not in file $FILE"
+        	else
+            	ok "$AUDIT_VALUE is present in $FILE"
+        	fi
+		fi
    done
    IFS=$d_IFS
 }
@ -43,15 +52,22 @@ audit () {
 apply () {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
-        if [ $FNRET != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
-            add_end_of_file $FILE $AUDIT_VALUE
-            check_auditd_is_immutable_mode
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
-        fi
+		check_audit_path $AUDIT_VALUE 
+		if [ $FNRET -eq 1 ];then
+			crit "path is not exsit! Please check file path is exist!"
+			continue
+		else
+			info "path is exsit!"
+        	debug "$AUDIT_VALUE should be in file $FILE"
+        	does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
+        	if [ $FNRET != 0 ]; then
+            	warn "$AUDIT_VALUE is not in file $FILE, adding it"
+            	add_end_of_file $FILE $AUDIT_VALUE
+            	check_auditd_is_immutable_mode
+        	else
+            	ok "$AUDIT_VALUE is present in $FILE"
+        	fi
+		fi
    done
 }

--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -955,3 +955,19 @@ yum_check_updates()
    fi
 }

+# Check path of audit rule is exist, return 0 if path string is not NULL, else return 1 
+# Example: 
+# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
+check_audit_path ()
+{
+	AUDITRULE=$1
+	RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+	if [ -z $(eval echo $RESULT) ]; then
+		debug "Result is NULL"
+		FNRET=1
+	else
+		debug "Result is not NULL"
+		FNRET=0
+	fi
+}
+