From d3cbebb7e62b8d14a957f6582cb9b984774e46df Mon Sep 17 00:00:00 2001 From: Samson-W Date: Tue, 13 Aug 2019 17:55:55 +0800 Subject: [PATCH] modify 8.1.17~8.1.22 to be compatible with CentOS --- bin/hardening/8.1.17_record_kernel_modules.sh | 2 +- bin/hardening/8.1.18_freeze_auditd_conf.sh | 2 +- .../8.1.19_record_sshkeysign_usage.sh | 2 - ...8.1.20_record_open_by_handle_at_syscall.sh | 2 +- ...Events_that_privileged_passwd_cmd_usage.sh | 60 ++++++++++------- ...s_that_privileged_priv_change_cmd_usage.sh | 64 +++++++++++-------- lib/utils.sh | 1 + 7 files changed, 78 insertions(+), 55 deletions(-) diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh index a9e2f6b..b00ef48 100755 --- a/bin/hardening/8.1.17_record_kernel_modules.sh +++ b/bin/hardening/8.1.17_record_kernel_modules.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh index 6bb5876..e917924 100755 --- a/bin/hardening/8.1.18_freeze_auditd_conf.sh +++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9 or CentOS Hardening # # diff --git a/bin/hardening/8.1.19_record_sshkeysign_usage.sh b/bin/hardening/8.1.19_record_sshkeysign_usage.sh index 8c2a3ac..b2b2688 100755 --- a/bin/hardening/8.1.19_record_sshkeysign_usage.sh +++ b/bin/hardening/8.1.19_record_sshkeysign_usage.sh @@ -33,7 +33,6 @@ audit () { crit "path is not exsit! Please check file path is exist!" continue else - info "path is exsit!" debug "$AUDIT_VALUE should be in file $FILE" IFS=$d_IFS does_pattern_exist_in_file $FILE "$AUDIT_VALUE" 
@@ -57,7 +56,6 @@ apply () { crit "path is not exsit! Please check file path is exist!" continue else - info "path is exsit!" debug "$AUDIT_VALUE should be in file $FILE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE" if [ $FNRET != 0 ]; then diff --git a/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh b/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh index c0b5aab..6b2fc0f 100755 --- a/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh +++ b/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # diff --git a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh index fc08318..242f564 100755 --- a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh +++ b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
@@ -9,16 +9,16 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd' +AUDIT_PARAMS="-a always,exit -F path=$(which passwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=$(which unix_chkpwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=$(which gpasswd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=$(which chage 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode @@ -28,15 +28,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } 
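Review bot: The new `AUDIT_PARAMS` assignment resolves every watched binary with `$(which … 2>/dev/null)`, so the rule text now depends on the PATH of whoever runs the script and on `which` being installed, and any lookup failure is discarded. The removed rule located `unix_chkpwd` under `/sbin`; if that directory is not on PATH at run time, the substitution yields an empty `path=` and the loops further down skip the rule, leaving that binary unwatched. I would pin the search path just above the assignment, e.g. `PATH=/usr/sbin:/usr/bin:/sbin:/bin` (constructed value, adjust to the supported distributions), and use the shell builtin for each entry, `-F path=$(command -v passwd)`. The `AUDIT_PARAMS` hunk in 8.1.22 uses the same lookup.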
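Review bot: The `crit` line added to the audit loop prints a fixed message that does not say which rule was skipped, and because the failure case is an empty `path=`, the operator cannot map it back to a binary. Printing the rule would at least show its key, e.g. `crit "audit rule has no resolved path, skipping: $AUDIT_VALUE"`; naming the binary itself would need the command name kept alongside the rule when `AUDIT_PARAMS` is built. The `else` after `continue` is redundant and costs one indent level. The same message appears in the apply hunk of this file and in both loops of 8.1.22; the opening lines of `audit` are outside this hunk.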
@@ -45,15 +51,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh index dfcfd93..229fac8 100755 --- a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh +++ b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh @@ -1,7 +1,7 @@ #!/bin/bash # -# harbian audit 7/8/9 Hardening +# harbian audit 7/8/9/10 or CentOS Hardening # # 
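Review bot: In the apply loop the new `check_audit_path $AUDIT_VALUE` call, like the existing `add_end_of_file $FILE $AUDIT_VALUE`, is unquoted and stays a single argument only because `IFS` was set to a newline at the top of `apply`. Quoting removes that dependency without changing the current behaviour: `check_audit_path "$AUDIT_VALUE"` and `add_end_of_file "$FILE" "$AUDIT_VALUE"`. As shown in this hunk, `apply` never restores `IFS`, whereas `audit` saves it in `d_IFS` and puts it back, so anything that runs later in the same shell inherits newline-only splitting. Saving and restoring it here as well would keep the two functions consistent.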
@@ -9,18 +9,18 @@ # Author : Samson wen, Samson # -set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change' +AUDIT_PARAMS="-a always,exit -F path=$(which su 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=$(which sudo 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=$(which newgrp 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=$(which chsh 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=$(which sudoedit 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" +set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode 
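Review bot: The rewritten `chfn` rule keeps `-F auid>=500` while the other five rules in this `AUDIT_PARAMS` block use `-F auid>=1000`, so the threshold for what counts as a regular user differs for one binary only. If that is not deliberate, align it with the rest: `-F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change`. If the lower bound is meant for systems whose regular UIDs start at 500, a comment above the block should say so, and the other rules would presumably need the same value on those systems.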
@@ -30,15 +30,21 @@ audit () { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done IFS=$d_IFS } @@ -47,15 +53,21 @@ audit () { apply () { IFS=$'\n' for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi done } diff --git a/lib/utils.sh b/lib/utils.sh index cc188ac..09e5dec 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
@@ -957,6 +957,7 @@ yum_check_updates() # Check path of audit rule is exist, return 0 if path string is not NULL, else return 1 # Example: +# Process only the following format: # AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" check_audit_path () {