modify 8.1.17~8.1.22 to be compatible with CentOS

This commit is contained in:
Samson-W 2019-08-13 17:55:55 +08:00
parent 99cab257b2
commit d3cbebb7e6
7 changed files with 78 additions and 55 deletions


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# #
# #


@ -33,7 +33,6 @@ audit () {
crit "path is not exsit! Please check file path is exist!" crit "path is not exsit! Please check file path is exist!"
continue continue
else else
info "path is exsit!"
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
@ -57,7 +56,6 @@ apply () {
crit "path is not exsit! Please check file path is exist!" crit "path is not exsit! Please check file path is exist!"
continue continue
else else
info "path is exsit!"
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #
@ -9,16 +9,16 @@
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <sccxboy@gmail.com>
# #
set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd AUDIT_PARAMS="-a always,exit -F path=$(which passwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=$(which unix_chkpwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=$(which gpasswd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd' -a always,exit -F path=$(which chage 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -28,6 +28,11 @@ audit () {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
@ -37,6 +42,7 @@ audit () {
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
fi
done done
IFS=$d_IFS IFS=$d_IFS
} }
@ -45,6 +51,11 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
@ -54,6 +65,7 @@ apply () {
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
fi
done done
} }
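Review bot: The rule paths on the new side of the AUDIT_PARAMS assignment now depend on the caller's PATH, because `$(which passwd 2>/dev/null)` and its three siblings resolve the binary at run time with errors suppressed; when the lookup misses, the value degrades to `-F path=`, and the added check_audit_path branches in audit() and apply() log "path is not exsit" and `continue`, so that rule is neither verified nor written. unix_chkpwd in particular lives under a sbin directory (the removed line shows /sbin/unix_chkpwd), which is commonly absent from a non-root PATH, so running the audit as an unprivileged user would silently skip that rule rather than report it missing. Pinning the search path before the assignment, `PATH=/usr/sbin:/usr/bin:/sbin:/bin`, and using the builtin `command -v` instead of an external `which` would make the resolution deterministic across Debian and CentOS. Since `set -e` was deliberately moved below the assignment so a failed lookup no longer aborts the script, that intent deserves a comment, e.g. `# set -e only after AUDIT_PARAMS: a missing binary yields an empty path that check_audit_path reports instead of aborting`. audit() and apply() both begin and end outside the visible hunks.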


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #
@ -9,18 +9,18 @@
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <sccxboy@gmail.com>
# #
set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change AUDIT_PARAMS="-a always,exit -F path=$(which su 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=$(which sudo 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=$(which newgrp 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=$(which chsh 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=$(which sudoedit 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change' -a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -30,6 +30,11 @@ audit () {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
@ -39,6 +44,7 @@ audit () {
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
fi
done done
IFS=$d_IFS IFS=$d_IFS
} }
@ -47,6 +53,11 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
check_audit_path $AUDIT_VALUE
if [ $FNRET -eq 1 ];then
crit "path is not exsit! Please check file path is exist!"
continue
else
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then
@ -56,6 +67,7 @@ apply () {
else else
ok "$AUDIT_VALUE is present in $FILE" ok "$AUDIT_VALUE is present in $FILE"
fi fi
fi
done done
} }
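Review bot: The chfn rule on the new side keeps `-F auid>=500` while the five sibling rules in the same AUDIT_PARAMS assignment use `-F auid>=1000`, so one rule in the block applies a different "regular user" threshold than the rest; this looks like a leftover from a UID_MIN=500 baseline rather than an intentional exception, and the commit rewrote the line without reconciling it. The consistent line would be `-a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change"`, or, if 500 is intended for older CentOS, a comment on that line saying so. As in the sibling script, each `$(which ... 2>/dev/null)` degrades to an empty `-F path=` when the lookup misses and the new check_audit_path branch then skips the rule with only a crit message, so it is worth confirming the loaded rule set with `auditctl -l` after apply; sudoedit is presumably a symlink to sudo on both distributions, so the resulting watch may coincide with the sudo rule. audit() and apply() both begin and end outside the visible hunks.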


@ -957,6 +957,7 @@ yum_check_updates()
# Check path of audit rule is exist, return 0 if path string is not NULL, else return 1 # Check path of audit rule is exist, return 0 if path string is not NULL, else return 1
# Example: # Example:
# Process only the following format:
# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" # AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
check_audit_path () check_audit_path ()
{ {