modify 8.1.17~8.1.22 to be compatible with CentOS

This commit is contained in:
Samson-W 2019-08-13 17:55:55 +08:00
parent 99cab257b2
commit d3cbebb7e6
7 changed files with 78 additions and 55 deletions


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9 or CentOS Hardening
# #
# #


@ -33,7 +33,6 @@ audit () {
crit "path is not exsit! Please check file path is exist!" crit "path is not exsit! Please check file path is exist!"
continue continue
else else
info "path is exsit!"
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
IFS=$d_IFS IFS=$d_IFS
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
@ -57,7 +56,6 @@ apply () {
crit "path is not exsit! Please check file path is exist!" crit "path is not exsit! Please check file path is exist!"
continue continue
else else
info "path is exsit!"
debug "$AUDIT_VALUE should be in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
if [ $FNRET != 0 ]; then if [ $FNRET != 0 ]; then


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #
@ -9,16 +9,16 @@
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <sccxboy@gmail.com>
# #
set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd AUDIT_PARAMS="-a always,exit -F path=$(which passwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=$(which unix_chkpwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=$(which gpasswd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd' -a always,exit -F path=$(which chage 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -28,15 +28,21 @@ audit () {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" check_audit_path $AUDIT_VALUE
IFS=$d_IFS if [ $FNRET -eq 1 ];then
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" crit "path is not exsit! Please check file path is exist!"
IFS=$c_IFS continue
if [ $FNRET != 0 ]; then else
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
else IFS=$d_IFS
ok "$AUDIT_VALUE is present in $FILE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
fi IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done done
IFS=$d_IFS IFS=$d_IFS
} }
@ -45,15 +51,21 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" check_audit_path $AUDIT_VALUE
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" if [ $FNRET -eq 1 ];then
if [ $FNRET != 0 ]; then crit "path is not exsit! Please check file path is exist!"
warn "$AUDIT_VALUE is not in file $FILE, adding it" continue
add_end_of_file $FILE $AUDIT_VALUE else
check_auditd_is_immutable_mode debug "$AUDIT_VALUE should be in file $FILE"
else does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
ok "$AUDIT_VALUE is present in $FILE" if [ $FNRET != 0 ]; then
fi warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done done
} }
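Review bot: The rewritten AUDIT_PARAMS takes the watched path from `$(which passwd 2>/dev/null)` (and likewise unix_chkpwd, gpasswd, chage), so the rule persisted to /etc/audit/rules.d/audit.rules now depends on the PATH of whoever runs the hardening script rather than on a pinned location — a PATH that lists a writable directory first, or one without /sbin:/usr/sbin (where unix_chkpwd normally lives), yields a wrong or empty path, and the empty case is only caught later by check_audit_path with a message that does not say which rule was skipped. Resolving against a fixed search path with the shell builtin, e.g. `-F path=$(PATH=/usr/sbin:/usr/bin:/sbin:/bin command -v passwd)`, removes the environment dependence and the reliance on an external `which` binary, which is presumably absent on some minimal CentOS installs (to be confirmed). Moving `set -e` below the assignment is what keeps a failed lookup from aborting the script, which is the intent, but that line deserves a comment such as `# set -e only after AUDIT_PARAMS: a failed $(which ...) must not abort the script`. In both loops the diagnostic would be more useful as `crit "$AUDIT_VALUE: path does not exist, rule skipped"`, so the operator can see which privileged command is left unmonitored, and `check_audit_path "$AUDIT_VALUE"` should be quoted rather than relying on IFS being a newline.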


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# harbian audit 7/8/9 Hardening # harbian audit 7/8/9/10 or CentOS Hardening
# #
# #
@ -9,18 +9,18 @@
# Author : Samson wen, Samson <sccxboy@gmail.com> # Author : Samson wen, Samson <sccxboy@gmail.com>
# #
set -e # One error, it's over
set -u # One variable unset, it's over set -u # One variable unset, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
AUDIT_PARAMS='-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change AUDIT_PARAMS="-a always,exit -F path=$(which su 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=$(which sudo 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=$(which newgrp 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=$(which chsh 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=$(which sudoedit 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change' -a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
set -e # One error, it's over
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
@ -30,15 +30,21 @@ audit () {
c_IFS=$'\n' c_IFS=$'\n'
IFS=$c_IFS IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" check_audit_path $AUDIT_VALUE
IFS=$d_IFS if [ $FNRET -eq 1 ];then
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" crit "path is not exsit! Please check file path is exist!"
IFS=$c_IFS continue
if [ $FNRET != 0 ]; then else
crit "$AUDIT_VALUE is not in file $FILE" debug "$AUDIT_VALUE should be in file $FILE"
else IFS=$d_IFS
ok "$AUDIT_VALUE is present in $FILE" does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
fi IFS=$c_IFS
if [ $FNRET != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done done
IFS=$d_IFS IFS=$d_IFS
} }
@ -47,15 +53,21 @@ audit () {
apply () { apply () {
IFS=$'\n' IFS=$'\n'
for AUDIT_VALUE in $AUDIT_PARAMS; do for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE" check_audit_path $AUDIT_VALUE
does_pattern_exist_in_file $FILE "$AUDIT_VALUE" if [ $FNRET -eq 1 ];then
if [ $FNRET != 0 ]; then crit "path is not exsit! Please check file path is exist!"
warn "$AUDIT_VALUE is not in file $FILE, adding it" continue
add_end_of_file $FILE $AUDIT_VALUE else
check_auditd_is_immutable_mode debug "$AUDIT_VALUE should be in file $FILE"
else does_pattern_exist_in_file $FILE "$AUDIT_VALUE"
ok "$AUDIT_VALUE is present in $FILE" if [ $FNRET != 0 ]; then
fi warn "$AUDIT_VALUE is not in file $FILE, adding it"
add_end_of_file $FILE $AUDIT_VALUE
check_auditd_is_immutable_mode
else
ok "$AUDIT_VALUE is present in $FILE"
fi
fi
done done
} }
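Review bot: The rewritten chfn rule in AUDIT_PARAMS keeps `-F auid>=500` while the five rules above it use `-F auid>=1000`, so on a system whose UID_MIN is 1000 (the CentOS 7 and current Debian default, to be confirmed against /etc/login.defs) the chfn watch also records system accounts in the 500–999 range and the mismatch reads like a leftover rather than a choice; either change it to `-F auid>=1000` or add a comment stating why chfn is treated differently. As in the sibling script, every path now comes from `which ...` through the caller's PATH at run time; resolving with a fixed path, `-F path=$(PATH=/usr/sbin:/usr/bin:/sbin:/bin command -v su)`, keeps the su/sudo/sudoedit watches pinned to the system binaries regardless of who invokes the script and drops the dependency on an external `which`. Both new branches call `check_audit_path $AUDIT_VALUE` unquoted and rely on IFS being a newline to pass the rule as a single argument; `check_audit_path "$AUDIT_VALUE"` makes that explicit and also prevents pathname expansion if a rule ever contains glob characters.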


@ -957,6 +957,7 @@ yum_check_updates()
# Check path of audit rule is exist, return 0 if path string is not NULL, else return 1 # Check path of audit rule is exist, return 0 if path string is not NULL, else return 1
# Example: # Example:
# Process only the following format:
# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" # AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
check_audit_path () check_audit_path ()
{ {