tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix some bugs.

This commit is contained in:
samson 2018-12-05 16:06:35 +08:00
parent f2ebec8e38
commit d45ddb82f7
3 changed files with 45 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
bin/hardening/10.1.7_remove_nopasswd_sudoers.sh
View File

@ -22,6 +22,11 @@ INCLUDFILE='/etc/sudoers.d/*'
# This function will be called if the script status is on enabled / audit mode
audit ()
{
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE is not exist!"
FNRET=2
else
does_pattern_exist_in_file $FILE $NOPASSWD
if [ $FNRET = 0 ]; then
crit "$NOPASSWD is set on $FILE, it's error conf"
@ -36,6 +41,7 @@ audit ()
FNRET=0
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
@ -46,6 +52,8 @@ apply () {
info "$NOPASSWD is set on the $FILE or $INCLUDFILE, need remove"
backup_file $FILE $INCLUDFILE
chmod 640 $FILE $INCLUDFILE && sed -i -e "s/$NOPASSWD/$PASSWD/g" $FILE $INCLUDFILE && chmod 440 $FILE $INCLUDFILE
elif [ $FNRET = 2 ]; then
warn "$FILE is not exist! Maybe sudo package not installed."
fi
}

8
bin/hardening/10.1.8_remove_noauthenticate_sudoers.sh
View File

@ -22,6 +22,11 @@ INCLUDFILE='/etc/sudoers.d/*'
# This function will be called if the script status is on enabled / audit mode
audit ()
{
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE is not exist!"
FNRET=2
else
does_pattern_exist_in_file $FILE $NOAUTH
if [ $FNRET = 0 ]; then
crit "$NOAUTH is set on $FILE, it's error conf"
@ -36,6 +41,7 @@ audit ()
FNRET=0
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
@ -46,6 +52,8 @@ apply () {
info "$NOAUTH is set on the $FILE or $INCLUDFILE, need remove"
backup_file $FILE $INCLUDFILE
chmod 640 $FILE $INCLUDFILE && sed -i -e "s/$NOAUTH/$AUTHENTICATE/g" $FILE $INCLUDFILE && chmod 440 $FILE $INCLUDFILE
elif [ $FNRET = 1 ]; then
warn "$FILE is not exist! Maybe sudo package not installed."
fi
}

3
bin/hardening/8.1.12_record_privileged_commands.sh
View File

@ -14,8 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
# Find all files with setuid or setgid set
SUDO_CMD='sudo -n'
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
-k privileged" }')
FILE='/etc/audit/rules.d/audit.rules'