Fix some bugs.

This commit is contained in:
samson 2018-12-05 16:06:35 +08:00
parent f2ebec8e38
commit d45ddb82f7
3 changed files with 45 additions and 30 deletions

View File

@ -22,20 +22,26 @@ INCLUDFILE='/etc/sudoers.d/*'
# This function will be called if the script status is on enabled / audit mode
audit ()
{
does_pattern_exist_in_file $FILE $NOPASSWD
if [ $FNRET = 0 ]; then
crit "$NOPASSWD is set on $FILE, it's error conf"
FNRET=1
else
ok "$NOPASSWD is not set on $FILE, it's ok"
if [ $(grep -c $NOPASSWD $INCLUDFILE) -gt 0 ]; then
crit "$NOPASSWD is set on $INCLUDFILE, it's error conf"
FNRET=1
else
ok "$NOPASSWD is not set on $INCLUDFILE, it's ok"
FNRET=0
fi
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE is not exist!"
FNRET=2
else
does_pattern_exist_in_file $FILE $NOPASSWD
if [ $FNRET = 0 ]; then
crit "$NOPASSWD is set on $FILE, it's error conf"
FNRET=1
else
ok "$NOPASSWD is not set on $FILE, it's ok"
if [ $(grep -c $NOPASSWD $INCLUDFILE) -gt 0 ]; then
crit "$NOPASSWD is set on $INCLUDFILE, it's error conf"
FNRET=1
else
ok "$NOPASSWD is not set on $INCLUDFILE, it's ok"
FNRET=0
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
@ -46,6 +52,8 @@ apply () {
info "$NOPASSWD is set on the $FILE or $INCLUDFILE, need remove"
backup_file $FILE $INCLUDFILE
chmod 640 $FILE $INCLUDFILE && sed -i -e "s/$NOPASSWD/$PASSWD/g" $FILE $INCLUDFILE && chmod 440 $FILE $INCLUDFILE
elif [ $FNRET = 2 ]; then
warn "$FILE is not exist! Maybe sudo package not installed."
fi
}

View File

@ -22,20 +22,26 @@ INCLUDFILE='/etc/sudoers.d/*'
# This function will be called if the script status is on enabled / audit mode
audit ()
{
does_pattern_exist_in_file $FILE $NOAUTH
if [ $FNRET = 0 ]; then
crit "$NOAUTH is set on $FILE, it's error conf"
FNRET=1
else
ok "$NOAUTH is not set on $FILE, it's ok"
if [ $(grep -c $NOAUTH $INCLUDFILE) -gt 0 ]; then
crit "$NOAUTH is set on $INCLUDFILE, it's error conf"
FNRET=1
else
ok "$NOAUTH is not set on $INCLUDFILE, it's ok"
FNRET=0
fi
fi
does_file_exist $FILE
if [ $FNRET != 0 ]; then
crit "$FILE is not exist!"
FNRET=2
else
does_pattern_exist_in_file $FILE $NOAUTH
if [ $FNRET = 0 ]; then
crit "$NOAUTH is set on $FILE, it's error conf"
FNRET=1
else
ok "$NOAUTH is not set on $FILE, it's ok"
if [ $(grep -c $NOAUTH $INCLUDFILE) -gt 0 ]; then
crit "$NOAUTH is set on $INCLUDFILE, it's error conf"
FNRET=1
else
ok "$NOAUTH is not set on $INCLUDFILE, it's ok"
FNRET=0
fi
fi
fi
}
# This function will be called if the script status is on enabled mode
@ -46,6 +52,8 @@ apply () {
info "$NOAUTH is set on the $FILE or $INCLUDFILE, need remove"
backup_file $FILE $INCLUDFILE
chmod 640 $FILE $INCLUDFILE && sed -i -e "s/$NOAUTH/$AUTHENTICATE/g" $FILE $INCLUDFILE && chmod 440 $FILE $INCLUDFILE
elif [ $FNRET = 1 ]; then
warn "$FILE is not exist! Maybe sudo package not installed."
fi
}

View File

@ -14,8 +14,7 @@ set -u # One variable unset, it's over
HARDENING_LEVEL=4
# Find all files with setuid or setgid set
SUDO_CMD='sudo -n'
AUDIT_PARAMS=$($SUDO_CMD find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \
"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \
-k privileged" }')
FILE='/etc/audit/rules.d/audit.rules'