tyler.durden/harbian-audit
1
0
Fork 0
mirror of https://github.com/hardenedlinux/harbian-audit.git synced 2025-07-31 01:24:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix some bugs for auditd record

Browse Source
This commit is contained in:
Samson-W 2019-09-10 18:15:18 +08:00
parent 6e7bef7a9d
commit d75c1accd8
7 changed files with 67 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
bin/hardening/8.1.19_record_sshkeysign_usage.sh
View File

@ -13,17 +13,15 @@ set -u # One variable unset, it's over
set -e # One error, it's over set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
fi
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# define custom IFS and save default one # define custom IFS and save default one
@ -74,7 +72,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

16
bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh
View File

@ -13,20 +13,18 @@ set -u # One variable unset, it's over
set -e # One error, it's over set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
AUDIT_PARAMS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
elif [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
AUDIT_PARAMS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" -a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
fi
FILE='/etc/audit/rules.d/audit.rules' AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -78,7 +76,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

16
bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh
View File

@ -13,24 +13,22 @@ set -u # One variable unset, it's over
set -e # One error, it's over set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules'
if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
AUDIT_PARAMS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
elif [ $OS_RELEASE -eq 2 ]; then AUDIT_PARAMS_REDHAT="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
AUDIT_PARAMS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" -a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
fi
FILE='/etc/audit/rules.d/audit.rules' AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -82,7 +80,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

22
bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh
View File

@ -13,17 +13,15 @@ set -u # One variable unset, it's over
set -e # One error, it's over set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
if [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
fi
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
AUDIT_PARAMS=""
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
# define custom IFS and save default one # define custom IFS and save default one
@ -74,7 +72,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

14
bin/hardening/8.1.24_record_crontab_cmd_usage.sh
View File

@ -15,11 +15,9 @@ HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' AUDIT_PARAMS_REDHAT='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
elif [ $OS_RELEASE -eq 2 ]; then AUDIT_PARAMS=""
AUDIT_PARAMS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
fi
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -71,7 +69,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

15
bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh
View File

@ -14,11 +14,10 @@ set -e # One error, it's over
HARDENING_LEVEL=4 HARDENING_LEVEL=4
FILE='/etc/audit/rules.d/audit.rules' FILE='/etc/audit/rules.d/audit.rules'
if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
elif [ $OS_RELEASE -eq 2 ]; then AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' AUDIT_PARAMS=""
fi
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -70,7 +69,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter

14
bin/hardening/8.1.29_record_usermod_cmd_usage.sh
View File

@ -15,11 +15,9 @@ FILE='/etc/audit/rules.d/audit.rules'
HARDENING_LEVEL=4 HARDENING_LEVEL=4
if [ $OS_RELEASE -eq 1 ]; then AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
elif [ $OS_RELEASE -eq 2 ]; then AUDIT_PARAMS=""
AUDIT_PARAMS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
fi
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit () { audit () {
@ -71,7 +69,11 @@ apply () {
# This function will check config parameters required # This function will check config parameters required
check_config() { check_config() {
: if [ $OS_RELEASE -eq 1 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
elif [ $OS_RELEASE -eq 2 ]; then
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
fi
} }
# Source Root Dir Parameter # Source Root Dir Parameter