Fix some bugs for auditd record
This commit is contained in:
Samson-W
parent
6e7bef7a9d
commit
d75c1accd8
|
|
@ -13,17 +13,15 @@ set -u # One variable unset, it's over
|
|||
set -e # One error, it's over
|
||||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
|
||||
fi
|
||||
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
|
||||
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
|
||||
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh"
|
||||
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
# define custom IFS and save default one
|
||||
|
|
@ -74,7 +72,11 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -13,20 +13,18 @@ set -u # One variable unset, it's over
|
|||
set -e # One error, it's over
|
||||
|
||||
HARDENING_LEVEL=4
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
|
||||
elif [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
|
||||
-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
|
||||
fi
|
||||
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
@ -78,7 +76,11 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -13,24 +13,22 @@ set -u # One variable unset, it's over
|
|||
set -e # One error, it's over
|
||||
|
||||
HARDENING_LEVEL=4
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
AUDIT_PARAMS_REDHAT="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
|
||||
-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change"
|
||||
fi
|
||||
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
@ -82,7 +80,11 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -13,17 +13,15 @@ set -u # One variable unset, it's over
|
|||
set -e # One error, it's over
|
||||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
if [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
fi
|
||||
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
|
||||
-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix'
|
||||
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
# define custom IFS and save default one
|
||||
|
|
@ -74,7 +72,11 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -15,11 +15,9 @@ HARDENING_LEVEL=4
|
|||
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
fi
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
@ -71,7 +69,11 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -14,11 +14,10 @@ set -e # One error, it's over
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
FILE='/etc/audit/rules.d/audit.rules'
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
fi
|
||||
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
@ -70,7 +69,11 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
|
|
@ -15,11 +15,9 @@ FILE='/etc/audit/rules.d/audit.rules'
|
|||
|
||||
HARDENING_LEVEL=4
|
||||
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
fi
|
||||
AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod'
|
||||
AUDIT_PARAMS=""
|
||||
|
||||
# This function will be called if the script status is on enabled / audit mode
|
||||
audit () {
|
||||
|
|
@ -71,7 +69,11 @@ apply () {
|
|||
|
||||
# This function will check config parameters required
|
||||
check_config() {
|
||||
:
|
||||
if [ $OS_RELEASE -eq 1 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN
|
||||
elif [ $OS_RELEASE -eq 2 ]; then
|
||||
AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT
|
||||
fi
|
||||
}
|
||||
|
||||
# Source Root Dir Parameter
|
||||
|
|
|
|||
Loading…
Reference in New Issue