From e3a7b267d59a352e62d6717e8b176c0d01d38d84 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Sat, 18 May 2019 04:53:05 +0800
Subject: [PATCH] Apply check_audit_is_immutable_mode method for auditd rules check item.
---
 bin/hardening/8.1.10_record_dac_edit.sh | 2 +-
 bin/hardening/8.1.11_record_failed_access_file.sh | 2 +-
 bin/hardening/8.1.12_record_privileged_commands.sh | 2 +-
 bin/hardening/8.1.13_record_successful_mount.sh | 2 +-
 bin/hardening/8.1.14_record_file_deletions.sh | 2 +-
 bin/hardening/8.1.15_record_sudoers_edit.sh | 2 +-
 bin/hardening/8.1.16_record_sudo_usage.sh | 4 ++--
 bin/hardening/8.1.17_record_kernel_modules.sh | 2 +-
 bin/hardening/8.1.18_freeze_auditd_conf.sh | 2 +-
 bin/hardening/8.1.19_record_sshkeysign_usage.sh | 2 +-
 bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh | 2 +-
 .../8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh | 2 +-
 ....22_record_Events_that_privileged_priv_change_cmd_usage.sh | 2 +-
 .../8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh | 2 +-
 bin/hardening/8.1.24_record_crontab_cmd_usage.sh | 2 +-
 bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh | 2 +-
 bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh | 2 +-
 bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh | 2 +-
 bin/hardening/8.1.28_record_acl_cmd_usage.sh | 2 +-
 bin/hardening/8.1.29_record_usermod_cmd_usage.sh | 2 +-
 bin/hardening/8.1.30_record_unix_update_cmd_usage.sh | 2 +-
 bin/hardening/8.1.31_record_syscall_execve.sh | 2 +-
 bin/hardening/8.1.4_record_date_time_edit.sh | 2 +-
 bin/hardening/8.1.5_record_user_group_edit.sh | 2 +-
 bin/hardening/8.1.6_record_network_edit.sh | 2 +-
 bin/hardening/8.1.7_record_mac_edit.sh | 2 +-
 bin/hardening/8.1.8_record_login_logout.sh | 2 +-
 bin/hardening/8.1.9_record_session_init.sh | 2 +-
 lib/utils.sh | 4 ++--
 29 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh
index 619ffd9..6943916 100755
--- a/bin/hardening/8.1.10_record_dac_edit.sh
+++ b/bin/hardening/8.1.10_record_dac_edit.sh
@@ -58,7 +58,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.11_record_failed_access_file.sh b/bin/hardening/8.1.11_record_failed_access_file.sh
index 4474de3..5ceace2 100755
--- a/bin/hardening/8.1.11_record_failed_access_file.sh
+++ b/bin/hardening/8.1.11_record_failed_access_file.sh
@@ -55,7 +55,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.12_record_privileged_commands.sh b/bin/hardening/8.1.12_record_privileged_commands.sh
index d106f61..db1521b 100755
--- a/bin/hardening/8.1.12_record_privileged_commands.sh
+++ b/bin/hardening/8.1.12_record_privileged_commands.sh
@@ -48,7 +48,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh
index 11b80d8..a665ce3 100755
--- a/bin/hardening/8.1.13_record_successful_mount.sh
+++ b/bin/hardening/8.1.13_record_successful_mount.sh
@@ -53,7 +53,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh
index 021de66..a3ee5f0 100755
--- a/bin/hardening/8.1.14_record_file_deletions.sh
+++ b/bin/hardening/8.1.14_record_file_deletions.sh
@@ -53,7 +53,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.15_record_sudoers_edit.sh b/bin/hardening/8.1.15_record_sudoers_edit.sh
index 29659d0..a579b13 100755
--- a/bin/hardening/8.1.15_record_sudoers_edit.sh
+++ b/bin/hardening/8.1.15_record_sudoers_edit.sh
@@ -44,7 +44,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh
index 5502282..8f37a4b 100755
--- a/bin/hardening/8.1.16_record_sudo_usage.sh
+++ b/bin/hardening/8.1.16_record_sudo_usage.sh
@@ -51,12 +51,12 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 fi
 elif [ $FNRET = 2 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh
index a145cc6..a9e2f6b 100755
--- a/bin/hardening/8.1.17_record_kernel_modules.sh
+++ b/bin/hardening/8.1.17_record_kernel_modules.sh
@@ -61,7 +61,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh
index 1677b91..6bb5876 100755
--- a/bin/hardening/8.1.18_freeze_auditd_conf.sh
+++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh
@@ -44,7 +44,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.19_record_sshkeysign_usage.sh b/bin/hardening/8.1.19_record_sshkeysign_usage.sh
index 16e872c..13ba324 100755
--- a/bin/hardening/8.1.19_record_sshkeysign_usage.sh
+++ b/bin/hardening/8.1.19_record_sshkeysign_usage.sh
@@ -48,7 +48,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh b/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh
index 2a85729..c0b5aab 100755
--- a/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh
+++ b/bin/hardening/8.1.20_record_open_by_handle_at_syscall.sh
@@ -47,7 +47,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh
index 970caa3..fc08318 100755
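Review bot: In `8.1.18_freeze_auditd_conf.sh` the new `check_auditd_is_immutable_mode` call reloads auditd right after `add_end_of_file $FILE $AUDIT_VALUE`; if that value is the `-e 2` freeze rule the file name suggests (it is defined outside the hunk), the reload switches the running daemon into immutable mode in the middle of a hardening run, and every audit-rule script executed after this one will take the warn-and-reboot branch instead of loading its rule. Unless the harness guarantees this check runs last, I would not trigger the reload here and instead only announce when the freeze takes effect, e.g. replace the call with `warn "$AUDIT_VALUE will be enforced at the next auditd restart; apply the remaining audit rules before rebooting"`. The enclosing apply () function starts before the hunk.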
--- a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh
+++ b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh
@@ -50,7 +50,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh
index d62648a..dfcfd93 100755
--- a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh
+++ b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh
@@ -52,7 +52,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh
index 2058fc6..1dc4feb 100755
--- a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh
+++ b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh
@@ -48,7 +48,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh
index 60660d4..4f8d938 100755
--- a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh
+++ b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh
@@ -46,7 +46,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh
index 310b952..32066d8 100755
--- a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh
+++ b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh
@@ -46,7 +46,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
index 7c813ed..99bac87 100755
--- a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
+++ b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
@@ -47,7 +47,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh
index 1374889..2821d17 100755
--- a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh
+++ b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh
@@ -59,7 +59,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- #eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
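Review bot: In `8.1.27_record_Events_that_modify_conf_files.sh` the line being replaced was commented out (`#eval $(pkill -HUP -P 1 auditd)`), so until now this script never signalled auditd after appending its rule, and the new `check_auditd_is_immutable_mode` call silently changes that while the commit message only describes a rename of the helper. If the reload was disabled on purpose (for instance because this rule set was known not to load cleanly), keep it disabled and record the reason in place, e.g. `# reload intentionally skipped: <reason>`; otherwise the change is fine but should be called out in the commit message. The enclosing apply () function starts before the hunk.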
diff --git a/bin/hardening/8.1.28_record_acl_cmd_usage.sh b/bin/hardening/8.1.28_record_acl_cmd_usage.sh
index 1f531d4..74bf365 100755
--- a/bin/hardening/8.1.28_record_acl_cmd_usage.sh
+++ b/bin/hardening/8.1.28_record_acl_cmd_usage.sh
@@ -48,7 +48,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh
index e8d81d7..4079014 100755
--- a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh
+++ b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh
@@ -47,7 +47,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh
index 4e9e8a8..9d2bae6 100755
--- a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh
+++ b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh
@@ -47,7 +47,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.31_record_syscall_execve.sh b/bin/hardening/8.1.31_record_syscall_execve.sh
index 22c219f..1a6b947 100755
--- a/bin/hardening/8.1.31_record_syscall_execve.sh
+++ b/bin/hardening/8.1.31_record_syscall_execve.sh
@@ -55,7 +55,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh
index d5ad406..7a9626b 100755
--- a/bin/hardening/8.1.4_record_date_time_edit.sh
+++ b/bin/hardening/8.1.4_record_date_time_edit.sh
@@ -59,7 +59,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- check_audit_is_immutable_mode
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh
index 798e163..1f4efe9 100755
--- a/bin/hardening/8.1.5_record_user_group_edit.sh
+++ b/bin/hardening/8.1.5_record_user_group_edit.sh
@@ -47,7 +47,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh
index c4a3fba..349bcf9 100755
--- a/bin/hardening/8.1.6_record_network_edit.sh
+++ b/bin/hardening/8.1.6_record_network_edit.sh
@@ -60,7 +60,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh
index d9605bf..6d81cbd 100755
--- a/bin/hardening/8.1.7_record_mac_edit.sh
+++ b/bin/hardening/8.1.7_record_mac_edit.sh
@@ -77,7 +77,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh
index 9904416..bfaac91 100755
--- a/bin/hardening/8.1.8_record_login_logout.sh
+++ b/bin/hardening/8.1.8_record_login_logout.sh
@@ -45,7 +45,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh
index f5ec465..96de42d 100755
--- a/bin/hardening/8.1.9_record_session_init.sh
+++ b/bin/hardening/8.1.9_record_session_init.sh
@@ -45,7 +45,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$AUDIT_VALUE is not in file $FILE, adding it"
 add_end_of_file $FILE $AUDIT_VALUE
- eval $(pkill -HUP -P 1 auditd)
+ check_auditd_is_immutable_mode
 else
 ok "$AUDIT_VALUE is present in $FILE"
 fi
diff --git a/lib/utils.sh b/lib/utils.sh
index 5883c8a..52870c9 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -872,10 +872,10 @@ check_ipv6_is_enable()
 fi
 }
 
-check_audit_is_immutable_mode()
+check_auditd_is_immutable_mode()
 {
 if [ $(auditctl -s | head -n 1 | awk '{print $2}') -eq 2 ]; then
- warn "The audit system is in immutable mode, no rule changes allowed. So must need reboot after adding/modifying the auditd rule!"
+ warn "The auditd system is in immutable mode, no rule changes allowed. So must need reboot after adding/modifying the auditd rule!"
 else
 eval $(pkill -HUP -P 1 auditd)
 fi
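Review bot: In `lib/utils.sh` the test `[ $(auditctl -s | head -n 1 | awk '{print $2}') -eq 2 ]` in `check_auditd_is_immutable_mode` misbehaves whenever `auditctl` is missing, is not run as root, or prints a different first line: the unquoted substitution expands to nothing, `[` reports an error, and the function falls through to the reload branch as if the rules were mutable. The `eval $(pkill -HUP -P 1 auditd)` it then runs is also an odd construct, because pkill prints nothing so `eval` of an empty string is a no-op wrapper, and `pkill -P 1` only matches an auditd whose parent is PID 1, so a miss returns 1 with no message at all. I would select the `enabled` field by key rather than by line position, quote it with a default, and signal auditd directly while reporting a missed signal, keeping the committed `warn` text. Whether a SIGHUP makes auditd pick up `$FILE` depends on whether that file is the one auditd reloads (`/etc/audit/audit.rules` versus an `augenrules` rules.d fragment), which is outside this hunk; note also that the commit subject still uses the old name `check_audit_is_immutable_mode`.
```shell
check_auditd_is_immutable_mode()
{
    local enabled
    # Pick the "enabled" value by key, not by line position; a missing or
    # failing auditctl leaves it empty and is treated as "not immutable".
    enabled=$(auditctl -s 2>/dev/null | awk '$1 == "enabled" {print $2}')
    if [ "${enabled:-0}" -eq 2 ]; then
        warn "The auditd system is in immutable mode, no rule changes allowed. So must need reboot after adding/modifying the auditd rule!"
    else
        # pkill prints nothing, so the former eval $(...) wrapper was a no-op;
        # report when no auditd child of PID 1 received the reload signal.
        pkill -HUP -P 1 auditd || warn "auditd was not signalled to reload its rules (not running under PID 1?)"
    fi
}
```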