mirror of
https://github.com/hardenedlinux/harbian-audit.git
synced 2025-07-31 01:24:58 +02:00
Add audit and apply methods for 8.2.4, and remove 8.2.5
This commit is contained in:
Samson-W
parent
3ffe674af9
commit
f2f851c8ce
@ -1,131 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
#
|
|
||||||
# harbian audit 7/8/9 Hardening
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# 8.2.4 Check Permissions on rsyslog Log Files on runtime (Scored)
|
|
||||||
# Author : Samson wen, Samson <sccxboy@gmail.com>
|
|
||||||
#
|
|
||||||
|
|
||||||
set -e # One error, it's over
|
|
||||||
set -u # One variable unset, it's over
|
|
||||||
|
|
||||||
HARDENING_LEVEL=3
|
|
||||||
|
|
||||||
PACKAGE_NG='syslog-ng'
|
|
||||||
|
|
||||||
PERMISSIONS='640'
|
|
||||||
USER='root'
|
|
||||||
GROUP='adm'
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
|
||||||
audit () {
|
|
||||||
is_pkg_installed $PACKAGE_NG
|
|
||||||
if [ $FNRET = 0 ]; then
|
|
||||||
ok "$PACKAGE_NG has installed, so pass."
|
|
||||||
else
|
|
||||||
does_file_exist "$SYSLOG_BASEDIR/rsyslog.conf"
|
|
||||||
if [ $FNRET != 0 ]; then
|
|
||||||
warn "$SYSLOG_BASEDIR/rsyslog.conf is not exist! "
|
|
||||||
else
|
|
||||||
FILES=$(grep -v "^#" $SYSLOG_BASEDIR/rsyslog.conf | grep "-" | awk '{print $2}' | awk -F- '{print $2}')
|
|
||||||
for FILE in $FILES; do
|
|
||||||
does_file_exist $FILE
|
|
||||||
if [ $FNRET != 0 ]; then
|
|
||||||
crit "$FILE does not exist"
|
|
||||||
else
|
|
||||||
has_file_correct_ownership $FILE $USER $GROUP
|
|
||||||
if [ $FNRET = 0 ]; then
|
|
||||||
ok "$FILE has correct ownership"
|
|
||||||
else
|
|
||||||
crit "$FILE ownership was not set to $USER:$GROUP"
|
|
||||||
fi
|
|
||||||
has_file_correct_permissions $FILE $PERMISSIONS
|
|
||||||
if [ $FNRET = 0 ]; then
|
|
||||||
ok "$FILE has correct permissions"
|
|
||||||
else
|
|
||||||
crit "$FILE permissions were not set to $PERMISSIONS"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
|
||||||
apply () {
|
|
||||||
is_pkg_installed $PACKAGE_NG
|
|
||||||
if [ $FNRET = 0 ]; then
|
|
||||||
ok "$PACKAGE_NG has installed, so pass."
|
|
||||||
else
|
|
||||||
does_file_exist "$SYSLOG_BASEDIR/rsyslog.conf"
|
|
||||||
if [ $FNRET != 0 ]; then
|
|
||||||
warn "$SYSLOG_BASEDIR/rsyslog.conf is not exist! "
|
|
||||||
else
|
|
||||||
FILES=$(grep -v "^#" $SYSLOG_BASEDIR/rsyslog.conf | grep "-" | awk '{print $2}' | awk -F- '{print $2}')
|
|
||||||
for FILE in $FILES; do
|
|
||||||
does_file_exist $FILE
|
|
||||||
if [ $FNRET != 0 ]; then
|
|
||||||
info "$FILE does not exist, create $FILE"
|
|
||||||
extend_touch_file $FILE
|
|
||||||
fi
|
|
||||||
has_file_correct_ownership $FILE $USER $GROUP
|
|
||||||
if [ $FNRET = 0 ]; then
|
|
||||||
ok "$FILE has correct ownership"
|
|
||||||
else
|
|
||||||
warn "fixing $FILE ownership to $USER:$GROUP"
|
|
||||||
chown $USER:$GROUP $FILE
|
|
||||||
fi
|
|
||||||
has_file_correct_permissions $FILE $PERMISSIONS
|
|
||||||
if [ $FNRET = 0 ]; then
|
|
||||||
ok "$FILE has correct permissions"
|
|
||||||
else
|
|
||||||
info "fixing $FILE permissions to $PERMISSIONS"
|
|
||||||
chmod 0$PERMISSIONS $FILE
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# This function will create the config file for this check with default values
|
|
||||||
create_config() {
|
|
||||||
cat <<EOF
|
|
||||||
status=disabled
|
|
||||||
SYSLOG_BASEDIR='/etc'
|
|
||||||
EOF
|
|
||||||
}
|
|
||||||
|
|
||||||
# This function will check config parameters required
|
|
||||||
check_config() {
|
|
||||||
does_user_exist $USER
|
|
||||||
if [ $FNRET != 0 ]; then
|
|
||||||
crit "$USER does not exist"
|
|
||||||
exit 128
|
|
||||||
fi
|
|
||||||
does_group_exist $GROUP
|
|
||||||
if [ $FNRET != 0 ]; then
|
|
||||||
crit "$GROUP does not exist"
|
|
||||||
exit 128
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Source Root Dir Parameter
|
|
||||||
if [ -r /etc/default/cis-hardening ]; then
|
|
||||||
. /etc/default/cis-hardening
|
|
||||||
fi
|
|
||||||
if [ -z "$CIS_ROOT_DIR" ]; then
|
|
||||||
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
|
|
||||||
echo "Cannot source CIS_ROOT_DIR variable, aborting."
|
|
||||||
exit 128
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
|
||||||
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
|
|
||||||
. $CIS_ROOT_DIR/lib/main.sh
|
|
||||||
else
|
|
||||||
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
|
|
||||||
exit 128
|
|
||||||
fi
|
|
||||||
@ -20,9 +20,12 @@ PERMISSIONS='640'
|
|||||||
USER='root'
|
USER='root'
|
||||||
GROUP='adm'
|
GROUP='adm'
|
||||||
|
|
||||||
OWNER_USER_KEY='^\$FileOwner'
|
OWNER_USER_KEY='$FileOwner'
|
||||||
OWNER_GROUP_KEY='^\$FileGroup'
|
OWNER_GROUP_KEY='$FileGroup'
|
||||||
PERMIS_KEY='^\$FileCreateMode'
|
PERMIS_KEY='$FileCreateMode'
|
||||||
|
|
||||||
|
FILE='$SYSLOG_BASEDIR/rsyslog.conf'
|
||||||
|
FILE_WIDE='$SYSLOG_BASEDIR/rsyslog.d/*.conf'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
@ -30,40 +33,40 @@ audit () {
|
|||||||
if [ $FNRET = 0 ]; then
|
if [ $FNRET = 0 ]; then
|
||||||
ok "$PACKAGE_NG has installed, so pass."
|
ok "$PACKAGE_NG has installed, so pass."
|
||||||
else
|
else
|
||||||
does_file_exist "$SYSLOG_BASEDIR/rsyslog.conf"
|
does_file_exist "$FILE"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
warn "$SYSLOG_BASEDIR/rsyslog.conf is not exist! "
|
crit "$FILE is not exist! "
|
||||||
else
|
else
|
||||||
does_pattern_exist_in_file "$SYSLOG_BASEDIR/rsyslog.conf" "$OWNER_USER_KEY"
|
does_pattern_exist_in_file "$FILE" "$OWNER_USER_KEY"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
warn "$OWNER_USER_KEY is not exist in $SYSLOG_BASEDIR/rsyslog.conf"
|
crit "$OWNER_USER_KEY is not exist in $FILE"
|
||||||
else
|
else
|
||||||
OWNER_USER_NAME=$(grep "$OWNER_USER_KEY" /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
OWNER_USER_NAME=$(grep "$OWNER_USER_KEY" $FILE $FILE_WIDE 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
||||||
if [ "$OWNER_USER_NAME" != "$USER" ]; then
|
if [ "$OWNER_USER_NAME" != "$USER" ]; then
|
||||||
warn "File owner not set is root!"
|
crit "File owner not set is root!"
|
||||||
else
|
else
|
||||||
ok "File owner set is root!"
|
ok "File owner set is root!"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
does_pattern_exist_in_file "$SYSLOG_BASEDIR/rsyslog.conf" "$OWNER_GROUP_KEY"
|
does_pattern_exist_in_file "$FILE" "$OWNER_GROUP_KEY"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
warn "$OWNER_USER_KEY is not exist in $SYSLOG_BASEDIR/rsyslog.conf"
|
crit "$OWNER_GROUP_KEY is not exist in $FILE"
|
||||||
else
|
else
|
||||||
OWNER_GROUP_NAME=$(grep "$OWNER_GROUP_KEY" /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
OWNER_GROUP_NAME=$(grep "$OWNER_GROUP_KEY" $FILE $FILE_WIDE 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
||||||
if [ "$OWNER_GROUP_NAME" != "$GROUP" ]; then
|
if [ "$OWNER_GROUP_NAME" != "$GROUP" ]; then
|
||||||
warn "File group not set is $GROUP!"
|
crit "File group not set is $GROUP!"
|
||||||
else
|
else
|
||||||
ok "File group set is $GROUP!"
|
ok "File group set is $GROUP!"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
does_pattern_exist_in_file "$SYSLOG_BASEDIR/rsyslog.conf" "$PERMIS_KEY"
|
does_pattern_exist_in_file "$FILE" "$PERMIS_KEY"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
warn "$OWNER_USER_KEY is not exist in $SYSLOG_BASEDIR/rsyslog.conf"
|
crit "$PERMIS_KEY is not exist in $FILE"
|
||||||
else
|
else
|
||||||
PERMIS_KEY_NAME=$(grep "$PERMIS_KEY" /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
PERMIS_KEY_NAME=$(grep "$PERMIS_KEY" $FILE $FILE_WIDE 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
||||||
if [ "$PERMIS_KEY_NAME" != "$PERMISSIONS" ]; then
|
if [ "$PERMIS_KEY_NAME" != "$PERMISSIONS" ]; then
|
||||||
warn "File permissions not set is $PERMISSIONS!"
|
crit "File permissions not set is $PERMISSIONS!"
|
||||||
else
|
else
|
||||||
ok "File permissions set is $PERMISSIONS!"
|
ok "File permissions set is $PERMISSIONS!"
|
||||||
fi
|
fi
|
||||||
@ -78,47 +81,52 @@ apply () {
|
|||||||
if [ $FNRET = 0 ]; then
|
if [ $FNRET = 0 ]; then
|
||||||
ok "$PACKAGE_NG has installed, so pass."
|
ok "$PACKAGE_NG has installed, so pass."
|
||||||
else
|
else
|
||||||
does_file_exist "$SYSLOG_BASEDIR/rsyslog.conf"
|
does_file_exist "$FILE"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
warn "$SYSLOG_BASEDIR/rsyslog.conf is not exist! "
|
crit "$FILE is not exist! Please check."
|
||||||
else
|
else
|
||||||
does_pattern_exist_in_file "$SYSLOG_BASEDIR/rsyslog.conf" "$OWNER_USER_KEY"
|
does_pattern_exist_in_file "$FILE" "$OWNER_USER_KEY"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
warn "$OWNER_USER_KEY is not exist in $SYSLOG_BASEDIR/rsyslog.conf"
|
warn "$OWNER_USER_KEY is not exist in $FILE, add it"
|
||||||
|
add_end_of_file $FILE "$OWNER_USER_KEY $USER"
|
||||||
else
|
else
|
||||||
OWNER_USER_NAME=$(grep "$OWNER_USER_KEY" /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
OWNER_USER_NAME=$(grep "$OWNER_USER_KEY" $FILE $FILE_WIDE 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
||||||
if [ "$OWNER_USER_NAME" != "$USER" ]; then
|
if [ "$OWNER_USER_NAME" != "$USER" ]; then
|
||||||
warn "File owner not set is root!"
|
warn "File owner not set is $USER! Reset it"
|
||||||
|
replace_in_file $FILE "$OWNER_USER_KEY.*" "$OWNER_USER_KEY $USER"
|
||||||
else
|
else
|
||||||
ok "File owner set is root!"
|
ok "File owner set is $USER!"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
does_pattern_exist_in_file "$SYSLOG_BASEDIR/rsyslog.conf" "$OWNER_GROUP_KEY"
|
does_pattern_exist_in_file "$FILE" "$OWNER_GROUP_KEY"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
warn "$OWNER_USER_KEY is not exist in $SYSLOG_BASEDIR/rsyslog.conf"
|
warn "$OWNER_GROUP_KEY is not exist in $FILE, add it"
|
||||||
|
add_end_of_file $FILE "$OWNER_GROUP_KEY $GROUP"
|
||||||
else
|
else
|
||||||
OWNER_GROUP_NAME=$(grep "$OWNER_GROUP_KEY" /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
OWNER_GROUP_NAME=$(grep "$OWNER_GROUP_KEY" $FILE $FILE_WIDE 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
||||||
if [ "$OWNER_GROUP_NAME" != "$GROUP" ]; then
|
if [ "$OWNER_GROUP_NAME" != "$GROUP" ]; then
|
||||||
warn "File group not set is $GROUP!"
|
warn "File group not set is $GROUP! Reset it"
|
||||||
|
replace_in_file $FILE "$OWNER_GROUP_KEY.*" "$OWNER_GROUP_KEY $GROUP"
|
||||||
else
|
else
|
||||||
ok "File group set is $GROUP!"
|
ok "File group set is $GROUP!"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
does_pattern_exist_in_file "$SYSLOG_BASEDIR/rsyslog.conf" "$PERMIS_KEY"
|
does_pattern_exist_in_file "$FILE" "$PERMIS_KEY"
|
||||||
if [ $FNRET != 0 ]; then
|
if [ $FNRET != 0 ]; then
|
||||||
warn "$OWNER_USER_KEY is not exist in $SYSLOG_BASEDIR/rsyslog.conf"
|
warn "$PERMIS_KEY is not exist in $FILE, add it"
|
||||||
|
add_end_of_file $FILE "$PERMIS_KEY $PERMISSIONS"
|
||||||
else
|
else
|
||||||
PERMIS_KEY_NAME=$(grep "$PERMIS_KEY" /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
PERMIS_KEY_NAME=$(grep "$PERMIS_KEY" $FILE $FILE_WIDE 2>>/dev/null | awk -F: '{print $2}' | awk '{print $2}')
|
||||||
if [ "$PERMIS_KEY_NAME" != "$PERMISSIONS" ]; then
|
if [ "$PERMIS_KEY_NAME" != "$PERMISSIONS" ]; then
|
||||||
warn "File permissions not set is $PERMISSIONS!"
|
warn "File permissions not set is $PERMISSIONS! Reset it"
|
||||||
|
replace_in_file $FILE "$PERMIS_KEY.*" "$PERMIS_KEY $PERMISSIONS"
|
||||||
else
|
else
|
||||||
ok "File permissions set is $PERMISSIONS!"
|
ok "File permissions set is $PERMISSIONS!"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will create the config file for this check with default values
|
# This function will create the config file for this check with default values
|
||||||
Loading…
x
Reference in New Issue
Block a user