From f6b1ea8286bd4531d3947886215c325315f9a24f Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Mon, 21 Jun 2021 01:18:16 +0800
Subject: [PATCH] Modify function check_audit_path to check whether the pathname of the rule in the from of 'auditctl -w' is valid.
---
 lib/utils.sh | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/lib/utils.sh b/lib/utils.sh
index b4339c2..b2a69cf 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -1141,7 +1141,9 @@ yum_check_updates()
 # Check path of audit rule is exist, return 0 if path string is not NULL, else return 1
 # Example:
 # Process only the following format:
-# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd"
+# AUDITRULE="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" or
+# AUDITRULE="-a always,exit -F dir=/home/ -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" or
+# AUDITRULE="-w /home/ -k privileged-passwd"
 # Please manually execute apt-file (Debian) / yum Provides (redhat) to ensure that the path already exists in the repository.
 # example: apt-file search /usr/bin/passwd
 # freedom-maker: /usr/bin/passwd-in-image 
@@ -1149,13 +1151,29 @@ yum_check_updates()
 check_audit_path ()
 {
 AUDITRULE=$1
- RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
- if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
- debug "File $RESULT is exist!"
- FNRET=0
+ # Check -w style, for example: "-w /etc/shadow -p wa" "-w /etc/ -p wa"
+ if [ $(grep -c "-w") -eq 1 ]; then
+ RESULT=$(echo $AUDITRULE | awk '{print $2}')
+ if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
+ debug "File $RESULT is exist!"
+ FNRET=0
+ else
+ warn "File $RESULT is not exist!"
+ FNRET=1
+ fi
+ # Check -F style, for example: "-a always,exit -F path=/etc/shadow -F perm=wa" "-a always,exit -F dir=/etc/ -F perm=wa"
+ elif [ $(grep -c "\-F.*path=") -eq 1 -o $(grep -c "\-F.*dir=") -eq 1 ]; then
+ RESULT=$(echo $AUDITRULE | awk -F"-F" '{print $2}' | awk -F"=" '{print $2}')
+ if [ -f $(eval echo $RESULT) -o -d $(eval echo $RESULT) ]; then
+ debug "File $RESULT is exist!"
+ FNRET=0
+ else
+ warn "File $RESULT is not exist!"
+ FNRET=1
+ fi
 else
- warn "File $RESULT is not exist!"
- FNRET=1
+ info "This rule is not including path or dir."
+ FNRET=0
 fi
 }
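Review bot: The three new `grep -c` calls in the `if`/`elif` of check_audit_path never look at `$AUDITRULE`: grep is given no file operand, so it reads the script's stdin, and in the first test `"-w"` is parsed by grep as its word-match option rather than a pattern, leaving no pattern at all, so that substitution expands to nothing and `[ -eq 1 ]` fails with "unary operator expected" before any `-w` rule can be recognized. Feed the rule to grep and protect the leading dash, e.g. `if echo "$AUDITRULE" | grep -q -e "-w"; then` and `elif echo "$AUDITRULE" | grep -q -E -e "-F *(path|dir)="; then`, or use a bash pattern match such as `[[ $AUDITRULE == *"-w "* ]]` since the count is only ever compared to 1. Separately, both new branches keep the old `eval echo $RESULT`, which runs the path text taken from the rule as shell; unless the rule source is fully trusted, testing `-f "$RESULT" -o -d "$RESULT"` without `eval` (after expanding `~` or variables deliberately, if that is why eval was used) avoids executing rule content. The hunk headers count one more context line than is visible here, so the closing blank line of the function is presumably outside this view.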