Modify 8.1.7 and 8.4.1 to be compatible with CentOS

2019-08-14 18:40:30 +08:00 · 2019-08-14 18:40:30 +08:00 · fe19d99160
parent 7f23fe9c1c
commit fe19d99160
2 changed files with 29 additions and 9 deletions
--- a/bin/hardening/8.1.7_record_mac_edit.sh
+++ b/bin/hardening/8.1.7_record_mac_edit.sh
@ -1,7 +1,7 @@
 #!/bin/bash

 #
-# harbian audit 7/8/9  Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
 #

 #
@ -10,21 +10,26 @@
 #
 # todo test for centos

-set -e # One error, it's over
 set -u # One variable unset, it's over

 HARDENING_LEVEL=4

 SELINUX_PKG="selinux-basics"
-SE_AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng'
+SELINUX_PKG_REDHAT="selinux-policy"
+
+SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy
+-a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy
+-a always,exit -F path=$(which chcon 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=$(which semanage 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=$(which setsebool 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng
+-a always,exit -F path=$(which setfiles 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng"

 APPARMOR_PKG="apparmor"
 AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy
 -w /etc/apparmor.d/ -p wa -k MAC-policy
 -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy'

+set -e # One error, it's over
 FILE='/etc/audit/rules.d/audit.rules'

 # This function will be called if the script status is on enabled / audit mode
@ -34,6 +39,9 @@ audit () {
    # define custom IFS and save default one
    d_IFS=$IFS
    IFS=$'\n'
+	if [ $OS_RELEASE -eq 2 ]; then 
+		SELINUX_PKG=$SELINUX_PKG_REDHAT
+	fi
 	is_pkg_installed $SELINUX_PKG
 	if [ $FNRET = 0 ]; then
 		AUDIT_PARAMS=$SE_AUDIT_PARAMS
@ -43,6 +51,8 @@ audit () {
 		if [ $FNRET = 0 ]; then
 			AUDIT_PARAMS=$AA_AUDIT_PARAMS
 			info "Apparmor has installed!"
+		else
+			crit "SELinux and Apparmor not install!"
 		fi
 	fi
    for AUDIT_VALUE in $AUDIT_PARAMS; do
@ -61,6 +71,9 @@ audit () {
 apply () {
    d_IFS=$IFS
    IFS=$'\n'
+	if [ $OS_RELEASE -eq 2 ]; then 
+		SELINUX_PKG=$SELINUX_PKG_REDHAT
+	fi
 	is_pkg_installed $SELINUX_PKG
 	if [ $FNRET = 0 ]; then
 		AUDIT_PARAMS=$SE_AUDIT_PARAMS
@ -70,6 +83,8 @@ apply () {
 		if [ $FNRET = 0 ]; then
 			AUDIT_PARAMS=$AA_AUDIT_PARAMS
 			info "Apparmor has installed!"
+		else
+			crit "SELinux and Apparmor not install!"
 		fi
 	fi
    for AUDIT_VALUE in $AUDIT_PARAMS; do
--- a/bin/hardening/8.4.1_install_aide.sh
+++ b/bin/hardening/8.4.1_install_aide.sh
@ -1,7 +1,7 @@
 #!/bin/bash

 #
-# harbian audit 9  Hardening
+# harbian audit 9/10 or CentOS Hardening
 #

 #
@ -34,9 +34,14 @@ apply () {
        ok "$PACKAGE is installed"
    else
        crit "$PACKAGE is absent, installing it"
-        apt_install $PACKAGE
-	    aideinit
-        info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further"
+		if [ $OS_RELEASE -eq 2 ]; then
+			yum install -y $PACKAGE
+			aide --init
+		else
+        	apt_install $PACKAGE
+	    	aideinit
+        	info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further"
+		fi
    fi
 }