debian-cis/bin/hardening/8.0_enable_auditd_kernel.sh

#!/bin/bash

#
# CIS Debian Hardening
#

#
# 8.0 Ensure CONFIG_AUDIT is enabled in your running kernel
#

set -e # One error, it's over
set -u # One variable unset, it's over

HARDENING_LEVEL=4
DESCRIPTION="Ensure CONFIG_AUDIT is enabled in your running kernel."

# Note : Not part of the CIS guide, but what's the point of configuring software not compatible with your kernel? :)

KERNEL_OPTION="CONFIG_AUDIT"


# This function will be called if the script status is on enabled / audit mode
audit () {
    is_kernel_option_enabled "^$KERNEL_OPTION="
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        ok "$KERNEL_OPTION is enabled"
    else
        crit "$KERNEL_OPTION is disabled, auditd will not work"
    fi
    :
}

# This function will be called if the script status is on enabled mode
apply () {
    is_kernel_option_enabled "^$KERNEL_OPTION="
    if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated
        ok "$KERNEL_OPTION is enabled"
    else
        warn "I cannot fix $KERNEL_OPTION disabled, to make auditd work, recompile your kernel please"
    fi
    :
}

# This function will check config parameters required
check_config() {
    :
}

# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
     echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
     echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then
    . $CIS_ROOT_DIR/lib/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`#!/bin/bash`

			`#`
Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00			`# CIS Debian Hardening`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`#`

			`#`
8.0_enable_auditd_kernel.sh 8.1.1.2_halt_when_audit_log_full.sh 8.1.2_enable_auditd.sh 2016-04-14 10:40:31 +02:00			`# 8.0 Ensure CONFIG_AUDIT is enabled in your running kernel`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`HARDENING_LEVEL=4`
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main Update README with --batch mode info Add --batch mode in hardening.sh Change summary to make it oneliner when batch mode AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74 2017-10-31 17:44:15 +01:00			`DESCRIPTION="Ensure CONFIG_AUDIT is enabled in your running kernel."`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
Rephrase confusing messages 2016-04-21 18:32:36 +02:00			`# Note : Not part of the CIS guide, but what's the point of configuring software not compatible with your kernel? :)`
8.0_enable_auditd_kernel.sh 8.1.1.2_halt_when_audit_log_full.sh 8.1.2_enable_auditd.sh 2016-04-14 10:40:31 +02:00
			`KERNEL_OPTION="CONFIG_AUDIT"`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00

			`# This function will be called if the script status is on enabled / audit mode`
			`audit () {`
8.0_enable_auditd_kernel.sh 8.1.1.2_halt_when_audit_log_full.sh 8.1.2_enable_auditd.sh 2016-04-14 10:40:31 +02:00			`is_kernel_option_enabled "^$KERNEL_OPTION="`
			`if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated`
			`ok "$KERNEL_OPTION is enabled"`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`else`
8.0_enable_auditd_kernel.sh 8.1.1.2_halt_when_audit_log_full.sh 8.1.2_enable_auditd.sh 2016-04-14 10:40:31 +02:00			`crit "$KERNEL_OPTION is disabled, auditd will not work"`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`fi`
8.0_enable_auditd_kernel.sh 8.1.1.2_halt_when_audit_log_full.sh 8.1.2_enable_auditd.sh 2016-04-14 10:40:31 +02:00			`:`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`}`

			`# This function will be called if the script status is on enabled mode`
			`apply () {`
8.0_enable_auditd_kernel.sh 8.1.1.2_halt_when_audit_log_full.sh 8.1.2_enable_auditd.sh 2016-04-14 10:40:31 +02:00			`is_kernel_option_enabled "^$KERNEL_OPTION="`
			`if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated`
			`ok "$KERNEL_OPTION is enabled"`
			`else`
			`warn "I cannot fix $KERNEL_OPTION disabled, to make auditd work, recompile your kernel please"`
			`fi`
			`:`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00			`}`

			`# This function will check config parameters required`
			`check_config() {`
			`:`
			`}`

			`# Source Root Dir Parameter`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`if [ -r /etc/default/cis-hardening ]; then`
Corrected default file path 2016-04-18 17:39:14 +02:00			`. /etc/default/cis-hardening`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`fi`
			`if [ -z "$CIS_ROOT_DIR" ]; then`
Expand tabs to 4 spaces and trim trailing spaces 2017-11-17 15:13:27 +01:00			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`echo "Cannot source CIS_ROOT_DIR variable, aborting."`
			`exit 128`
			`fi`
7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh 2016-04-13 22:51:18 +02:00
			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
Fixed default file error handling and quickstart 2016-04-21 23:19:50 +02:00			`if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then`
			`. $CIS_ROOT_DIR/lib/main.sh`
			`else`
			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"`
			`exit 128`
			`fi`