debian-cis/bin/hardening/4.1.18_freeze_auditd_conf.sh

#!/bin/bash

# run-shellcheck
#
# CIS Debian Hardening
#

#
# 4.1.18 Ensure the audit configuration is immutable (Scored)
#

set -e # One error, it's over
set -u # One variable unset, it's over

# shellcheck disable=2034
HARDENING_LEVEL=4
# shellcheck disable=2034
DESCRIPTION="Make the audit configuration immutable."

AUDIT_PARAMS='-e 2'
FILE='/etc/audit/audit.rules'

# This function will be called if the script status is on enabled / audit mode
audit() {
    # define custom IFS and save default one
    d_IFS=$IFS
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        IFS=$d_IFS
        does_pattern_exist_in_file $FILE $AUDIT_VALUE
        IFS=$c_IFS
        if [ "$FNRET" != 0 ]; then
            crit "$AUDIT_VALUE is not in file $FILE"
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
    IFS=$d_IFS
}

# This function will be called if the script status is on enabled mode
apply() {
    IFS=$'\n'
    for AUDIT_VALUE in $AUDIT_PARAMS; do
        debug "$AUDIT_VALUE should be in file $FILE"
        does_pattern_exist_in_file $FILE $AUDIT_VALUE
        if [ "$FNRET" != 0 ]; then
            warn "$AUDIT_VALUE is not in file $FILE, adding it"
            add_end_of_file $FILE $AUDIT_VALUE
            eval $(pkill -HUP -P 1 auditd)
        else
            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
}

# This function will check config parameters required
check_config() {
    :
}

# Source Root Dir Parameter
if [ -r /etc/default/cis-hardening ]; then
    # shellcheck source=../../debian/default
    . /etc/default/cis-hardening
fi
if [ -z "$CIS_ROOT_DIR" ]; then
    echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
    echo "Cannot source CIS_ROOT_DIR variable, aborting."
    exit 128
fi

# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then
    # shellcheck source=../../lib/main.sh
    . "$CIS_ROOT_DIR"/lib/main.sh
else
    echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"
    exit 128
fi
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`#!/bin/bash`

IMP(shellcheck): add run-shellcheck prefix 2020-11-23 17:10:37 +01:00			`# run-shellcheck`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`#`
Update debian 7/8/9 in help files and remove in generic scripts 2019-02-06 15:19:14 +01:00			`# CIS Debian Hardening`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`#`

			`#`
Renum 8.1.x auditing configuration renamed: bin/hardening/8.1.1.1_audit_log_storage.sh -> bin/hardening/4.1.1.1_audit_log_storage.sh renamed: bin/hardening/8.1.1.2_halt_when_audit_log_full.sh -> bin/hardening/4.1.1.2_halt_when_audit_log_full.sh renamed: bin/hardening/8.1.1.3_keep_all_audit_logs.sh -> bin/hardening/4.1.1.3_keep_all_audit_logs.sh renamed: bin/hardening/8.1.10_record_dac_edit.sh -> bin/hardening/4.1.10_record_dac_edit.sh renamed: bin/hardening/8.1.11_record_failed_access_file.sh -> bin/hardening/4.1.11_record_failed_access_file.sh renamed: bin/hardening/8.1.12_record_privileged_commands.sh -> bin/hardening/4.1.12_record_privileged_commands.sh renamed: bin/hardening/8.1.13_record_successful_mount.sh -> bin/hardening/4.1.13_record_successful_mount.sh renamed: bin/hardening/8.1.14_record_file_deletions.sh -> bin/hardening/4.1.14_record_file_deletions.sh renamed: bin/hardening/8.1.15_record_sudoers_edit.sh -> bin/hardening/4.1.15_record_sudoers_edit.sh renamed: bin/hardening/8.1.16_record_sudo_usage.sh -> bin/hardening/4.1.16_record_sudo_usage.sh renamed: bin/hardening/8.1.17_record_kernel_modules.sh -> bin/hardening/4.1.17_record_kernel_modules.sh renamed: bin/hardening/8.1.18_freeze_auditd_conf.sh -> bin/hardening/4.1.18_freeze_auditd_conf.sh renamed: bin/hardening/8.1.2_enable_auditd.sh -> bin/hardening/4.1.2_enable_auditd.sh renamed: bin/hardening/8.1.3_audit_bootloader.sh -> bin/hardening/4.1.3_audit_bootloader.sh renamed: bin/hardening/8.1.4_record_date_time_edit.sh -> bin/hardening/4.1.4_record_date_time_edit.sh renamed: bin/hardening/8.1.5_record_user_group_edit.sh -> bin/hardening/4.1.5_record_user_group_edit.sh renamed: bin/hardening/8.1.6_record_network_edit.sh -> bin/hardening/4.1.6_record_network_edit.sh renamed: bin/hardening/8.1.7_record_mac_edit.sh -> bin/hardening/4.1.7_record_mac_edit.sh renamed: bin/hardening/8.1.8_record_login_logout.sh -> bin/hardening/4.1.8_record_login_logout.sh renamed: bin/hardening/8.1.9_record_session_init.sh -> bin/hardening/4.1.9_record_session_init.sh renamed: tests/hardening/8.1.9_record_session_init.sh -> tests/hardening/4.1.1.1_audit_log_storage.sh renamed: tests/hardening/8.1.8_record_login_logout.sh -> tests/hardening/4.1.1.2_halt_when_audit_log_full.sh renamed: tests/hardening/8.1.7_record_mac_edit.sh -> tests/hardening/4.1.1.3_keep_all_audit_logs.sh renamed: tests/hardening/8.1.6_record_network_edit.sh -> tests/hardening/4.1.10_record_dac_edit.sh renamed: tests/hardening/8.1.5_record_user_group_edit.sh -> tests/hardening/4.1.11_record_failed_access_file.sh renamed: tests/hardening/8.1.4_record_date_time_edit.sh -> tests/hardening/4.1.12_record_privileged_commands.sh renamed: tests/hardening/8.1.3_audit_bootloader.sh -> tests/hardening/4.1.13_record_successful_mount.sh renamed: tests/hardening/8.1.2_enable_auditd.sh -> tests/hardening/4.1.14_record_file_deletions.sh renamed: tests/hardening/8.1.18_freeze_auditd_conf.sh -> tests/hardening/4.1.15_record_sudoers_edit.sh renamed: tests/hardening/8.1.17_record_kernel_modules.sh -> tests/hardening/4.1.16_record_sudo_usage.sh renamed: tests/hardening/8.1.16_record_sudo_usage.sh -> tests/hardening/4.1.17_record_kernel_modules.sh renamed: tests/hardening/8.1.15_record_sudoers_edit.sh -> tests/hardening/4.1.18_freeze_auditd_conf.sh renamed: tests/hardening/8.1.14_record_file_deletions.sh -> tests/hardening/4.1.2_enable_auditd.sh renamed: tests/hardening/8.1.13_record_successful_mount.sh -> tests/hardening/4.1.3_audit_bootloader.sh renamed: tests/hardening/8.1.12_record_privileged_commands.sh -> tests/hardening/4.1.4_record_date_time_edit.sh renamed: tests/hardening/8.1.11_record_failed_access_file.sh -> tests/hardening/4.1.5_record_user_group_edit.sh renamed: tests/hardening/8.1.10_record_dac_edit.sh -> tests/hardening/4.1.6_record_network_edit.sh renamed: tests/hardening/8.1.1.3_keep_all_audit_logs.sh -> tests/hardening/4.1.7_record_mac_edit.sh renamed: tests/hardening/8.1.1.2_halt_when_audit_log_full.sh -> tests/hardening/4.1.8_record_login_logout.sh renamed: tests/hardening/8.1.1.1_audit_log_storage.sh -> tests/hardening/4.1.9_record_session_init.sh 2019-09-09 16:45:54 +02:00			`# 4.1.18 Ensure the audit configuration is immutable (Scored)`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`#`

			`set -e # One error, it's over`
			`set -u # One variable unset, it's over`

IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00			`HARDENING_LEVEL=4`
IMP(shellcheck): comply with shellcheck rules I added shellcheck prefixes to fix: * SC1091 (following sourced files) * SC2034 (unused variables) 2020-11-27 09:18:00 +01:00			`# shellcheck disable=2034`
Adding batch mode to output just one line of text (no colors) in order to be parsed by computer tools Adding DESCRIPTION field in tests and [INFO] DESCRIPTION in main Update README with --batch mode info Add --batch mode in hardening.sh Change summary to make it oneliner when batch mode AUDIT_SUMMARY PASSED_CHECKS:95 RUN_CHECKS:191 TOTAL_CHECKS_AVAIL:191 CONFORMITY_PERCENTAGE:49.74 2017-10-31 17:44:15 +01:00			`DESCRIPTION="Make the audit configuration immutable."`
add hardening templating and several enhancements 2017-05-18 18:40:09 +02:00
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`AUDIT_PARAMS='-e 2'`
			`FILE='/etc/audit/audit.rules'`

			`# This function will be called if the script status is on enabled / audit mode`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`audit() {`
Add sudo management in main and utils * perform readonly checks as a regular user * sudo -n is used for checks requiring root privileges * increase accountability by providing log of individual access to sensitive files 2017-11-09 15:45:42 +01:00			`# define custom IFS and save default one`
			`d_IFS=$IFS`
			`c_IFS=$'\n'`
			`IFS=$c_IFS`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`for AUDIT_VALUE in $AUDIT_PARAMS; do`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`debug "$AUDIT_VALUE should be in file $FILE"`
Add sudo management in main and utils * perform readonly checks as a regular user * sudo -n is used for checks requiring root privileges * increase accountability by providing log of individual access to sensitive files 2017-11-09 15:45:42 +01:00			`IFS=$d_IFS`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`does_pattern_exist_in_file $FILE $AUDIT_VALUE`
Add sudo management in main and utils * perform readonly checks as a regular user * sudo -n is used for checks requiring root privileges * increase accountability by providing log of individual access to sensitive files 2017-11-09 15:45:42 +01:00			`IFS=$c_IFS`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`if [ "$FNRET" != 0 ]; then`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`crit "$AUDIT_VALUE is not in file $FILE"`
			`else`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`ok "$AUDIT_VALUE is present in $FILE"`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`fi`
			`done`
Add sudo management in main and utils * perform readonly checks as a regular user * sudo -n is used for checks requiring root privileges * increase accountability by providing log of individual access to sensitive files 2017-11-09 15:45:42 +01:00			`IFS=$d_IFS`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`}`

			`# This function will be called if the script status is on enabled mode`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`apply() {`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`IFS=$'\n'`
			`for AUDIT_VALUE in $AUDIT_PARAMS; do`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`debug "$AUDIT_VALUE should be in file $FILE"`
			`does_pattern_exist_in_file $FILE $AUDIT_VALUE`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`if [ "$FNRET" != 0 ]; then`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`warn "$AUDIT_VALUE is not in file $FILE, adding it"`
			`add_end_of_file $FILE $AUDIT_VALUE`
			`eval $(pkill -HUP -P 1 auditd)`
			`else`
debian dependencies fix, rephrasing, revision bump 1.0-8. 2016-04-25 15:15:49 +02:00			`ok "$AUDIT_VALUE is present in $FILE"`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00			`fi`
			`done`
			`}`

			`# This function will check config parameters required`
			`check_config() {`
			`:`
			`}`

			`# Source Root Dir Parameter`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`if [ -r /etc/default/cis-hardening ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`# shellcheck source=../../debian/default`
Corrected default file path 2016-04-18 17:39:14 +02:00			`. /etc/default/cis-hardening`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`fi`
			`if [ -z "$CIS_ROOT_DIR" ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."`
			`echo "Cannot source CIS_ROOT_DIR variable, aborting."`
Applying batch edit to all hardening/*.sh scripts for new CIS_ROOT_DIR management 2017-10-25 14:50:39 +02:00			`exit 128`
			`fi`
8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh 2016-04-14 16:44:14 +02:00
			`# Main function, will call the proper functions given the configuration (audit, enabled, disabled)`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`if [ -r "$CIS_ROOT_DIR"/lib/main.sh ]; then`
IMP(shfmt): add shell formatter 2020-12-04 14:08:01 +01:00			`# shellcheck source=../../lib/main.sh`
IMP(shellcheck): quoting harmless variables (SC2086) 2020-11-27 09:29:11 +01:00			`. "$CIS_ROOT_DIR"/lib/main.sh`
Fixed default file error handling and quickstart 2016-04-21 23:19:50 +02:00			`else`
			`echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening"`
			`exit 128`
			`fi`