From 6123a56653472bd13614c6c7c53619920b252c32 Mon Sep 17 00:00:00 2001
From: damcav35 <51324122+damcav35@users.noreply.github.com>
Date: Thu, 3 Jul 2025 09:27:09 +0200
Subject: [PATCH] fix: update record_mac_edit.sh to use apparmor instead of selinux (#262)

Update record_mac_edit.sh to be compliant with debian11 and debian12 CIS recommendations.

fix issue #195

Co-authored-by: Damien Cavagnini
---
 bin/hardening/record_mac_edit.sh | 64 +++++++++++-------------------
 debian/control | 2 +-
 tests/hardening/record_mac_edit.sh | 5 +--
 3 files changed, 27 insertions(+), 44 deletions(-)

diff --git a/bin/hardening/record_mac_edit.sh b/bin/hardening/record_mac_edit.sh
index 8630183..90e82b2 100755
--- a/bin/hardening/record_mac_edit.sh
+++ b/bin/hardening/record_mac_edit.sh
@@ -17,64 +17,48 @@ HARDENING_LEVEL=4
 # shellcheck disable=2034
 DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
 
-AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
-FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
-FILE='/etc/audit/rules.d/audit.rules'
+AUDIT_PARAMS=("-w /etc/apparmor/ -p wa -k MAC-policy" "-w /etc/apparmor.d/ -p wa -k MAC-policy")
+AUDIT_FILE='/etc/audit/audit.rules'
+ADDITIONAL_PATH="/etc/audit/rules.d"
+FILE_TO_WRITE='/etc/audit/rules.d/audit.rules'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        IFS=$d_IFS
+    MISSING_PARAMS=()
+    index=0
+    # use find here in order to simplify test usage with sudo using secaudit user
+    FILES_TO_SEARCH="$(sudo_wrapper find $ADDITIONAL_PATH -name '*.rules' | paste -s) $AUDIT_FILE"
+    for i in "${!AUDIT_PARAMS[@]}"; do
+        debug "${AUDIT_PARAMS[i]} should be in file $FILES_TO_SEARCH"
         SEARCH_RES=0
         for FILE_SEARCHED in $FILES_TO_SEARCH; do
-            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            IFS=$c_IFS
+            does_pattern_exist_in_file "$FILE_SEARCHED" "${AUDIT_PARAMS[i]}"
             if [ "$FNRET" != 0 ]; then
-                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
+                debug "${AUDIT_PARAMS[i]} is not in file $FILE_SEARCHED"
             else
-                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                ok "${AUDIT_PARAMS[i]} is present in $FILE_SEARCHED"
                 SEARCH_RES=1
             fi
         done
         if [ "$SEARCH_RES" = 0 ]; then
-            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
+            crit "${AUDIT_PARAMS[i]} is not present in $FILES_TO_SEARCH"
+            MISSING_PARAMS[i]="${AUDIT_PARAMS[i]}"
+            index=$((index + 1))
         fi
     done
-    IFS=$d_IFS
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    # define custom IFS and save default one
-    d_IFS=$IFS
-    c_IFS=$'\n'
-    IFS=$c_IFS
-    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
-        IFS=$d_IFS
-        SEARCH_RES=0
-        for FILE_SEARCHED in $FILES_TO_SEARCH; do
-            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
-            IFS=$c_IFS
-            if [ "$FNRET" != 0 ]; then
-                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
-            else
-                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
-                SEARCH_RES=1
-            fi
-        done
-        if [ "$SEARCH_RES" = 0 ]; then
-            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
-            add_end_of_file "$FILE" "$AUDIT_VALUE"
-            eval "$(pkill -HUP -P 1 auditd)"
-        fi
+    audit
+    changes=0
+    for i in "${!MISSING_PARAMS[@]}"; do
+        info "${MISSING_PARAMS[i]} is not present in $FILES_TO_SEARCH, adding it"
+        add_end_of_file "$FILE_TO_WRITE" "${MISSING_PARAMS[i]}"
+        changes=1
     done
-    IFS=$d_IFS
+
+    [ "$changes" -eq 0 ] || eval "$(pkill -HUP -P 1 auditd)"
 }
 
 # This function will check config parameters required
diff --git a/debian/control b/debian/control
index 0358414..bacd8d0 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
 
 Package: cis-hardening
 Architecture: all
-Depends: ${misc:Depends}, patch
+Depends: ${misc:Depends}, patch, coreutils
 Description: Suite of configurable scripts to audit or harden a Debian.
  Modular Debian security hardening scripts based on cisecurity.org ⟨cisecurity.org⟩
  recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to
diff --git a/tests/hardening/record_mac_edit.sh b/tests/hardening/record_mac_edit.sh
index b7b937a..33ce622 100644
--- a/tests/hardening/record_mac_edit.sh
+++ b/tests/hardening/record_mac_edit.sh
@@ -2,8 +2,7 @@
 # run-shellcheck
 test_audit() {
     describe Running on blank host
-    register_test retvalshouldbe 0
-    dismiss_count_for_test
+    register_test retvalshouldbe 1
     # shellcheck disable=2154
     run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 
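Review bot: The reload at the end of apply(), `[ "$changes" -eq 0 ] || eval "$(pkill -HUP -P 1 auditd)"`, does not activate the rules the loop just appended to /etc/audit/rules.d/audit.rules: as far as I know SIGHUP only makes auditd re-read auditd.conf, while rules.d fragments reach the kernel through `augenrules --load` (what Debian's auditd unit runs) or `auditctl -R`, so the new `-w /etc/apparmor/` and `-w /etc/apparmor.d/` watches stay inactive until the next boot even though a subsequent audit run reports them present. I would replace that line with `[ "$changes" -eq 0 ] || augenrules --load`, keeping the HUP only if some deployment still depends on it. The `eval "$(…)"` wrapper is also worth dropping while touching the line: it evaluates pkill's (empty) stdout rather than the command, so it adds nothing beyond running pkill and discards its exit status. Separately, `index` in audit() is incremented but never read — `MISSING_PARAMS[i]` already preserves the sparse index that apply() iterates — so the two `index` lines can go.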
@@ -13,6 +12,6 @@ test_audit() {
 
     describe Checking resolved state
     register_test retvalshouldbe 0
-    register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
+    register_test contain "[ OK ] -w /etc/apparmor/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
     run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
 }
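Review bot: The resolved-state assertion on the added `register_test contain` line only checks the `/etc/apparmor/` watch, while the script now writes two rules; a regression that drops the `/etc/apparmor.d/` rule, or writes it somewhere other than /etc/audit/rules.d/audit.rules, would still pass this test. I would add a second expectation right after it: `register_test contain "[ OK ] -w /etc/apparmor.d/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"`. test_audit() starts above this hunk.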