elie/debian-cis
1
0
Fork 0
mirror of https://github.com/ovh/debian-cis.git synced 2025-07-15 05:12:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: update record_mac_edit.sh to use apparmor instead of selinux (#262)

Browse Source 
Update record_mac_edit.sh to be compliant with debian11 and debian12 CIS recommendations.

fix issue #195

Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
This commit is contained in:
damcav35
2025-07-03 09:27:09 +02:00
committed by GitHub
parent 99e6694261
commit 6123a56653
3 changed files with 27 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
bin/hardening/record_mac_edit.sh
View File

@ -17,64 +17,48 @@ HARDENING_LEVEL=4
# shellcheck disable=2034 # shellcheck disable=2034
DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)." DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy' AUDIT_PARAMS=("-w /etc/apparmor/ -p wa -k MAC-policy" "-w /etc/apparmor.d/ -p wa -k MAC-policy")
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' AUDIT_FILE='/etc/audit/audit.rules'
FILE='/etc/audit/rules.d/audit.rules' ADDITIONAL_PATH="/etc/audit/rules.d"
FILE_TO_WRITE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode # This function will be called if the script status is on enabled / audit mode
audit() { audit() {
# define custom IFS and save default one MISSING_PARAMS=()
d_IFS=$IFS index=0
c_IFS=$'\n' # use find here in order to simplify test usage with sudo using secaudit user
IFS=$c_IFS FILES_TO_SEARCH="$(sudo_wrapper find $ADDITIONAL_PATH -name '*.rules' | paste -s) $AUDIT_FILE"
for AUDIT_VALUE in $AUDIT_PARAMS; do for i in "${!AUDIT_PARAMS[@]}"; do
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" debug "${AUDIT_PARAMS[i]} should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0 SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" does_pattern_exist_in_file "$FILE_SEARCHED" "${AUDIT_PARAMS[i]}"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" debug "${AUDIT_PARAMS[i]} is not in file $FILE_SEARCHED"
else else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED" ok "${AUDIT_PARAMS[i]} is present in $FILE_SEARCHED"
SEARCH_RES=1 SEARCH_RES=1
fi fi
done done
if [ "$SEARCH_RES" = 0 ]; then if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" crit "${AUDIT_PARAMS[i]} is not present in $FILES_TO_SEARCH"
MISSING_PARAMS[i]="${AUDIT_PARAMS[i]}"
index=$((index + 1))
fi fi
done done
IFS=$d_IFS
} }
# This function will be called if the script status is on enabled mode # This function will be called if the script status is on enabled mode
apply() { apply() {
# define custom IFS and save default one audit
d_IFS=$IFS changes=0
c_IFS=$'\n' for i in "${!MISSING_PARAMS[@]}"; do
IFS=$c_IFS info "${MISSING_PARAMS[i]} is not present in $FILES_TO_SEARCH, adding it"
for AUDIT_VALUE in $AUDIT_PARAMS; do add_end_of_file "$FILE_TO_WRITE" "${MISSING_PARAMS[i]}"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" changes=1
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
fi
done done
IFS=$d_IFS
[ "$changes" -eq 0 ] || eval "$(pkill -HUP -P 1 auditd)"
} }
# This function will check config parameters required # This function will check config parameters required

2
debian/control vendored
View File

@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/ovh/debian-cis/
Package: cis-hardening Package: cis-hardening
Architecture: all Architecture: all
Depends: ${misc:Depends}, patch Depends: ${misc:Depends}, patch, coreutils
Description: Suite of configurable scripts to audit or harden a Debian. Description: Suite of configurable scripts to audit or harden a Debian.
Modular Debian security hardening scripts based on cisecurity.org Modular Debian security hardening scripts based on cisecurity.org
⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to ⟨cisecurity.org⟩ recommendations. We use it at OVH ⟨https://www.ovh.com⟩ to

5
tests/hardening/record_mac_edit.sh
View File

@ -2,8 +2,7 @@
# run-shellcheck # run-shellcheck
test_audit() { test_audit() {
describe Running on blank host describe Running on blank host
register_test retvalshouldbe 0 register_test retvalshouldbe 1
dismiss_count_for_test
# shellcheck disable=2154 # shellcheck disable=2154
run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
@ -13,6 +12,6 @@ test_audit() {
describe Checking resolved state describe Checking resolved state
register_test retvalshouldbe 0 register_test retvalshouldbe 0
register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules" register_test contain "[ OK ] -w /etc/apparmor/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all run resolved "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
} }