diff --git a/bin/hardening/4.1.10_record_failed_access_file.sh b/bin/hardening/4.1.10_record_failed_access_file.sh index 3e67863..68d72bd 100755 --- a/bin/hardening/4.1.10_record_failed_access_file.sh +++ b/bin/hardening/4.1.10_record_failed_access_file.sh @@ -21,7 +21,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { @@ -30,14 +31,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS 
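Review bot: `FILES_TO_SEARCH` in 4.1.10_record_failed_access_file.sh counts a match in either `/etc/audit/audit.rules` or `/etc/audit/rules.d/audit.rules` as compliant, but nothing records which of the two auditd actually loads on the target system. Where `augenrules` is in use, the first file is regenerated from `rules.d`, so a rule found only there can disappear; where it is not in use, a rule found only under `rules.d` is presumably never loaded. Either way the check can report `ok` for a rule the kernel is not enforcing. I would add a comment above the two variables, e.g. `# FILES_TO_SEARCH: files where the rule may already live; FILE: file apply() writes to. Presence in a file does not prove the rule is loaded (compare with auditctl -l).` The same pair of assignments is added to every 4.1.x script in this diff.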
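Review bot: In the new inner loop of audit(), `IFS=$c_IFS` sits directly after `does_pattern_exist_in_file`, so the second file in `$FILES_TO_SEARCH` is checked with IFS set to newline rather than the default the first call ran under. The old code switched to `$d_IFS` before calling the helper, which suggests the helper depends on it, though its body is not visible here. Moving the assignment out of the loop, to just after `done` and before `if [ "$SEARCH_RES" = 0 ]; then`, keeps every call under `$d_IFS`. The apply() hunks and the other 4.1.x scripts in this diff repeat the same placement; audit() itself starts above this hunk.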
@@ -45,18 +53,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required diff --git a/bin/hardening/4.1.11_record_privileged_commands.sh b/bin/hardening/4.1.11_record_privileged_commands.sh index b571071..87dac9a 100755 --- a/bin/hardening/4.1.11_record_privileged_commands.sh +++ b/bin/hardening/4.1.11_record_privileged_commands.sh @@ -21,7 +21,8 @@ SUDO_CMD='sudo -n' # Find all files with setuid or setgid set AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }') -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { 
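Review bot: apply() in 4.1.10_record_failed_access_file.sh now appends the missing rule to `/etc/audit/rules.d/audit.rules` but still only runs `pkill -HUP -P 1 auditd`, which as far as I know makes auditd re-read its own configuration and does not compile or load rule files. Files under `rules.d` normally reach the kernel only through `augenrules --load` (or a service restart that runs it), so the rule may stay inactive while a later audit() run reports it as present. I would replace the reload line with `augenrules --load || warn "could not load audit rules"`, run once after the outer loop rather than once per rule. The `eval "$(...)"` wrapper around pkill also evaluates pkill's output as shell code and can be dropped. The same apply() change is repeated in the other 4.1.x scripts in this diff.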
@@ -30,14 +31,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS @@ -45,18 +53,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required 
diff --git a/bin/hardening/4.1.12_record_successful_mount.sh b/bin/hardening/4.1.12_record_successful_mount.sh index 6b84700..ca794dd 100755 --- a/bin/hardening/4.1.12_record_successful_mount.sh +++ b/bin/hardening/4.1.12_record_successful_mount.sh @@ -19,7 +19,8 @@ DESCRIPTION="Collect sucessfull file system mounts." AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { @@ -28,14 +29,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS 
@@ -43,18 +51,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required diff --git a/bin/hardening/4.1.13_record_file_deletions.sh b/bin/hardening/4.1.13_record_file_deletions.sh index 1807ce7..8bc7b1d 100755 --- a/bin/hardening/4.1.13_record_file_deletions.sh +++ b/bin/hardening/4.1.13_record_file_deletions.sh @@ -19,7 +19,8 @@ DESCRIPTION="Collects file deletion events by users." AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { 
@@ -28,14 +29,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS @@ -43,18 +51,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required 
diff --git a/bin/hardening/4.1.14_record_sudoers_edit.sh b/bin/hardening/4.1.14_record_sudoers_edit.sh index b7d4cb4..1e23023 100755 --- a/bin/hardening/4.1.14_record_sudoers_edit.sh +++ b/bin/hardening/4.1.14_record_sudoers_edit.sh @@ -19,7 +19,8 @@ DESCRIPTION="Collect changes to system administration scopre." AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers -w /etc/sudoers.d/ -p wa -k sudoers' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { @@ -28,14 +29,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS 
@@ -43,18 +51,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required diff --git a/bin/hardening/4.1.15_record_sudo_usage.sh b/bin/hardening/4.1.15_record_sudo_usage.sh index 4759268..0e325c5 100755 --- a/bin/hardening/4.1.15_record_sudo_usage.sh +++ b/bin/hardening/4.1.15_record_sudo_usage.sh @@ -18,7 +18,8 @@ HARDENING_LEVEL=4 DESCRIPTION="Collect system administration actions (sudolog)." AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { 
@@ -27,14 +28,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS @@ -42,18 +50,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required 
diff --git a/bin/hardening/4.1.16_record_kernel_modules.sh b/bin/hardening/4.1.16_record_kernel_modules.sh index 05eba6e..902aa61 100755 --- a/bin/hardening/4.1.16_record_kernel_modules.sh +++ b/bin/hardening/4.1.16_record_kernel_modules.sh @@ -21,7 +21,8 @@ AUDIT_PARAMS='-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { @@ -30,14 +31,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS 
@@ -45,18 +53,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required diff --git a/bin/hardening/4.1.17_freeze_auditd_conf.sh b/bin/hardening/4.1.17_freeze_auditd_conf.sh index cec9a57..c367d21 100755 --- a/bin/hardening/4.1.17_freeze_auditd_conf.sh +++ b/bin/hardening/4.1.17_freeze_auditd_conf.sh @@ -18,7 +18,8 @@ HARDENING_LEVEL=4 DESCRIPTION="Make the audit configuration immutable." AUDIT_PARAMS='-e 2' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { 
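Review bot: In 4.1.17_freeze_auditd_conf.sh the write target for `-e 2` becomes `/etc/audit/rules.d/audit.rules`, the same file every other 4.1.x script appends to, and apply() adds the flag at whatever is the end of that file when it runs. The immutable flag has to be the last thing loaded. Any rule a later run appends after it, or any rule in a `rules.d` file that sorts after `audit.rules`, would be rejected once the configuration is locked. Consider giving this script its own late-sorting target, such as a `99-finalize.rules` file under `/etc/audit/rules.d/`, and adding that path to `FILES_TO_SEARCH`.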
@@ -27,14 +28,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS @@ -42,18 +50,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required 
diff --git a/bin/hardening/4.1.3_record_date_time_edit.sh b/bin/hardening/4.1.3_record_date_time_edit.sh index e66fc50..2870eae 100755 --- a/bin/hardening/4.1.3_record_date_time_edit.sh +++ b/bin/hardening/4.1.3_record_date_time_edit.sh @@ -22,7 +22,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-cha -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { @@ -31,14 +32,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS 
@@ -46,18 +54,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required diff --git a/bin/hardening/4.1.4_record_user_group_edit.sh b/bin/hardening/4.1.4_record_user_group_edit.sh index 22adf8c..429c5f2 100755 --- a/bin/hardening/4.1.4_record_user_group_edit.sh +++ b/bin/hardening/4.1.4_record_user_group_edit.sh @@ -22,7 +22,8 @@ AUDIT_PARAMS='-w /etc/group -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { 
@@ -31,14 +32,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS @@ -46,18 +54,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required 
diff --git a/bin/hardening/4.1.5_record_network_edit.sh b/bin/hardening/4.1.5_record_network_edit.sh index 6a249f8..2f47aee 100755 --- a/bin/hardening/4.1.5_record_network_edit.sh +++ b/bin/hardening/4.1.5_record_network_edit.sh @@ -23,7 +23,8 @@ AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k syst -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { @@ -32,14 +33,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS 
@@ -47,18 +55,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required diff --git a/bin/hardening/4.1.6_record_mac_edit.sh b/bin/hardening/4.1.6_record_mac_edit.sh index bbddeb4..24c7076 100755 --- a/bin/hardening/4.1.6_record_mac_edit.sh +++ b/bin/hardening/4.1.6_record_mac_edit.sh @@ -18,7 +18,8 @@ HARDENING_LEVEL=4 DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)." AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { 
@@ -27,14 +28,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS @@ -42,18 +50,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required 
diff --git a/bin/hardening/4.1.7_record_login_logout.sh b/bin/hardening/4.1.7_record_login_logout.sh index 6a85605..687584f 100755 --- a/bin/hardening/4.1.7_record_login_logout.sh +++ b/bin/hardening/4.1.7_record_login_logout.sh @@ -20,7 +20,8 @@ DESCRIPTION="Collect login and logout events." AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { @@ -29,14 +30,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS 
@@ -44,18 +52,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required diff --git a/bin/hardening/4.1.8_record_session_init.sh b/bin/hardening/4.1.8_record_session_init.sh index 5e422ee..896d15c 100755 --- a/bin/hardening/4.1.8_record_session_init.sh +++ b/bin/hardening/4.1.8_record_session_init.sh @@ -20,7 +20,8 @@ DESCRIPTION="Collec sessions initiation information." AUDIT_PARAMS='-w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { 
@@ -29,14 +30,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS @@ -44,18 +52,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required 
diff --git a/bin/hardening/4.1.9_record_dac_edit.sh b/bin/hardening/4.1.9_record_dac_edit.sh index 4a38419..475b287 100755 --- a/bin/hardening/4.1.9_record_dac_edit.sh +++ b/bin/hardening/4.1.9_record_dac_edit.sh @@ -23,7 +23,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' -FILE='/etc/audit/audit.rules' +FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules' +FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode audit() { @@ -32,14 +33,21 @@ audit() { c_IFS=$'\n' IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" IFS=$d_IFS - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - IFS=$c_IFS - if [ "$FNRET" != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH" fi done IFS=$d_IFS 
@@ -47,18 +55,31 @@ audit() { # This function will be called if the script status is on enabled mode apply() { - IFS=$'\n' + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS for AUDIT_VALUE in $AUDIT_PARAMS; do - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE" - if [ "$FNRET" != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" + debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH" + IFS=$d_IFS + SEARCH_RES=0 + for FILE_SEARCHED in $FILES_TO_SEARCH; do + does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE" + IFS=$c_IFS + if [ "$FNRET" != 0 ]; then + debug "$AUDIT_VALUE is not in file $FILE_SEARCHED" + else + ok "$AUDIT_VALUE is present in $FILE_SEARCHED" + SEARCH_RES=1 + fi + done + if [ "$SEARCH_RES" = 0 ]; then + warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE" add_end_of_file "$FILE" "$AUDIT_VALUE" eval "$(pkill -HUP -P 1 auditd)" - else - ok "$AUDIT_VALUE is present in $FILE" fi done + IFS=$d_IFS } # This function will check config parameters required diff --git a/tests/hardening/4.1.10_record_failed_access_file.sh b/tests/hardening/4.1.10_record_failed_access_file.sh index 39aea0b..75adaaf 100644 --- a/tests/hardening/4.1.10_record_failed_access_file.sh +++ b/tests/hardening/4.1.10_record_failed_access_file.sh 
@@ -13,10 +13,10 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } 
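Review bot: The updated expectations only cover a rule found in /etc/audit/rules.d/audit.rules, so the other branch this commit adds, a rule that exists only in the legacy /etc/audit/audit.rules, is not exercised by anything visible in this hunk. A case that seeds one rule in the legacy file alone and expects `is present in /etc/audit/audit.rules` with return value 0 would pin the multi-file search. A companion case could assert that the rule is not appended to rules.d a second time on apply. The rest of test_audit lies outside the hunk, so such a case may already exist there. The test hunks for 4.1.3 through 4.1.17 that follow make the same one-path substitution.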
diff --git a/tests/hardening/4.1.12_record_successful_mount.sh b/tests/hardening/4.1.12_record_successful_mount.sh index 246e400..60fb561 100644 --- a/tests/hardening/4.1.12_record_successful_mount.sh +++ b/tests/hardening/4.1.12_record_successful_mount.sh @@ -13,7 +13,7 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.13_record_file_deletions.sh b/tests/hardening/4.1.13_record_file_deletions.sh index 089d35e..0d0abde 100644 --- a/tests/hardening/4.1.13_record_file_deletions.sh +++ b/tests/hardening/4.1.13_record_file_deletions.sh 
@@ -13,7 +13,7 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.14_record_sudoers_edit.sh b/tests/hardening/4.1.14_record_sudoers_edit.sh index 7cd8c4c..6507a58 100644 --- a/tests/hardening/4.1.14_record_sudoers_edit.sh +++ b/tests/hardening/4.1.14_record_sudoers_edit.sh @@ -13,7 +13,7 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.15_record_sudo_usage.sh b/tests/hardening/4.1.15_record_sudo_usage.sh index 0c17e0f..5846675 100644 --- a/tests/hardening/4.1.15_record_sudo_usage.sh 
+++ b/tests/hardening/4.1.15_record_sudo_usage.sh @@ -13,6 +13,6 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.16_record_kernel_modules.sh b/tests/hardening/4.1.16_record_kernel_modules.sh index d2522a4..d8fdd8b 100644 --- a/tests/hardening/4.1.16_record_kernel_modules.sh +++ b/tests/hardening/4.1.16_record_kernel_modules.sh @@ -13,8 +13,8 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.17_freeze_auditd_conf.sh b/tests/hardening/4.1.17_freeze_auditd_conf.sh index 6b4c17f..037dcc6 100644 --- a/tests/hardening/4.1.17_freeze_auditd_conf.sh +++ b/tests/hardening/4.1.17_freeze_auditd_conf.sh 
@@ -13,6 +13,6 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -e 2 is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -e 2 is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.3_record_date_time_edit.sh b/tests/hardening/4.1.3_record_date_time_edit.sh index 2ada4f6..9f197a3 100644 --- a/tests/hardening/4.1.3_record_date_time_edit.sh +++ b/tests/hardening/4.1.3_record_date_time_edit.sh 
@@ -13,10 +13,10 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b64 -S clock_settime -k time-change is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b32 -S clock_settime -k time-change is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/localtime -p wa -k time-change is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b64 -S clock_settime -k time-change is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b32 -S clock_settime -k time-change is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /etc/localtime -p wa -k time-change is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.4_record_user_group_edit.sh b/tests/hardening/4.1.4_record_user_group_edit.sh index 08e699a..a3d95e1 100644 --- a/tests/hardening/4.1.4_record_user_group_edit.sh +++ b/tests/hardening/4.1.4_record_user_group_edit.sh 
@@ -13,10 +13,10 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.5_record_network_edit.sh b/tests/hardening/4.1.5_record_network_edit.sh index 68bb326..87a9bb8 100644 --- a/tests/hardening/4.1.5_record_network_edit.sh +++ b/tests/hardening/4.1.5_record_network_edit.sh 
@@ -13,12 +13,12 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/issue -p wa -k system-locale is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/issue.net -p wa -k system-locale is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/hosts -p wa -k system-locale is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /etc/network -p wa -k system-locale is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /etc/issue -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /etc/issue.net -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /etc/hosts -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /etc/network -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.6_record_mac_edit.sh b/tests/hardening/4.1.6_record_mac_edit.sh index b0c0236..fad193f 100644 --- a/tests/hardening/4.1.6_record_mac_edit.sh +++ b/tests/hardening/4.1.6_record_mac_edit.sh 
@@ -13,6 +13,6 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.7_record_login_logout.sh b/tests/hardening/4.1.7_record_login_logout.sh index f13729f..66def85 100644 --- a/tests/hardening/4.1.7_record_login_logout.sh +++ b/tests/hardening/4.1.7_record_login_logout.sh @@ -13,8 +13,8 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -w /var/log/faillog -p wa -k logins is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /var/log/lastlog -p wa -k logins is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /var/log/tallylog -p wa -k logins is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -w /var/log/faillog -p wa -k logins is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /var/log/lastlog -p wa -k logins is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /var/log/tallylog -p wa -k logins is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.8_record_session_init.sh b/tests/hardening/4.1.8_record_session_init.sh index 2240abf..5526bea 100644 --- a/tests/hardening/4.1.8_record_session_init.sh +++ b/tests/hardening/4.1.8_record_session_init.sh 
@@ -13,8 +13,8 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -w /var/run/utmp -p wa -k session is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /var/log/wtmp -p wa -k session is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -w /var/log/btmp -p wa -k session is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -w /var/run/utmp -p wa -k session is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /var/log/wtmp -p wa -k session is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -w /var/log/btmp -p wa -k session is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all } diff --git a/tests/hardening/4.1.9_record_dac_edit.sh b/tests/hardening/4.1.9_record_dac_edit.sh index af5baf0..c2362a4 100644 --- a/tests/hardening/4.1.9_record_dac_edit.sh +++ b/tests/hardening/4.1.9_record_dac_edit.sh 
@@ -13,11 +13,11 @@ test_audit() { describe Checking resolved state register_test retvalshouldbe 0 - register_test contain "[ OK ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" - register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in 
/etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules" + register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules" run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all }