fix: change auditd file rule remediation (#179)

Fixes #165
2025-06-24 03:24:34 +02:00 · 2023-05-05 12:32:22 +02:00
parent f28ffc244c
commit bd27cd0dae
29 changed files with 584 additions and 269 deletions
--- a/bin/hardening/4.1.11_record_privileged_commands.sh
+++ b/bin/hardening/4.1.11_record_privileged_commands.sh
@ -21,7 +21,8 @@ SUDO_CMD='sudo -n'
 # Find all files with setuid or setgid set
 AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
    awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
-FILE='/etc/audit/audit.rules'
+FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
+FILE='/etc/audit/rules.d/audit.rules'

 # This function will be called if the script status is on enabled / audit mode
 audit() {
@ -30,14 +31,21 @@ audit() {
    c_IFS=$'\n'
    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
        IFS=$d_IFS
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
-        IFS=$c_IFS
-        if [ "$FNRET" != 0 ]; then
-            crit "$AUDIT_VALUE is not in file $FILE"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
+            if [ "$FNRET" != 0 ]; then
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
+            else
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
        fi
    done
    IFS=$d_IFS
@ -45,18 +53,31 @@ audit() {

 # This function will be called if the script status is on enabled mode
 apply() {
-    IFS=$'\n'
+    # define custom IFS and save default one
+    d_IFS=$IFS
+    c_IFS=$'\n'
+    IFS=$c_IFS
    for AUDIT_VALUE in $AUDIT_PARAMS; do
-        debug "$AUDIT_VALUE should be in file $FILE"
-        does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
-        if [ "$FNRET" != 0 ]; then
-            warn "$AUDIT_VALUE is not in file $FILE, adding it"
+        debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
+        IFS=$d_IFS
+        SEARCH_RES=0
+        for FILE_SEARCHED in $FILES_TO_SEARCH; do
+            does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
+            IFS=$c_IFS
+            if [ "$FNRET" != 0 ]; then
+                debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
+            else
+                ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
+                SEARCH_RES=1
+            fi
+        done
+        if [ "$SEARCH_RES" = 0 ]; then
+            warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
            add_end_of_file "$FILE" "$AUDIT_VALUE"
            eval "$(pkill -HUP -P 1 auditd)"
-        else
-            ok "$AUDIT_VALUE is present in $FILE"
        fi
    done
+    IFS=$d_IFS
 }

 # This function will check config parameters required