fix: change auditd file rule remediation (#179)

Fixes #165
This commit is contained in:
GoldenKiwi
2023-05-05 12:32:22 +02:00
committed by GitHub
parent f28ffc244c
commit bd27cd0dae
29 changed files with 584 additions and 269 deletions

View File

@ -18,7 +18,8 @@ HARDENING_LEVEL=4
DESCRIPTION="Make the audit configuration immutable."
AUDIT_PARAMS='-e 2'
FILE='/etc/audit/audit.rules'
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
FILE='/etc/audit/rules.d/audit.rules'
# This function will be called if the script status is on enabled / audit mode
audit() {
@ -27,14 +28,21 @@ audit() {
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
crit "$AUDIT_VALUE is not in file $FILE"
else
ok "$AUDIT_VALUE is present in $FILE"
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
fi
done
IFS=$d_IFS
@ -42,18 +50,31 @@ audit() {
# This function will be called if the script status is on enabled mode
apply() {
IFS=$'\n'
# define custom IFS and save default one
d_IFS=$IFS
c_IFS=$'\n'
IFS=$c_IFS
for AUDIT_VALUE in $AUDIT_PARAMS; do
debug "$AUDIT_VALUE should be in file $FILE"
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
if [ "$FNRET" != 0 ]; then
warn "$AUDIT_VALUE is not in file $FILE, adding it"
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
IFS=$d_IFS
SEARCH_RES=0
for FILE_SEARCHED in $FILES_TO_SEARCH; do
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
IFS=$c_IFS
if [ "$FNRET" != 0 ]; then
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
else
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
SEARCH_RES=1
fi
done
if [ "$SEARCH_RES" = 0 ]; then
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
add_end_of_file "$FILE" "$AUDIT_VALUE"
eval "$(pkill -HUP -P 1 auditd)"
else
ok "$AUDIT_VALUE is present in $FILE"
fi
done
IFS=$d_IFS
}
# This function will check config parameters required