mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-24 22:41:24 +01:00
parent
f28ffc244c
commit
bd27cd0dae
@ -21,7 +21,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate
|
|||||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
|
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -30,14 +31,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -45,18 +53,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -21,7 +21,8 @@ SUDO_CMD='sudo -n'
|
|||||||
# Find all files with setuid or setgid set
|
# Find all files with setuid or setgid set
|
||||||
AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
|
AUDIT_PARAMS=$($SUDO_CMD find / -xdev -ignore_readdir_race \( -perm -4000 -o -perm -2000 \) -type f |
|
||||||
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
|
awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }')
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -30,14 +31,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -45,18 +53,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -19,7 +19,8 @@ DESCRIPTION="Collect sucessfull file system mounts."
|
|||||||
|
|
||||||
AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
|
AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
|
||||||
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
|
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -28,14 +29,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -43,18 +51,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -19,7 +19,8 @@ DESCRIPTION="Collects file deletion events by users."
|
|||||||
|
|
||||||
AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
|
AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
|
||||||
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
|
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -28,14 +29,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -43,18 +51,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -19,7 +19,8 @@ DESCRIPTION="Collect changes to system administration scopre."
|
|||||||
|
|
||||||
AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
|
AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers
|
||||||
-w /etc/sudoers.d/ -p wa -k sudoers'
|
-w /etc/sudoers.d/ -p wa -k sudoers'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -28,14 +29,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -43,18 +51,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -18,7 +18,8 @@ HARDENING_LEVEL=4
|
|||||||
DESCRIPTION="Collect system administration actions (sudolog)."
|
DESCRIPTION="Collect system administration actions (sudolog)."
|
||||||
|
|
||||||
AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
|
AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -27,14 +28,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -42,18 +50,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -21,7 +21,8 @@ AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
|
|||||||
-w /sbin/rmmod -p x -k modules
|
-w /sbin/rmmod -p x -k modules
|
||||||
-w /sbin/modprobe -p x -k modules
|
-w /sbin/modprobe -p x -k modules
|
||||||
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
|
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -30,14 +31,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -45,18 +53,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -18,7 +18,8 @@ HARDENING_LEVEL=4
|
|||||||
DESCRIPTION="Make the audit configuration immutable."
|
DESCRIPTION="Make the audit configuration immutable."
|
||||||
|
|
||||||
AUDIT_PARAMS='-e 2'
|
AUDIT_PARAMS='-e 2'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -27,14 +28,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -42,18 +50,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -22,7 +22,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-cha
|
|||||||
-a always,exit -F arch=b64 -S clock_settime -k time-change
|
-a always,exit -F arch=b64 -S clock_settime -k time-change
|
||||||
-a always,exit -F arch=b32 -S clock_settime -k time-change
|
-a always,exit -F arch=b32 -S clock_settime -k time-change
|
||||||
-w /etc/localtime -p wa -k time-change'
|
-w /etc/localtime -p wa -k time-change'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -31,14 +32,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -46,18 +54,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -22,7 +22,8 @@ AUDIT_PARAMS='-w /etc/group -p wa -k identity
|
|||||||
-w /etc/gshadow -p wa -k identity
|
-w /etc/gshadow -p wa -k identity
|
||||||
-w /etc/shadow -p wa -k identity
|
-w /etc/shadow -p wa -k identity
|
||||||
-w /etc/security/opasswd -p wa -k identity'
|
-w /etc/security/opasswd -p wa -k identity'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -31,14 +32,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -46,18 +54,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -23,7 +23,8 @@ AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k syst
|
|||||||
-w /etc/issue.net -p wa -k system-locale
|
-w /etc/issue.net -p wa -k system-locale
|
||||||
-w /etc/hosts -p wa -k system-locale
|
-w /etc/hosts -p wa -k system-locale
|
||||||
-w /etc/network -p wa -k system-locale'
|
-w /etc/network -p wa -k system-locale'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -32,14 +33,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -47,18 +55,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -18,7 +18,8 @@ HARDENING_LEVEL=4
|
|||||||
DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
|
DESCRIPTION="Record events that modify the system's mandatory access controls (MAC)."
|
||||||
|
|
||||||
AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
|
AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -27,14 +28,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -42,18 +50,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -20,7 +20,8 @@ DESCRIPTION="Collect login and logout events."
|
|||||||
AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
|
AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins
|
||||||
-w /var/log/lastlog -p wa -k logins
|
-w /var/log/lastlog -p wa -k logins
|
||||||
-w /var/log/tallylog -p wa -k logins'
|
-w /var/log/tallylog -p wa -k logins'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -29,14 +30,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -44,18 +52,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -20,7 +20,8 @@ DESCRIPTION="Collec sessions initiation information."
|
|||||||
AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
|
AUDIT_PARAMS='-w /var/run/utmp -p wa -k session
|
||||||
-w /var/log/wtmp -p wa -k session
|
-w /var/log/wtmp -p wa -k session
|
||||||
-w /var/log/btmp -p wa -k session'
|
-w /var/log/btmp -p wa -k session'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -29,14 +30,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -44,18 +52,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -23,7 +23,8 @@ AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>
|
|||||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||||
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
|
||||||
FILE='/etc/audit/audit.rules'
|
FILES_TO_SEARCH='/etc/audit/audit.rules /etc/audit/rules.d/audit.rules'
|
||||||
|
FILE='/etc/audit/rules.d/audit.rules'
|
||||||
|
|
||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit() {
|
audit() {
|
||||||
@ -32,14 +33,21 @@ audit() {
|
|||||||
c_IFS=$'\n'
|
c_IFS=$'\n'
|
||||||
IFS=$c_IFS
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
SEARCH_RES=0
|
||||||
IFS=$c_IFS
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
if [ "$FNRET" != 0 ]; then
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
crit "$AUDIT_VALUE is not in file $FILE"
|
IFS=$c_IFS
|
||||||
else
|
if [ "$FNRET" != 0 ]; then
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
crit "$AUDIT_VALUE is not present in $FILES_TO_SEARCH"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
IFS=$d_IFS
|
IFS=$d_IFS
|
||||||
@ -47,18 +55,31 @@ audit() {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply() {
|
apply() {
|
||||||
IFS=$'\n'
|
# define custom IFS and save default one
|
||||||
|
d_IFS=$IFS
|
||||||
|
c_IFS=$'\n'
|
||||||
|
IFS=$c_IFS
|
||||||
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
for AUDIT_VALUE in $AUDIT_PARAMS; do
|
||||||
debug "$AUDIT_VALUE should be in file $FILE"
|
debug "$AUDIT_VALUE should be in file $FILES_TO_SEARCH"
|
||||||
does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"
|
IFS=$d_IFS
|
||||||
if [ "$FNRET" != 0 ]; then
|
SEARCH_RES=0
|
||||||
warn "$AUDIT_VALUE is not in file $FILE, adding it"
|
for FILE_SEARCHED in $FILES_TO_SEARCH; do
|
||||||
|
does_pattern_exist_in_file "$FILE_SEARCHED" "$AUDIT_VALUE"
|
||||||
|
IFS=$c_IFS
|
||||||
|
if [ "$FNRET" != 0 ]; then
|
||||||
|
debug "$AUDIT_VALUE is not in file $FILE_SEARCHED"
|
||||||
|
else
|
||||||
|
ok "$AUDIT_VALUE is present in $FILE_SEARCHED"
|
||||||
|
SEARCH_RES=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ "$SEARCH_RES" = 0 ]; then
|
||||||
|
warn "$AUDIT_VALUE is not present in $FILES_TO_SEARCH, adding it to $FILE"
|
||||||
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
add_end_of_file "$FILE" "$AUDIT_VALUE"
|
||||||
eval "$(pkill -HUP -P 1 auditd)"
|
eval "$(pkill -HUP -P 1 auditd)"
|
||||||
else
|
|
||||||
ok "$AUDIT_VALUE is present in $FILE"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
IFS=$d_IFS
|
||||||
}
|
}
|
||||||
|
|
||||||
# This function will check config parameters required
|
# This function will check config parameters required
|
||||||
|
@ -13,10 +13,10 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access is present in /etc/audit/rules.d/audit.rules"
|
||||||
|
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,7 +13,7 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,7 +13,7 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,7 +13,7 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/sudoers -p wa -k sudoers is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/sudoers.d/ -p wa -k sudoers is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,6 +13,6 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /var/log/auth.log -p wa -k sudoaction is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,8 +13,8 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /sbin/rmmod -p x -k modules is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /sbin/modprobe -p x -k modules is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b64 -S init_module -S delete_module -k modules is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,6 +13,6 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -e 2 is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -e 2 is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,10 +13,10 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b64 -S clock_settime -k time-change is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b64 -S clock_settime -k time-change is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b32 -S clock_settime -k time-change is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b32 -S clock_settime -k time-change is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /etc/localtime -p wa -k time-change is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/localtime -p wa -k time-change is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,10 +13,10 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/group -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/passwd -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/gshadow -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/shadow -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/security/opasswd -p wa -k identity is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,12 +13,12 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /etc/issue -p wa -k system-locale is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/issue -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /etc/issue.net -p wa -k system-locale is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/issue.net -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /etc/hosts -p wa -k system-locale is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/hosts -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /etc/network -p wa -k system-locale is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/network -p wa -k system-locale is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -13,6 +13,6 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /etc/selinux/ -p wa -k MAC-policy is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,8 +13,8 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -w /var/log/faillog -p wa -k logins is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /var/log/faillog -p wa -k logins is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /var/log/lastlog -p wa -k logins is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /var/log/lastlog -p wa -k logins is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /var/log/tallylog -p wa -k logins is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /var/log/tallylog -p wa -k logins is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,8 +13,8 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -w /var/run/utmp -p wa -k session is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /var/run/utmp -p wa -k session is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /var/log/wtmp -p wa -k session is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /var/log/wtmp -p wa -k session is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -w /var/log/btmp -p wa -k session is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -w /var/log/btmp -p wa -k session is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
@ -13,11 +13,11 @@ test_audit() {
|
|||||||
|
|
||||||
describe Checking resolved state
|
describe Checking resolved state
|
||||||
register_test retvalshouldbe 0
|
register_test retvalshouldbe 0
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
|
||||||
register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/audit.rules"
|
register_test contain "[ OK ] -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod is present in /etc/audit/rules.d/audit.rules"
|
||||||
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user