freedombone/tests/check-auditd.sh

#!/bin/bash

case $1 in
        space_left_action)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
                if [ $? -eq 0 ];then
                        ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
                        if [ "${ACTION,,}" != "email" ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        num_logs)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
                if [ $? -eq 0 ];then
                        if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}') -$2 $3 ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        max_log_file)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1=)
                if [ $? -eq 0 ];then
                        if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1= | awk -F '=' '{print $2}') -$2 $3 ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        max_log_file_action)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
                if [ $? -eq 0 ];then
                        ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
                        if [ "${ACTION,,}" != "rotate" ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        admin_space_left_action)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
                if [ $? -eq 0 ];then
                        ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
                        if [ "${ACTION,,}" != "single" ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        account)
                if ! auditctl -l | grep "/etc/passwd" ;then
                        exit 1
                elif ! auditctl -l | grep "/etc/shadow";then
                        exit 1
                elif ! auditctl -l | grep "/etc/group";then
                        exit 1
                elif ! auditctl -l | grep "/etc/gshadow";then
                        exit 1
                elif ! auditctl -l | grep "/etc/security/opasswd";then
                        exit 1
                fi
        ;;
        network)
                if ! auditctl -l | grep "sethostname" ;then
                        exit 1
                elif ! auditctl -l | grep "setdomainname";then
                        exit 1
                elif ! auditctl -l | grep "/etc/issue.net";then
                        exit 1
                elif ! auditctl -l | grep "/etc/hosts";then
                        exit 1
                elif ! auditctl -l | grep "/etc/sysconfig";then
                        exit 1
                elif ! auditctl -l | grep "network";then
                        exit 1
                fi
        ;;
        apparmor-config)
                if ! auditctl -l | grep "/etc/apparmor/" ;then
                        exit 1
                elif ! auditctl -l | grep "/etc/apparmor.d/";then
                        exit 1
                fi
        ;;
        failed-access-files-programs)
                if ! auditctl -l | grep "EACCES" ;then
                        exit 1
                elif ! auditctl -l | grep "EPERM";then
                        exit 1
                fi
        ;;
        setuid-setgid)
                find / -xdev -type f -perm /6000 2>/dev/null | while read line;do
                        if ! auditctl -l | grep "$line" ;then
                                exit 1
                        fi
                done
        ;;
        deletions)
                if ! auditctl -l | grep "rmdir" ;then
                        exit 1
                elif ! auditctl -l | grep "unlink";then
                        exit 1
                elif ! auditctl -l | grep "unlinkat";then
                        exit 1
                elif ! auditctl -l | grep "rename";then
                        exit 1
                elif ! auditctl -l | grep "renameat";then
                        exit 1
                fi
        ;;
        kernel-modules)
                if ! auditctl -l | egrep -e "(-w |-F path=)/sbin/insmod";then
                        exit 1
                elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/rmmod";then
                        exit 1
                elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/modprobe";then
                        exit 1
                elif ! auditctl -l | grep -w "init_module";then
                        exit 1
                elif ! auditctl -l | grep -w "delete_module";then
                        exit 1
                fi
        ;;
        action_mail_acct)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
                if [ $? -eq 0 ];then
                        ACCOUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
                        if [ "${ACCOUNT,,}" != "root" ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        disk_full_action)
                if grep -i "disk_full_action.*ignore\|disk_full_action.*suspend" /etc/audit/auditd.conf;then
                        exit 1
                fi
        ;;
        disk_error_action)
                if grep -i "disk_error_action.*ignore\|disk_error_action.*suspend" /etc/audit/auditd.conf;then
                        exit 1
                fi
        ;;
esac
Security Technical Implementation Guide tests based upon RHEL/hardenedlinux 2016-11-29 13:37:48 +01:00			`#!/bin/bash`

			`case $1 in`
			`space_left_action)`
			`EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1)`
			`if [ $? -eq 0 ];then`
			`ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1 \| awk -F '=' '{print $2}')`
			`if [ "${ACTION,,}" != "email" ];then`
			`exit 1`
			`fi`
			`else`
			`exit 1`
			`fi`
			`;;`
			`num_logs)`
			`EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1)`
			`if [ $? -eq 0 ];then`
			`if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1 \| awk -F '=' '{print $2}') -$2 $3 ];then`
			`exit 1`
			`fi`
			`else`
			`exit 1`
			`fi`
			`;;`
			`max_log_file)`
			`EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1=)`
			`if [ $? -eq 0 ];then`
			`if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1= \| awk -F '=' '{print $2}') -$2 $3 ];then`
			`exit 1`
			`fi`
			`else`
			`exit 1`
			`fi`
			`;;`
			`max_log_file_action)`
			`EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1)`
			`if [ $? -eq 0 ];then`
			`ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1 \| awk -F '=' '{print $2}')`
			`if [ "${ACTION,,}" != "rotate" ];then`
			`exit 1`
			`fi`
			`else`
			`exit 1`
			`fi`
			`;;`
			`admin_space_left_action)`
			`EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1)`
			`if [ $? -eq 0 ];then`
			`ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1 \| awk -F '=' '{print $2}')`
			`if [ "${ACTION,,}" != "single" ];then`
			`exit 1`
			`fi`
			`else`
			`exit 1`
			`fi`
			`;;`
			`account)`
			`if ! auditctl -l \| grep "/etc/passwd" ;then`
			`exit 1`
			`elif ! auditctl -l \| grep "/etc/shadow";then`
			`exit 1`
			`elif ! auditctl -l \| grep "/etc/group";then`
			`exit 1`
			`elif ! auditctl -l \| grep "/etc/gshadow";then`
			`exit 1`
			`elif ! auditctl -l \| grep "/etc/security/opasswd";then`
			`exit 1`
			`fi`
			`;;`
			`network)`
			`if ! auditctl -l \| grep "sethostname" ;then`
			`exit 1`
			`elif ! auditctl -l \| grep "setdomainname";then`
			`exit 1`
			`elif ! auditctl -l \| grep "/etc/issue.net";then`
			`exit 1`
			`elif ! auditctl -l \| grep "/etc/hosts";then`
			`exit 1`
			`elif ! auditctl -l \| grep "/etc/sysconfig";then`
			`exit 1`
			`elif ! auditctl -l \| grep "network";then`
			`exit 1`
			`fi`
			`;;`
			`apparmor-config)`
			`if ! auditctl -l \| grep "/etc/apparmor/" ;then`
			`exit 1`
			`elif ! auditctl -l \| grep "/etc/apparmor.d/";then`
			`exit 1`
			`fi`
			`;;`
			`failed-access-files-programs)`
			`if ! auditctl -l \| grep "EACCES" ;then`
			`exit 1`
			`elif ! auditctl -l \| grep "EPERM";then`
			`exit 1`
			`fi`
			`;;`
			`setuid-setgid)`
			`find / -xdev -type f -perm /6000 2>/dev/null \| while read line;do`
			`if ! auditctl -l \| grep "$line" ;then`
			`exit 1`
			`fi`
			`done`
			`;;`
			`deletions)`
			`if ! auditctl -l \| grep "rmdir" ;then`
			`exit 1`
			`elif ! auditctl -l \| grep "unlink";then`
			`exit 1`
			`elif ! auditctl -l \| grep "unlinkat";then`
			`exit 1`
			`elif ! auditctl -l \| grep "rename";then`
			`exit 1`
			`elif ! auditctl -l \| grep "renameat";then`
			`exit 1`
			`fi`
			`;;`
			`kernel-modules)`
			`if ! auditctl -l \| egrep -e "(-w \|-F path=)/sbin/insmod";then`
			`exit 1`
			`elif ! auditctl -l \| egrep -e "(-w \|-F path=)/sbin/rmmod";then`
			`exit 1`
			`elif ! auditctl -l \| egrep -e "(-w \|-F path=)/sbin/modprobe";then`
			`exit 1`
			`elif ! auditctl -l \| grep -w "init_module";then`
			`exit 1`
			`elif ! auditctl -l \| grep -w "delete_module";then`
			`exit 1`
			`fi`
			`;;`
			`action_mail_acct)`
			`EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1)`
			`if [ $? -eq 0 ];then`
			`ACCOUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]#/d' -e 's/#.$//' -e '/^$/d' /etc/audit/auditd.conf \| sed -e 's/\ //'g \| grep $1 \| awk -F '=' '{print $2}')`
			`if [ "${ACCOUNT,,}" != "root" ];then`
			`exit 1`
			`fi`
			`else`
			`exit 1`
			`fi`
			`;;`
			`disk_full_action)`
			`if grep -i "disk_full_action.ignore\\|disk_full_action.suspend" /etc/audit/auditd.conf;then`
			`exit 1`
			`fi`
			`;;`
			`disk_error_action)`
			`if grep -i "disk_error_action.ignore\\|disk_error_action.suspend" /etc/audit/auditd.conf;then`
			`exit 1`
			`fi`
			`;;`
			`esac`