freedombone/tests/check-auditd.sh

154 lines
6.6 KiB
Bash
Raw Normal View History

#!/bin/bash
case $1 in
space_left_action)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
if [ $? -eq 0 ];then
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
if [ "${ACTION,,}" != "email" ];then
exit 1
fi
else
exit 1
fi
;;
num_logs)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
if [ $? -eq 0 ];then
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}') -$2 $3 ];then
exit 1
fi
else
exit 1
fi
;;
max_log_file)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1=)
if [ $? -eq 0 ];then
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1= | awk -F '=' '{print $2}') -$2 $3 ];then
exit 1
fi
else
exit 1
fi
;;
max_log_file_action)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
if [ $? -eq 0 ];then
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
if [ "${ACTION,,}" != "rotate" ];then
exit 1
fi
else
exit 1
fi
;;
admin_space_left_action)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
if [ $? -eq 0 ];then
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
if [ "${ACTION,,}" != "single" ];then
exit 1
fi
else
exit 1
fi
;;
account)
if ! auditctl -l | grep "/etc/passwd" ;then
exit 1
elif ! auditctl -l | grep "/etc/shadow";then
exit 1
elif ! auditctl -l | grep "/etc/group";then
exit 1
elif ! auditctl -l | grep "/etc/gshadow";then
exit 1
elif ! auditctl -l | grep "/etc/security/opasswd";then
exit 1
fi
;;
network)
if ! auditctl -l | grep "sethostname" ;then
exit 1
elif ! auditctl -l | grep "setdomainname";then
exit 1
elif ! auditctl -l | grep "/etc/issue.net";then
exit 1
elif ! auditctl -l | grep "/etc/hosts";then
exit 1
elif ! auditctl -l | grep "/etc/sysconfig";then
exit 1
elif ! auditctl -l | grep "network";then
exit 1
fi
;;
apparmor-config)
if ! auditctl -l | grep "/etc/apparmor/" ;then
exit 1
elif ! auditctl -l | grep "/etc/apparmor.d/";then
exit 1
fi
;;
failed-access-files-programs)
if ! auditctl -l | grep "EACCES" ;then
exit 1
elif ! auditctl -l | grep "EPERM";then
exit 1
fi
;;
setuid-setgid)
find / -xdev -type f -perm /6000 2>/dev/null | while read line;do
if ! auditctl -l | grep "$line" ;then
exit 1
fi
done
;;
deletions)
if ! auditctl -l | grep "rmdir" ;then
exit 1
elif ! auditctl -l | grep "unlink";then
exit 1
elif ! auditctl -l | grep "unlinkat";then
exit 1
elif ! auditctl -l | grep "rename";then
exit 1
elif ! auditctl -l | grep "renameat";then
exit 1
fi
;;
kernel-modules)
if ! auditctl -l | egrep -e "(-w |-F path=)/sbin/insmod";then
exit 1
elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/rmmod";then
exit 1
elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/modprobe";then
exit 1
elif ! auditctl -l | grep -w "init_module";then
exit 1
elif ! auditctl -l | grep -w "delete_module";then
exit 1
fi
;;
action_mail_acct)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
if [ $? -eq 0 ];then
ACCOUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
if [ "${ACCOUNT,,}" != "root" ];then
exit 1
fi
else
exit 1
fi
;;
disk_full_action)
if grep -i "disk_full_action.*ignore\|disk_full_action.*suspend" /etc/audit/auditd.conf;then
exit 1
fi
;;
disk_error_action)
if grep -i "disk_error_action.*ignore\|disk_error_action.*suspend" /etc/audit/auditd.conf;then
exit 1
fi
;;
esac