#!/bin/bash

case $1 in
        space_left_action)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
                if [ $? -eq 0 ];then
                        ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
                        if [ "${ACTION,,}" != "email" ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        num_logs)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
                if [ $? -eq 0 ];then
                        if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}') -$2 $3 ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        max_log_file)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1=)
                if [ $? -eq 0 ];then
                        if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1= | awk -F '=' '{print $2}') -$2 $3 ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        max_log_file_action)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
                if [ $? -eq 0 ];then
                        ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
                        if [ "${ACTION,,}" != "rotate" ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        admin_space_left_action)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
                if [ $? -eq 0 ];then
                        ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
                        if [ "${ACTION,,}" != "single" ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        account)
                if ! auditctl -l | grep "/etc/passwd" ;then
                        exit 1
                elif ! auditctl -l | grep "/etc/shadow";then
                        exit 1
                elif ! auditctl -l | grep "/etc/group";then
                        exit 1
                elif ! auditctl -l | grep "/etc/gshadow";then
                        exit 1
                elif ! auditctl -l | grep "/etc/security/opasswd";then
                        exit 1
                fi
        ;;
        network)
                if ! auditctl -l | grep "sethostname" ;then
                        exit 1
                elif ! auditctl -l | grep "setdomainname";then
                        exit 1
                elif ! auditctl -l | grep "/etc/issue.net";then
                        exit 1
                elif ! auditctl -l | grep "/etc/hosts";then
                        exit 1
                elif ! auditctl -l | grep "/etc/sysconfig";then
                        exit 1
                elif ! auditctl -l | grep "network";then
                        exit 1
                fi
        ;;
        apparmor-config)
                if ! auditctl -l | grep "/etc/apparmor/" ;then
                        exit 1
                elif ! auditctl -l | grep "/etc/apparmor.d/";then
                        exit 1
                fi
        ;;
        failed-access-files-programs)
                if ! auditctl -l | grep "EACCES" ;then
                        exit 1
                elif ! auditctl -l | grep "EPERM";then
                        exit 1
                fi
        ;;
        setuid-setgid)
                find / -xdev -type f -perm /6000 2>/dev/null | while read line;do
                        if ! auditctl -l | grep "$line" ;then
                                exit 1
                        fi
                done
        ;;
        deletions)
                if ! auditctl -l | grep "rmdir" ;then
                        exit 1
                elif ! auditctl -l | grep "unlink";then
                        exit 1
                elif ! auditctl -l | grep "unlinkat";then
                        exit 1
                elif ! auditctl -l | grep "rename";then
                        exit 1
                elif ! auditctl -l | grep "renameat";then
                        exit 1
                fi
        ;;
        kernel-modules)
                if ! auditctl -l | egrep -e "(-w |-F path=)/sbin/insmod";then
                        exit 1
                elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/rmmod";then
                        exit 1
                elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/modprobe";then
                        exit 1
                elif ! auditctl -l | grep -w "init_module";then
                        exit 1
                elif ! auditctl -l | grep -w "delete_module";then
                        exit 1
                fi
        ;;
        action_mail_acct)
                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
                if [ $? -eq 0 ];then
                        ACCOUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
                        if [ "${ACCOUNT,,}" != "root" ];then
                            exit 1
                        fi
                else
                        exit 1
                fi
        ;;
        disk_full_action)
                if grep -i "disk_full_action.*ignore\|disk_full_action.*suspend" /etc/audit/auditd.conf;then
                        exit 1
                fi
        ;;
        disk_error_action)
                if grep -i "disk_error_action.*ignore\|disk_error_action.*suspend" /etc/audit/auditd.conf;then
                        exit 1
                fi
        ;;
esac