154 lines
6.6 KiB
Bash
154 lines
6.6 KiB
Bash
#!/bin/bash
|
|
|
|
case $1 in
|
|
space_left_action)
|
|
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
|
|
if [ $? -eq 0 ];then
|
|
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
|
|
if [ "${ACTION,,}" != "email" ];then
|
|
exit 1
|
|
fi
|
|
else
|
|
exit 1
|
|
fi
|
|
;;
|
|
num_logs)
|
|
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
|
|
if [ $? -eq 0 ];then
|
|
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}') -$2 $3 ];then
|
|
exit 1
|
|
fi
|
|
else
|
|
exit 1
|
|
fi
|
|
;;
|
|
max_log_file)
|
|
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1=)
|
|
if [ $? -eq 0 ];then
|
|
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1= | awk -F '=' '{print $2}') -$2 $3 ];then
|
|
exit 1
|
|
fi
|
|
else
|
|
exit 1
|
|
fi
|
|
;;
|
|
max_log_file_action)
|
|
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
|
|
if [ $? -eq 0 ];then
|
|
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
|
|
if [ "${ACTION,,}" != "rotate" ];then
|
|
exit 1
|
|
fi
|
|
else
|
|
exit 1
|
|
fi
|
|
;;
|
|
admin_space_left_action)
|
|
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
|
|
if [ $? -eq 0 ];then
|
|
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
|
|
if [ "${ACTION,,}" != "single" ];then
|
|
exit 1
|
|
fi
|
|
else
|
|
exit 1
|
|
fi
|
|
;;
|
|
account)
|
|
if ! auditctl -l | grep "/etc/passwd" ;then
|
|
exit 1
|
|
elif ! auditctl -l | grep "/etc/shadow";then
|
|
exit 1
|
|
elif ! auditctl -l | grep "/etc/group";then
|
|
exit 1
|
|
elif ! auditctl -l | grep "/etc/gshadow";then
|
|
exit 1
|
|
elif ! auditctl -l | grep "/etc/security/opasswd";then
|
|
exit 1
|
|
fi
|
|
;;
|
|
network)
|
|
if ! auditctl -l | grep "sethostname" ;then
|
|
exit 1
|
|
elif ! auditctl -l | grep "setdomainname";then
|
|
exit 1
|
|
elif ! auditctl -l | grep "/etc/issue.net";then
|
|
exit 1
|
|
elif ! auditctl -l | grep "/etc/hosts";then
|
|
exit 1
|
|
elif ! auditctl -l | grep "/etc/sysconfig";then
|
|
exit 1
|
|
elif ! auditctl -l | grep "network";then
|
|
exit 1
|
|
fi
|
|
;;
|
|
apparmor-config)
|
|
if ! auditctl -l | grep "/etc/apparmor/" ;then
|
|
exit 1
|
|
elif ! auditctl -l | grep "/etc/apparmor.d/";then
|
|
exit 1
|
|
fi
|
|
;;
|
|
failed-access-files-programs)
|
|
if ! auditctl -l | grep "EACCES" ;then
|
|
exit 1
|
|
elif ! auditctl -l | grep "EPERM";then
|
|
exit 1
|
|
fi
|
|
;;
|
|
setuid-setgid)
|
|
find / -xdev -type f -perm /6000 2>/dev/null | while read line;do
|
|
if ! auditctl -l | grep "$line" ;then
|
|
exit 1
|
|
fi
|
|
done
|
|
;;
|
|
deletions)
|
|
if ! auditctl -l | grep "rmdir" ;then
|
|
exit 1
|
|
elif ! auditctl -l | grep "unlink";then
|
|
exit 1
|
|
elif ! auditctl -l | grep "unlinkat";then
|
|
exit 1
|
|
elif ! auditctl -l | grep "rename";then
|
|
exit 1
|
|
elif ! auditctl -l | grep "renameat";then
|
|
exit 1
|
|
fi
|
|
;;
|
|
kernel-modules)
|
|
if ! auditctl -l | egrep -e "(-w |-F path=)/sbin/insmod";then
|
|
exit 1
|
|
elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/rmmod";then
|
|
exit 1
|
|
elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/modprobe";then
|
|
exit 1
|
|
elif ! auditctl -l | grep -w "init_module";then
|
|
exit 1
|
|
elif ! auditctl -l | grep -w "delete_module";then
|
|
exit 1
|
|
fi
|
|
;;
|
|
action_mail_acct)
|
|
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
|
|
if [ $? -eq 0 ];then
|
|
ACCOUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
|
|
if [ "${ACCOUNT,,}" != "root" ];then
|
|
exit 1
|
|
fi
|
|
else
|
|
exit 1
|
|
fi
|
|
;;
|
|
disk_full_action)
|
|
if grep -i "disk_full_action.*ignore\|disk_full_action.*suspend" /etc/audit/auditd.conf;then
|
|
exit 1
|
|
fi
|
|
;;
|
|
disk_error_action)
|
|
if grep -i "disk_error_action.*ignore\|disk_error_action.*suspend" /etc/audit/auditd.conf;then
|
|
exit 1
|
|
fi
|
|
;;
|
|
esac
|