
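#!/bin/bash
#
# check-auditd.sh — single-purpose auditd hardening checks.
#
# Usage:
#   check-auditd.sh CHECK                    (most checks)
#   check-auditd.sh num_logs     OP N        (OP is one of eq ne lt le gt ge)
#   check-auditd.sh max_log_file OP N
#
# The numeric checks FAIL when "[ configured_value -OP N ]" holds, e.g.
# "check-auditd.sh num_logs lt 5" fails when num_logs is below 5.
#
# Exit status:
#   0  check passed
#   1  check failed (or the data needed to decide could not be read)
#   2  usage error / unknown check name (previously a typo'd check name
#      fell through the case statement and silently passed)
#
# Reads /etc/audit/auditd.conf and the loaded rule set from `auditctl -l`
# (which normally requires root).
set -u

readonly PROG=${0##*/}
readonly AUDITD_CONF=/etc/audit/auditd.conf
RULES=   # filled by load_rules

#######################################
# Print usage to stderr and exit 2.
#######################################
usage() {
  printf 'Usage: %s CHECK | %s {num_logs|max_log_file} {eq|ne|lt|le|gt|ge} N\n' \
    "$PROG" "$PROG" >&2
  exit 2
}

#######################################
# Print the value of KEY from auditd.conf.
# Comment lines, trailing comments and all whitespace are stripped first,
# then the key is matched exactly: "space_left_action" no longer also picks
# up the "admin_space_left_action" line the way the old substring grep did.
# A duplicated key yields a multi-line value, which then fails the equality
# and numeric tests below — deliberately conservative.
# Arguments: $1 - config key
# Outputs:   the value(s), one per line, on stdout
# Returns:   0 if at least one value was found; 1 if the key is absent or
#            the config file cannot be read
#######################################
conf_value() {
  local key=$1 value
  value=$(sed -e '/^[[:space:]]*#/d' -e 's/#.*$//' -e 's/[[:space:]]//g' -e '/^$/d' \
      "$AUDITD_CONF" 2>/dev/null \
    | awk -F '=' -v k="$key" '$1 == k { print $2 }')
  [[ -n "$value" ]] || return 1
  printf '%s\n' "$value"
}

#######################################
# Returns 0 when KEY is set to EXPECTED (compared case-insensitively),
# 1 when it is absent or set to anything else.
#######################################
expect_value() {
  local key=$1 expected=$2 actual
  actual=$(conf_value "$key") || return 1
  [[ "${actual,,}" == "${expected,,}" ]]
}

#######################################
# Returns 0 when KEY's value (case-insensitive) equals one of the CANDIDATES.
# An absent key returns 1.
# Arguments: $1 - config key, $2.. - candidate values
#######################################
value_is_one_of() {
  local key=$1 actual candidate
  shift
  actual=$(conf_value "$key") || return 1
  for candidate in "$@"; do
    [[ "${actual,,}" == "${candidate,,}" ]] && return 0
  done
  return 1
}

#######################################
# Returns 0 when the numeric check for KEY should FAIL: when
# "[ value -OP BOUND ]" holds, or when the value is absent or not a plain
# integer (a malformed value used to make `[` error out and the check pass).
# Arguments: $1 - key, $2 - op (eq|ne|lt|le|gt|ge; validated by the caller),
#            $3 - integer bound
#######################################
value_violates() {
  local key=$1 op=$2 bound=$3 actual
  actual=$(conf_value "$key") || return 0
  [[ "$actual" =~ ^[0-9]+$ ]] || return 0
  test "$actual" "-$op" "$bound"
}

#######################################
# Capture the loaded audit rules once into RULES instead of re-running
# auditctl for every pattern.
# Returns 1 (with a diagnostic on stderr) when auditctl fails, e.g. because
# it is not installed or the caller is not root.
#######################################
load_rules() {
  RULES=$(auditctl -l 2>/dev/null) && return 0
  printf '%s: auditctl -l failed (is auditd installed and are you root?)\n' "$PROG" >&2
  return 1
}

# Matchers over RULES. Paths and syscall names are matched as fixed strings
# (the old unquoted grep treated them as regexes) or whole words; only the
# kernel-module checks need an extended regex.
rule_present()      { grep -qF -- "$1" <<<"$RULES"; }
rule_present_word() { grep -qw -- "$1" <<<"$RULES"; }
rule_present_re()   { grep -qE -- "$1" <<<"$RULES"; }

#######################################
# Exit 1 unless every ITEM satisfies MATCHER.
# Arguments: $1 - matcher function name, $2.. - items to test
#######################################
require_all() {
  local matcher=$1 item
  shift
  for item in "$@"; do
    "$matcher" "$item" || exit 1
  done
}

#######################################
# Dispatch on the check name given as $1.
#######################################
main() {
  local check=${1-} path
  case "$check" in
    space_left_action)       expect_value "$check" email  || exit 1 ;;
    admin_space_left_action) expect_value "$check" single || exit 1 ;;
    max_log_file_action)     expect_value "$check" rotate || exit 1 ;;
    action_mail_acct)        expect_value "$check" root   || exit 1 ;;
    num_logs|max_log_file)
      # Only a known test operator and an integer bound are spliced into `test`;
      # anything else is a usage error rather than a silent pass.
      [[ "${2-}" =~ ^(eq|ne|lt|le|gt|ge)$ && "${3-}" =~ ^[0-9]+$ ]] || usage
      value_violates "$check" "$2" "$3" && exit 1
      ;;
    disk_full_action|disk_error_action)
      # Only an uncommented setting counts; a commented-out "ignore" used to fail this.
      # NOTE(review): an absent key passes here; auditd's built-in default is not
      # consulted — confirm that is the intended reading.
      value_is_one_of "$check" ignore suspend && exit 1
      ;;
    account)
      load_rules || exit 1
      require_all rule_present /etc/passwd /etc/shadow /etc/group /etc/gshadow \
        /etc/security/opasswd
      ;;
    network)
      load_rules || exit 1
      require_all rule_present sethostname setdomainname /etc/issue.net /etc/hosts \
        /etc/sysconfig network
      ;;
    apparmor-config)
      load_rules || exit 1
      require_all rule_present /etc/apparmor/ /etc/apparmor.d/
      ;;
    failed-access-files-programs)
      load_rules || exit 1
      require_all rule_present EACCES EPERM
      ;;
    setuid-setgid)
      load_rules || exit 1
      # -xdev: only the root filesystem is walked (as before), so binaries on
      # other mounts are not examined. Process substitution keeps the loop in
      # this shell, so "exit 1" ends the script instead of a pipeline subshell;
      # -print0/-d '' keeps odd file names intact.
      while IFS= read -r -d '' path; do
        rule_present "$path" || exit 1
      done < <(find / -xdev -type f -perm /6000 -print0 2>/dev/null)
      ;;
    deletions)
      load_rules || exit 1
      # Whole-word match so "unlink" is not satisfied by "unlinkat" alone,
      # nor "rename" by "renameat".
      require_all rule_present_word rmdir unlink unlinkat rename renameat
      ;;
    kernel-modules)
      load_rules || exit 1
      # NOTE(review): these expect /sbin/...; on merged-/usr distributions
      # auditctl may print /usr/sbin/... — verify against the target system.
      require_all rule_present_re '(-w |-F path=)/sbin/insmod' \
        '(-w |-F path=)/sbin/rmmod' '(-w |-F path=)/sbin/modprobe'
      require_all rule_present_word init_module delete_module
      ;;
    *) usage ;;
  esac
  exit 0   # every failure path above has already exited non-zero
}

main "$@"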