| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153 | 
							- #!/bin/bash
 - 
 - case $1 in
 -         space_left_action)
 -                 EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
 -                 if [ $? -eq 0 ];then
 -                         ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
 -                         if [ "${ACTION,,}" != "email" ];then
 -                             exit 1
 -                         fi
 -                 else
 -                         exit 1
 -                 fi
 -         ;;
 -         num_logs)
 -                 EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
 -                 if [ $? -eq 0 ];then
 -                         if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}') -$2 $3 ];then
 -                             exit 1
 -                         fi
 -                 else
 -                         exit 1
 -                 fi
 -         ;;
 -         max_log_file)
 -                 EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1=)
 -                 if [ $? -eq 0 ];then
 -                         if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1= | awk -F '=' '{print $2}') -$2 $3 ];then
 -                             exit 1
 -                         fi
 -                 else
 -                         exit 1
 -                 fi
 -         ;;
 -         max_log_file_action)
 -                 EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
 -                 if [ $? -eq 0 ];then
 -                         ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
 -                         if [ "${ACTION,,}" != "rotate" ];then
 -                             exit 1
 -                         fi
 -                 else
 -                         exit 1
 -                 fi
 -         ;;
 -         admin_space_left_action)
 -                 EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
 -                 if [ $? -eq 0 ];then
 -                         ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
 -                         if [ "${ACTION,,}" != "single" ];then
 -                             exit 1
 -                         fi
 -                 else
 -                         exit 1
 -                 fi
 -         ;;
 -         account)
 -                 if ! auditctl -l | grep "/etc/passwd" ;then
 -                         exit 1
 -                 elif ! auditctl -l | grep "/etc/shadow";then
 -                         exit 1
 -                 elif ! auditctl -l | grep "/etc/group";then
 -                         exit 1
 -                 elif ! auditctl -l | grep "/etc/gshadow";then
 -                         exit 1
 -                 elif ! auditctl -l | grep "/etc/security/opasswd";then
 -                         exit 1
 -                 fi
 -         ;;
 -         network)
 -                 if ! auditctl -l | grep "sethostname" ;then
 -                         exit 1
 -                 elif ! auditctl -l | grep "setdomainname";then
 -                         exit 1
 -                 elif ! auditctl -l | grep "/etc/issue.net";then
 -                         exit 1
 -                 elif ! auditctl -l | grep "/etc/hosts";then
 -                         exit 1
 -                 elif ! auditctl -l | grep "/etc/sysconfig";then
 -                         exit 1
 -                 elif ! auditctl -l | grep "network";then
 -                         exit 1
 -                 fi
 -         ;;
 -         apparmor-config)
 -                 if ! auditctl -l | grep "/etc/apparmor/" ;then
 -                         exit 1
 -                 elif ! auditctl -l | grep "/etc/apparmor.d/";then
 -                         exit 1
 -                 fi
 -         ;;
 -         failed-access-files-programs)
 -                 if ! auditctl -l | grep "EACCES" ;then
 -                         exit 1
 -                 elif ! auditctl -l | grep "EPERM";then
 -                         exit 1
 -                 fi
 -         ;;
 -         setuid-setgid)
 -                 find / -xdev -type f -perm /6000 2>/dev/null | while read line;do
 -                         if ! auditctl -l | grep "$line" ;then
 -                                 exit 1
 -                         fi
 -                 done
 -         ;;
 -         deletions)
 -                 if ! auditctl -l | grep "rmdir" ;then
 -                         exit 1
 -                 elif ! auditctl -l | grep "unlink";then
 -                         exit 1
 -                 elif ! auditctl -l | grep "unlinkat";then
 -                         exit 1
 -                 elif ! auditctl -l | grep "rename";then
 -                         exit 1
 -                 elif ! auditctl -l | grep "renameat";then
 -                         exit 1
 -                 fi
 -         ;;
 -         kernel-modules)
 -                 if ! auditctl -l | egrep -e "(-w |-F path=)/sbin/insmod";then
 -                         exit 1
 -                 elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/rmmod";then
 -                         exit 1
 -                 elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/modprobe";then
 -                         exit 1
 -                 elif ! auditctl -l | grep -w "init_module";then
 -                         exit 1
 -                 elif ! auditctl -l | grep -w "delete_module";then
 -                         exit 1
 -                 fi
 -         ;;
 -         action_mail_acct)
 -                 EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
 -                 if [ $? -eq 0 ];then
 -                         ACCOUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
 -                         if [ "${ACCOUNT,,}" != "root" ];then
 -                             exit 1
 -                         fi
 -                 else
 -                         exit 1
 -                 fi
 -         ;;
 -         disk_full_action)
 -                 if grep -i "disk_full_action.*ignore\|disk_full_action.*suspend" /etc/audit/auditd.conf;then
 -                         exit 1
 -                 fi
 -         ;;
 -         disk_error_action)
 -                 if grep -i "disk_error_action.*ignore\|disk_error_action.*suspend" /etc/audit/auditd.conf;then
 -                         exit 1
 -                 fi
 -         ;;
 - esac
 
 