
Commit f097fc8

author
damien cavagnini
committed
add new debian12 scripts
bin/hardening/audit_chacl.sh -> 6.3.3.17 bin/hardening/audit_chcon.sh -> 6.3.3.15 bin/hardening/audit_file_deletion.sh -> 6.3.3.13 bin/hardening/audit_setfacl.sh -> 6.3.3.16 bin/hardening/audit_sudo_log.sh -> 6.3.3.3 ?
1 parent 5e25306 commit f097fc8


11 files changed

+726
-1
lines changed


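--- a/bin/hardening/audit_chacl.sh
+++ b/bin/hardening/audit_chacl.sh
@@ -0,0 +1,121 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure use of chacl command is audited (Automated)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Ensure audit rules for chacl command are configured."
+
+AUDIT_RULES_FILE='/etc/audit/rules.d/50-perm_chng.rules'
+AUDIT_RULES_DIR='/etc/audit/rules.d'
+
+# Global state
+AC_RULES_OK=1
+AC_UID_MIN=""
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+
+# Get UID_MIN
+AC_UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+if [ -z "$AC_UID_MIN" ]; then
+crit "Unable to determine UID_MIN from /etc/login.defs"
+return
+fi
+
+# Check on disk configuration
+local l_ondisk_result
+l_ondisk_result=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${AC_UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" "$AUDIT_RULES_DIR"/*.rules 2>/dev/null || true)
+
+# Check running configuration
+local l_running_result
+l_running_result=$($SUDO_CMD auditctl -l 2>/dev/null | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${AC_UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || true)
+
+if [ -n "$l_ondisk_result" ] && [ -n "$l_running_result" ]; then
+ok "chacl audit rules are correctly configured on disk and running"
+AC_RULES_OK=0
+else
+if [ -z "$l_ondisk_result" ]; then
+crit "chacl audit rule not found in on-disk configuration"
+fi
+if [ -z "$l_running_result" ]; then
+crit "chacl audit rule not found in running configuration"
+fi
+AC_RULES_OK=1
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+if [ "$(id -u)" -ne 0 ]; then
+crit "This function must be run as root (current user: $(whoami))"
+return 1
+fi
+
+if [ "$AC_RULES_OK" -eq 0 ]; then
+ok "chacl audit rules already correctly configured"
+return
+fi
+
+if [ -z "$AC_UID_MIN" ]; then
+crit "Unable to determine UID_MIN, cannot apply"
+return
+fi
+
+info "Configuring chacl audit rules"
+mkdir -p "$AUDIT_RULES_DIR"
+
+# Remove any existing chacl rules to avoid duplicates
+if [ -f "$AUDIT_RULES_FILE" ]; then
+sed -i '/path=\/usr\/bin\/chacl/d' "$AUDIT_RULES_FILE"
+fi
+
+# Create file with header if it doesn't exist
+if [ ! -f "$AUDIT_RULES_FILE" ]; then
+echo "## Permission modification" >"$AUDIT_RULES_FILE"
+fi
+
+# Add the rule
+echo "-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=${AC_UID_MIN} -F auid!=unset -k perm_chng" >>"$AUDIT_RULES_FILE"
+
+# Load the rules
+info "Loading audit rules"
+augenrules --load
+ok "chacl audit rules configured and loaded"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
+. /etc/default/cis-hardening
+fi
+if [ -z "${CIS_LIB_DIR}" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_LIB_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+# shellcheck source=../../lib/main.sh
+. "${CIS_LIB_DIR}"/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is ${CIS_LIB_DIR} in /etc/default/cis-hardening"
+exit 128
+fi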
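Review bot: The `auid>=` test in both awk programs of audit() (hunk lines 39 and 43) has no right boundary, so with UID_MIN=1000 a rule written as `-F auid>=10000` also matches and the check reports the chacl rule as compliant even though it would not log users 1000–9999. Anchoring the number closes that gap: `&&/ -F *auid>=${AC_UID_MIN}( |$)/` in place of `&&/ -F *auid>=${AC_UID_MIN}/` in both programs. The same unanchored pattern appears in the audit_chcon.sh section and in the file-deletion section of this commit. Note also that `$SUDO_CMD` on line 43 is expanded under `set -u`, so this relies on the sourced main.sh always defining it; a `${SUDO_CMD:-}` would make the audit() path safe to run standalone.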

bin/hardening/audit_chcon.sh

Lines changed: 121 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,121 @@
1+
#!/bin/bash
2+
3+
# run-shellcheck
4+
#
5+
# CIS Debian Hardening
6+
#
7+
8+
#
9+
# Ensure use of chcon command is audited (Automated)
10+
#
11+
12+
set -e # One error, it's over
13+
set -u # One variable unset, it's over
14+
15+
# shellcheck disable=2034
16+
HARDENING_LEVEL=4
17+
# shellcheck disable=2034
18+
DESCRIPTION="Ensure audit rules for chcon command are configured."
19+
20+
AUDIT_RULES_FILE='/etc/audit/rules.d/50-perm_chng.rules'
21+
AUDIT_RULES_DIR='/etc/audit/rules.d'
22+
23+
# Global state
24+
ACO_RULES_OK=1
25+
ACO_UID_MIN=""
26+
27+
# This function will be called if the script status is on enabled / audit mode
28+
audit() {
29+
30+
# Get UID_MIN
31+
ACO_UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
32+
if [ -z "$ACO_UID_MIN" ]; then
33+
crit "Unable to determine UID_MIN from /etc/login.defs"
34+
return
35+
fi
36+
37+
# Check on disk configuration
38+
local l_ondisk_result
39+
l_ondisk_result=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${ACO_UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" "$AUDIT_RULES_DIR"/*.rules 2>/dev/null || true)
40+
41+
# Check running configuration
42+
local l_running_result
43+
l_running_result=$($SUDO_CMD auditctl -l 2>/dev/null | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${ACO_UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || true)
44+
45+
if [ -n "$l_ondisk_result" ] && [ -n "$l_running_result" ]; then
46+
ok "chcon audit rules are correctly configured on disk and running"
47+
ACO_RULES_OK=0
48+
else
49+
if [ -z "$l_ondisk_result" ]; then
50+
crit "chcon audit rule not found in on-disk configuration"
51+
fi
52+
if [ -z "$l_running_result" ]; then
53+
crit "chcon audit rule not found in running configuration"
54+
fi
55+
ACO_RULES_OK=1
56+
fi
57+
}
58+
59+
# This function will be called if the script status is on enabled mode
60+
apply() {
61+
if [ "$(id -u)" -ne 0 ]; then
62+
crit "This function must be run as root (current user: $(whoami))"
63+
return 1
64+
fi
65+
66+
if [ "$ACO_RULES_OK" -eq 0 ]; then
67+
ok "chcon audit rules already correctly configured"
68+
return
69+
fi
70+
71+
if [ -z "$ACO_UID_MIN" ]; then
72+
crit "Unable to determine UID_MIN, cannot apply"
73+
return
74+
fi
75+
76+
info "Configuring chcon audit rules"
77+
mkdir -p "$AUDIT_RULES_DIR"
78+
79+
# Remove any existing chcon rules to avoid duplicates
80+
if [ -f "$AUDIT_RULES_FILE" ]; then
81+
sed -i '/path=\/usr\/bin\/chcon/d' "$AUDIT_RULES_FILE"
82+
fi
83+
84+
# Create file with header if it doesn't exist
85+
if [ ! -f "$AUDIT_RULES_FILE" ]; then
86+
echo "## Permission modification" >"$AUDIT_RULES_FILE"
87+
fi
88+
89+
# Add the rule
90+
echo "-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=${ACO_UID_MIN} -F auid!=unset -k perm_chng" >>"$AUDIT_RULES_FILE"
91+
92+
# Load the rules
93+
info "Loading audit rules"
94+
augenrules --load
95+
ok "chcon audit rules configured and loaded"
96+
}
97+
98+
# This function will check config parameters required
99+
check_config() {
100+
:
101+
}
102+
103+
# Source Root Dir Parameter
104+
if [ -r /etc/default/cis-hardening ]; then
105+
# shellcheck source=../../debian/default
106+
. /etc/default/cis-hardening
107+
fi
108+
if [ -z "${CIS_LIB_DIR}" ]; then
109+
echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
110+
echo "Cannot source CIS_LIB_DIR variable, aborting."
111+
exit 128
112+
fi
113+
114+
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
115+
if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
116+
# shellcheck source=../../lib/main.sh
117+
. "${CIS_LIB_DIR}"/main.sh
118+
else
119+
echo "Cannot find main.sh, have you correctly defined your root directory? Current value is ${CIS_LIB_DIR} in /etc/default/cis-hardening"
120+
exit 128
121+
fi
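Review bot: This file is the audit_chacl.sh script with `chacl` replaced by `chcon` and the `AC_` prefix by `ACO_`; the UID_MIN lookup (hunk line 31), the two ~200-character awk predicates (lines 39 and 43) and the on-disk/running comparison (lines 45–56) are repeated verbatim, which is where future fixes to the predicate will drift apart. Since both scripts already source `${CIS_LIB_DIR}/main.sh`, consider a shared helper taking the binary path, so audit() here reduces to something like `check_perm_chng_rule "/usr/bin/chcon"` with the returned on-disk and running results compared as today. Whether main.sh is the right home for such a helper cannot be judged from this commit, but the duplication is worth a comment in the header block at minimum, e.g. `# Mirrors bin/hardening/audit_chacl.sh; keep the awk predicates in sync`.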
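--- a/bin/hardening/audit_file_deletion.sh
+++ b/bin/hardening/audit_file_deletion.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+
+# run-shellcheck
+#
+# CIS Debian Hardening
+#
+
+#
+# Ensure file deletion events by users are collected
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# shellcheck disable=2034
+HARDENING_LEVEL=4
+# shellcheck disable=2034
+DESCRIPTION="Ensure file deletion events are audited"
+
+AUDIT_RULES_FILE="/etc/audit/rules.d/50-delete.rules"
+AUDIT_RULES_DIR='/etc/audit/rules.d'
+
+# Global state
+AFD_RULES_OK=1
+AFD_UID_MIN=""
+
+# This function will be called if the script status is on enabled / audit mode
+audit() {
+
+# Get UID_MIN
+AFD_UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)
+if [ -z "$AFD_UID_MIN" ]; then
+crit "Unable to determine UID_MIN from /etc/login.defs"
+return
+fi
+
+# Check on disk configuration
+local l_ondisk_result
+l_ondisk_result=$(awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${AFD_UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" "$AUDIT_RULES_DIR"/*.rules 2>/dev/null || true)
+
+# Check running configuration
+local l_running_result
+l_running_result=$($SUDO_CMD auditctl -l 2>/dev/null | awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${AFD_UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || true)
+
+# We need both b64 and b32 rules in both configurations
+local l_ondisk_b64 l_ondisk_b32 l_running_b64 l_running_b32
+l_ondisk_b64=$(echo "$l_ondisk_result" | grep -c "b64" || true)
+l_ondisk_b32=$(echo "$l_ondisk_result" | grep -c "b32" || true)
+l_running_b64=$(echo "$l_running_result" | grep -c "b64" || true)
+l_running_b32=$(echo "$l_running_result" | grep -c "b32" || true)
+
+if [ "$l_ondisk_b64" -ge 1 ] && [ "$l_ondisk_b32" -ge 1 ] && [ "$l_running_b64" -ge 1 ] && [ "$l_running_b32" -ge 1 ]; then
+ok "File deletion events are correctly configured on disk and running"
+AFD_RULES_OK=0
+else
+if [ "$l_ondisk_b64" -eq 0 ] || [ "$l_ondisk_b32" -eq 0 ]; then
+crit "File deletion audit rules not found or incomplete in on-disk configuration"
+fi
+if [ "$l_running_b64" -eq 0 ] || [ "$l_running_b32" -eq 0 ]; then
+crit "File deletion audit rules not found or incomplete in running configuration"
+fi
+AFD_RULES_OK=1
+fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply() {
+if [ "$(id -u)" -ne 0 ]; then
+crit "This function must be run as root (current user: $(whoami))"
+return 1
+fi
+
+if [ "$AFD_RULES_OK" -eq 0 ]; then
+ok "File deletion audit rules already correctly configured"
+return
+fi
+
+if [ -z "$AFD_UID_MIN" ]; then
+crit "Unable to determine UID_MIN, cannot apply"
+return
+fi
+
+info "Configuring file deletion audit rules"
+mkdir -p "$AUDIT_RULES_DIR"
+
+# Remove any existing delete rules to avoid duplicates
+if [ -f "$AUDIT_RULES_FILE" ]; then
+sed -i '/\-k delete/d' "$AUDIT_RULES_FILE"
+fi
+
+# Create file with header if it doesn't exist
+if [ ! -f "$AUDIT_RULES_FILE" ]; then
+echo "## File deletion events" >"$AUDIT_RULES_FILE"
+fi
+
+# Add the rules
+{
+echo "-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=${AFD_UID_MIN} -F auid!=unset -k delete"
+echo "-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=${AFD_UID_MIN} -F auid!=unset -k delete"
+} >>"$AUDIT_RULES_FILE"
+
+# Load the rules
+info "Loading audit rules"
+augenrules --load
+ok "File deletion audit rules configured and loaded"
+}
+
+# This function will check config parameters required
+check_config() {
+:
+}
+
+# Source Root Dir Parameter
+if [ -r /etc/default/cis-hardening ]; then
+# shellcheck source=../../debian/default
+. /etc/default/cis-hardening
+fi
+if [ -z "$CIS_LIB_DIR" ]; then
+echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment."
+echo "Cannot source CIS_LIB_DIR variable, aborting."
+exit 128
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+if [ -r "${CIS_LIB_DIR}"/main.sh ]; then
+# shellcheck source=../../lib/main.sh
+. "${CIS_LIB_DIR}"/main.sh
+else
+echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_LIB_DIR in /etc/default/cis-hardening"
+exit 128
+fi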
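Review bot: The syscall part of the awk predicate in audit() (hunk lines 39 and 43) is an OR, `(/unlink/||/rename/||/unlinkat/||/renameat/)`, so a rule that lists only `-S unlink` satisfies the check and the script reports deletion auditing as complete while rename/renameat events go unlogged; apply() on lines 98–99 writes all four syscalls, so the audit should demand the same. Requiring each name would be `&&/unlink/ &&/rename/ &&/unlinkat/ &&/renameat/`, bearing in mind that `/unlink/` also matches `unlinkat` and `/rename/` matches `renameat`, so a rule with only the `*at` variants would still pass unless the names are delimited, e.g. `/(^|[ ,])unlink([ ,]|$)/`. Separately, the b64/b32 tallies on lines 47–50 count matches across all `*.rules` files, so one file holding a b64 rule and another holding a b32 rule is accepted even though neither alone is complete; that may be acceptable, but it deserves a comment on line 45 such as `# counts are across all rules.d files, not per file`.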
