# platform = Red Hat Virtualization 4,multi_platform_debian,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux # Remediation is applicable only in certain platforms if dpkg-query --show --showformat='${db:Status-Status}' 'auditd' 2>/dev/null | grep -q '^installed$' && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="" AUID_FILTERS="" SYSCALL="sethostname setdomainname" KEY="audit_rules_networkconfig_modification" SYSCALL_GROUPING="sethostname setdomainname" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping unset syscall_string unset syscall unset file_to_edit unset rule_to_edit unset rule_syscalls_to_edit unset other_string unset auid_string unset full_rule # Load macro arguments into arrays read -a syscall_a <<< $SYSCALL read -a syscall_grouping <<< $SYSCALL_GROUPING # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- # files_to_inspect=() # If audit tool is 'augenrules', then check if the audit rule is defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection default_file="/etc/audit/rules.d/$KEY.rules" # As other_filters may include paths, lets use a different delimiter for it # The "F" script expression tells sed to print the filenames where the expressions matched readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet if [ ${#files_to_inspect[@]} -eq "0" ] then file_to_inspect="/etc/audit/rules.d/$KEY.rules" files_to_inspect=("$file_to_inspect") if [ ! -e "$file_to_inspect" ] then touch "$file_to_inspect" chmod 0600 "$file_to_inspect" fi fi # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead skip=1 for audit_file in "${files_to_inspect[@]}" do # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, # i.e, collect rules that match: # * the action, list and arch, (2-nd argument) # * the other filters, (3-rd argument) # * the auid filters, (4-rd argument) readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") candidate_rules=() # Filter out rules that have more fields then required. This will remove rules more specific than the required scope for s_rule in "${similar_rules[@]}" do # Strip all the options and fields we know of, # than check if there was any field left over extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") done if [[ ${#syscall_a[@]} -ge 1 ]] then # Check if the syscall we want is present in any of the similar existing rules for rule in "${candidate_rules[@]}" do rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) all_syscalls_found=0 for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { # A syscall was not found in the candidate rule all_syscalls_found=1 } done if [[ $all_syscalls_found -eq 0 ]] then # We found a rule with all the syscall(s) we want; skip rest of macro skip=0 break fi # Check if this rule can be grouped with our target syscall and keep track of it for syscall_g in "${syscall_grouping[@]}" do if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then file_to_edit=${audit_file} rule_to_edit=${rule} rule_syscalls_to_edit=${rule_syscalls} fi done done else # If there is any candidate rule, it is compliant; skip rest of macro if [ "${#candidate_rules[@]}" -gt 0 ] then skip=0 fi fi if [ "$skip" -eq 0 ]; then break fi done if [ "$skip" -ne 0 ]; then # We checked all rules that matched the expected resemblance pattern (action, arch & auid) # At this point we know if we need to either append the $full_rule or group # the syscall together with an exsiting rule # Append the full_rule if it cannot be grouped to any other rule if [ -z ${rule_to_edit+x} ] then # Build full_rule while avoid adding double spaces when other_filters is empty if [ "${#syscall_a[@]}" -gt 0 ] then syscall_string="" for syscall in "${syscall_a[@]}" do syscall_string+=" -S $syscall" done fi other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod 0600 ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi unset syscall_a unset syscall_grouping unset syscall_string unset syscall unset file_to_edit unset rule_to_edit unset rule_syscalls_to_edit unset other_string unset auid_string unset full_rule # Load macro arguments into arrays read -a syscall_a <<< $SYSCALL read -a syscall_grouping <<< $SYSCALL_GROUPING # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- # files_to_inspect=() # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' # file to the list of files to be inspected default_file="/etc/audit/audit.rules" files_to_inspect+=('/etc/audit/audit.rules' ) # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead skip=1 for audit_file in "${files_to_inspect[@]}" do # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, # i.e, collect rules that match: # * the action, list and arch, (2-nd argument) # * the other filters, (3-rd argument) # * the auid filters, (4-rd argument) readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") candidate_rules=() # Filter out rules that have more fields then required. This will remove rules more specific than the required scope for s_rule in "${similar_rules[@]}" do # Strip all the options and fields we know of, # than check if there was any field left over extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") done if [[ ${#syscall_a[@]} -ge 1 ]] then # Check if the syscall we want is present in any of the similar existing rules for rule in "${candidate_rules[@]}" do rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) all_syscalls_found=0 for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { # A syscall was not found in the candidate rule all_syscalls_found=1 } done if [[ $all_syscalls_found -eq 0 ]] then # We found a rule with all the syscall(s) we want; skip rest of macro skip=0 break fi # Check if this rule can be grouped with our target syscall and keep track of it for syscall_g in "${syscall_grouping[@]}" do if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then file_to_edit=${audit_file} rule_to_edit=${rule} rule_syscalls_to_edit=${rule_syscalls} fi done done else # If there is any candidate rule, it is compliant; skip rest of macro if [ "${#candidate_rules[@]}" -gt 0 ] then skip=0 fi fi if [ "$skip" -eq 0 ]; then break fi done if [ "$skip" -ne 0 ]; then # We checked all rules that matched the expected resemblance pattern (action, arch & auid) # At this point we know if we need to either append the $full_rule or group # the syscall together with an exsiting rule # Append the full_rule if it cannot be grouped to any other rule if [ -z ${rule_to_edit+x} ] then # Build full_rule while avoid adding double spaces when other_filters is empty if [ "${#syscall_a[@]}" -gt 0 ] then syscall_string="" for syscall in "${syscall_a[@]}" do syscall_string+=" -S $syscall" done fi other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod 0600 ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi done # Then perform the remediations for the watch rules # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0600 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0600 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0600 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/networks" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/networks $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/networks$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/networks -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/networks" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0600 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/networks" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/networks $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/networks$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/networks -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/network/" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/network/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/network/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/network/ -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/network/" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0600 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/network/" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/network/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/network/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/network/ -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/netplan/" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/netplan/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/netplan/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/netplan/ -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/netplan/" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0600 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/netplan/" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/netplan/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/netplan/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/netplan/ -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi