Linux ns8.secondary29.go.th 2.6.32-754.28.1.el6.x86_64 #1 SMP Wed Mar 11 18:38:45 UTC 2020 x86_64
Apache/2.2.15 (CentOS)
: 122.154.134.11 | : 122.154.134.9
Cant Read [ /etc/named.conf ]
5.6.40
apache
www.github.com/MadExploits
Terminal
AUTO ROOT
Adminer
Backdoor Destroyer
Linux Exploit
Lock Shell
Lock File
Create User
CREATE RDP
PHP Mailer
BACKCONNECT
UNLOCK SHELL
HASH IDENTIFIER
CPANEL RESET
CREATE WP USER
README
+ Create Folder
+ Create File
/
usr /
share /
scap-security-guide /
[ HOME SHELL ]
Name
Size
Permission
Action
kickstart
[ DIR ]
drwxr-xr-x
remediation_functions
29.54
KB
-rw-r--r--
Delete
Unzip
Zip
${this.title}
Close
Code Editor : remediation_functions
# -*-Shell-script-*- # # functions This file contains functions to be used by most or all # audit remediation shell scripts in the scap-security-guide's # RHEL/6/input/remediations/bash/ directory. # ######################################################################################## ##### Section #1 List universal (not product-specific) remediation functions below ##### ######################################################################################## # # Universal remediation functions (not tied with concrete product) # will be listed first. To add product-specific remediation function # see second section of this file below # # Function to fix syscall audit rule for given system call. It is # based on example audit syscall rule definitions as outlined in # /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit # package. It will combine multiple system calls belonging to the same # syscall group into one audit rule (rather than to create audit rule per # different system call) to avoid audit infrastructure performance penalty # in the case of 'one-audit-rule-definition-per-one-system-call'. See: # # https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html # # for further details. # # Expects five arguments (each of them is required) in the form of: # * audit tool tool used to load audit rules, # either 'auditctl', or 'augenrules # * audit rules' pattern audit rule skeleton for same syscall # * syscall group greatest common string this rule shares # with other rules from the same group # * architecture architecture this rule is intended for # * full form of new rule to add expected full form of audit rule as to be # added into audit.rules file # # Note: The 2-th up to 4-th arguments are used to determine how many existing # audit rules will be inspected for resemblance with the new audit rule # (5-th argument) the function is going to add. The rule's similarity check # is performed to optimize audit.rules definition (merge syscalls of the same # group into one rule) to avoid the "single-syscall-per-audit-rule" performance # penalty. # # Example call: # # See e.g. 'audit_rules_file_deletion_events.sh' remediation script # function fix_audit_syscall_rule { # Load function arguments into local variables local tool="$1" local pattern="$2" local group="$3" local arch="$4" local full_rule="$5" # Check sanity of the input if [ $# -ne "5" ] then echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'" echo "Aborting." exit 1 fi # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- # declare -a files_to_inspect # First check sanity of the specified audit tool if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] then echo "Unknown audit rules loading tool: $1. Aborting." echo "Use either 'auditctl' or 'augenrules'!" exit 1 # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' # file to the list of files to be inspected elif [ "$tool" == 'auditctl' ] then files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' ) # If audit tool is 'augenrules', then check if the audit rule is defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection elif [ "$tool" == 'augenrules' ] then # Extract audit $key from audit rule so we can use it later key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)') # Check if particular audit rule is already defined IFS=$'\n' matches=($(sed -s -n -e "/${pattern}/!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)) # Reset IFS back to default unset $IFS for match in "${matches[@]}" do files_to_inspect=("${files_to_inspect[@]}" "${match}") done # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet if [ ${#files_to_inspect[@]} -eq "0" ] then files_to_inspect="/etc/audit/rules.d/$key.rules" if [ ! -e "$files_to_inspect" ] then touch "$files_to_inspect" chmod 0640 "$files_to_inspect" fi fi fi # # Indicator that we want to append $full_rule into $audit_file by default local append_expected_rule=0 for audit_file in "${files_to_inspect[@]}" do # Filter existing $audit_file rules' definitions to select those that: # * follow the rule pattern, and # * meet the hardware architecture requirement, and # * are current syscall group specific IFS=$'\n' existing_rules=($(sed -e "/${pattern}/!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")) # Reset IFS back to default unset $IFS # Process rules found case-by-case for rule in "${existing_rules[@]}" do # Found rule is for same arch & key, but differs (e.g. in count of -S arguments) if [ "${rule}" != "${full_rule}" ] then # If so, isolate just '(-S \w)+' substring of that rule rule_syscalls=$(echo $rule | grep -o -P '(-S \w+ )+') # Check if list of '-S syscall' arguments of that rule is subset # of '-S syscall' list of expected $full_rule if grep -q -- "$rule_syscalls" <<< "$full_rule" then # Rule is covered (i.e. the list of -S syscalls for this rule is # subset of -S syscalls of $full_rule => existing rule can be deleted # Thus delete the rule from audit.rules & our array sed -i -e "/$rule/d" "$audit_file" existing_rules=("${existing_rules[@]//$rule/}") else # Rule isn't covered by $full_rule - it besides -S syscall arguments # for this group contains also -S syscall arguments for other syscall # group. Example: '-S lchown -S fchmod -S fchownat' => group='chown' # since 'lchown' & 'fchownat' share 'chown' substring # Therefore: # * 1) delete the original rule from audit.rules # (original '-S lchown -S fchmod -S fchownat' rule would be deleted) # * 2) delete the -S syscall arguments for this syscall group, but # keep those not belonging to this syscall group # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod' # * 3) append the modified (filtered) rule again into audit.rules # if the same rule not already present # # 1) Delete the original rule sed -i -e "/$rule/d" "$audit_file" # 2) Delete syscalls for this group, but keep those from other groups # Convert current rule syscall's string into array splitting by '-S' delimiter IFS=$'-S' read -a rule_syscalls_as_array <<< "$rule_syscalls" # Reset IFS back to default unset $IFS # Declare new empty string to hold '-S syscall' arguments from other groups new_syscalls_for_rule='' # Walk through existing '-S syscall' arguments for syscall_arg in "${rule_syscalls_as_array[@]}" do # Skip empty $syscall_arg values if [ "$syscall_arg" == '' ] then continue fi # If the '-S syscall' doesn't belong to current group add it to the new list # (together with adding '-S' delimiter back for each of such item found) if grep -q -v -- "$group" <<< "$syscall_arg" then new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg" fi done # Replace original '-S syscall' list with the new one for this rule updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule} # Squeeze repeated whitespace characters in rule definition (if any) into one updated_rule=$(echo "$updated_rule" | tr -s '[:space:]') # 3) Append the modified / filtered rule again into audit.rules # (but only in case it's not present yet to prevent duplicate definitions) if ! grep -q -- "$updated_rule" "$audit_file" then echo "$updated_rule" >> "$audit_file" fi fi else # $audit_file already contains the expected rule form for this # architecture & key => don't insert it second time append_expected_rule=1 fi done # We deleted all rules that were subset of the expected one for this arch & key. # Also isolated rules containing system calls not from this system calls group. # Now append the expected rule if it's not present in $audit_file yet if [[ ${append_expected_rule} -eq "0" ]] then echo "$full_rule" >> "$audit_file" fi done } # Function to fix audit file system object watch rule for given path: # * if rule exists, also verifies the -w bits match the requirements # * if rule doesn't exist yet, appends expected rule form to $files_to_inspect # audit rules file, depending on the tool which was used to load audit rules # # Expects four arguments (each of them is required) in the form of: # * audit tool tool used to load audit rules, # either 'auditctl', or 'augenrules' # * path value of -w audit rule's argument # * required access bits value of -p audit rule's argument # * key value of -k audit rule's argument # # Example call: # # fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules" # function fix_audit_watch_rule { # Load function arguments into local variables local tool="$1" local path="$2" local required_access_bits="$3" local key="$4" # Check sanity of the input if [ $# -ne "4" ] then echo "Usage: fix_audit_watch_rule 'tool' 'path' 'bits' 'key'" echo "Aborting." exit 1 fi # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- declare -a files_to_inspect # Check sanity of the specified audit tool if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] then echo "Unknown audit rules loading tool: $1. Aborting." echo "Use either 'auditctl' or 'augenrules'!" exit 1 # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected elif [ "$tool" == 'auditctl' ] then files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules') # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/$key.rules' to list of files for inspection. elif [ "$tool" == 'augenrules' ] then # Case when particular audit rule is already defined in some of /etc/audit/rules.d/*.rules file # Get pair -- filepath : matching_row into @matches array IFS=$'\n' matches=($(grep -P "[\s]*-w[\s]+$path" /etc/audit/rules.d/*.rules)) # Reset IFS back to default unset $IFS # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect=("${files_to_inspect[@]}" "$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ ${#files_to_inspect[@]} -eq "0" ] then # Append '/etc/audit/rules.d/$key.rules' into list of files for inspection files_to_inspect="/etc/audit/rules.d/$key.rules" # If the $key.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$files_to_inspect" ] then touch "$files_to_inspect" chmod 0640 "$files_to_inspect" fi fi fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "[\s]*-w[\s]+$path" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Escape slashes in path for use in sed pattern below local esc_path=${path//$'/'/$'\/'} # Define BRE whitespace class shortcut local sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "$required_access_bits" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s/\($sp*-w$sp\+$esc_path$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)/\1$current_access_bits\3/" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w $path -p $required_access_bits -k $key" >> "$audit_rules_file" fi done } # Function to install or uninstall packages on RHEL and Fedora systems. # # Example Call(s): # # package_command install aide # package_command remove telnet-server # function package_command { # Load function arguments into local variables local package_operation=$1 local package=$2 # Check sanity of the input if [ $# -ne "2" ] then echo "Usage: package_command 'install/uninstall' 'rpm_package_name" echo "Aborting." exit 1 fi # If dnf is installed, use dnf; otherwise, use yum if [ -f "/usr/bin/dnf" ] ; then install_util="/usr/bin/dnf" else install_util="/usr/bin/yum" fi if [ "$package_operation" != 'remove' ] ; then # If the rpm is not installed, install the rpm if ! /usr/bin/rpm -q --quiet $package; then $install_util -y $package_operation $package fi else # If the rpm is installed, uninstall the rpm if /usr/bin/rpm -q --quiet $package; then $install_util -y $package_operation $package fi fi } # Function to enable/disable and start/stop services on RHEL and Fedora systems. # # Example Call(s): # # service_command enable bluetooth # service_command disable bluetooth.service # # Using xinetd: # service_command disable rsh.socket xinetd=rsh # function service_command { # Load function arguments into local variables local service_state=$1 local service=$2 local xinetd=$(echo $3 | cut -d'=' -f2) # Check sanity of the input if [ $# -lt "2" ] then echo "Usage: service_command 'enable/disable' 'service_name.service'" echo echo "To enable or disable xinetd services add \'xinetd=service_name\'" echo "as the last argument" echo "Aborting." exit 1 fi # If systemctl is installed, use systemctl command; otherwise, use the service/chkconfig commands if [ -f "/usr/bin/systemctl" ] ; then service_util="/usr/bin/systemctl" else service_util="/sbin/service" chkconfig_util="/sbin/chkconfig" fi # If disable is not specified in arg1, set variables to enable services. # Otherwise, variables are to be set to disable services. if [ "$service_state" != 'disable' ] ; then service_state="enable" service_operation="start" chkconfig_state="on" else service_state="disable" service_operation="stop" chkconfig_state="off" fi # If chkconfig_util is not empty, use chkconfig/service commands. if ! [ "x$chkconfig_util" = x ] ; then $service_util $service $service_operation $chkconfig_util --level 0123456 $service $chkconfig_state else $service_util $service_operation $service $service_util $service_state $service fi # Test if local variable xinetd is empty using non-bashism. # If empty, then xinetd is not being used. if ! [ "x$xinetd" = x ] ; then grep -qi disable /etc/xinetd.d/$xinetd && \ if ! [ "$service_operation" != 'disable' ] ; then sed -i "s/disable.*/disable = no/gI" /etc/xinetd.d/$xinetd else sed -i "s/disable.*/disable = yes/gI" /etc/xinetd.d/$xinetd fi fi } # Function to perform remediation for 'audit_rules_privileged_commands' rule # # Expects two arguments: # # audit_tool tool used to load audit rules # One of 'auditctl' or 'augenrules' # # min_auid Minimum original ID the user logged in with # '500' for RHEL-6 and before, '1000' for RHEL-7 and after. # # Example Call(s): # # perform_audit_rules_privileged_commands_remediation "auditctl" "500" # perform_audit_rules_privileged_commands_remediation "augenrules" "1000" # function perform_audit_rules_privileged_commands_remediation { # # Load function arguments into local variables local tool="$1" local min_auid="$2" # Check sanity of the input if [ $# -ne "2" ] then echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'" echo "Aborting." exit 1 fi declare -a files_to_inspect=() # Check sanity of the specified audit tool if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] then echo "Unknown audit rules loading tool: $1. Aborting." echo "Use either 'auditctl' or 'augenrules'!" exit 1 # If the audit tool is 'auditctl', then: # * add '/etc/audit/audit.rules'to the list of files to be inspected, # * specify '/etc/audit/audit.rules' as the output audit file, where # missing rules should be inserted elif [ "$tool" == 'auditctl' ] then files_to_inspect=("/etc/audit/audit.rules") output_audit_file="/etc/audit/audit.rules" # # If the audit tool is 'augenrules', then: # * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected # (split by newline), # * specify /etc/audit/rules.d/privileged.rules' as the output file, where # missing rules should be inserted elif [ "$tool" == 'augenrules' ] then IFS=$'\n' files_to_inspect=($(find /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -print)) output_audit_file="/etc/audit/rules.d/privileged.rules" fi # Obtain the list of SUID/SGID binaries on the particular system (split by newline) # into privileged_binaries array IFS=$'\n' privileged_binaries=($(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null)) # Keep list of SUID/SGID binaries that have been already handled within some previous iteration declare -a sbinaries_to_skip=() # For each found sbinary in privileged_binaries list for sbinary in "${privileged_binaries[@]}" do # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below sbinary_esc=${sbinary//$'/'/$'\/'} # Check if this sbinary wasn't already handled in some of the previous iterations # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) if [[ $(sed -ne "/${sbinary_esc}$/p" <<< ${sbinaries_to_skip[@]}) ]] then # If so, don't process it second time & go to process next sbinary continue fi # Reset the counter of inspected files when starting to check # presence of existing audit rule for new sbinary local count_of_inspected_files=0 # For each audit rules file from the list of files to be inspected for afile in "${files_to_inspect[@]}" do # Search current audit rules file's content for match. Match criteria: # * existing rule is for the same SUID/SGID binary we are currently processing (but # can contain multiple -F path= elements covering multiple SUID/SGID binaries) # * existing rule contains all arguments from expected rule form (though can contain # them in arbitrary order) base_search=$(sed -e "/-a always,exit/!d" -e "/-F path=${sbinary_esc}$/!d" \ -e "/-F path=[^[:space:]]\+/!d" -e "/-F perm=.*/!d" \ -e "/-F auid>=${min_auid}/!d" -e "/-F auid!=4294967295/!d" \ -e "/-k privileged/!d" $afile) # Increase the count of inspected files for this sbinary count_of_inspected_files=$((count_of_inspected_files + 1)) # Define expected rule form for this binary expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged" # Require execute access type to be set for existing audit rule exec_access='x' # Search current audit rules file's content for presence of rule pattern for this sbinary if [[ $base_search ]] then # Current audit rules file already contains rule for this binary => # Store the exact form of found rule for this binary for further processing concrete_rule=$base_search # Select all other SUID/SGID binaries possibly also present in the found rule IFS=$'\n' handled_sbinaries=($(grep -o -e "-F path=[^[:space:]]\+" <<< $concrete_rule)) IFS=$' ' handled_sbinaries=(${handled_sbinaries[@]//-F path=/}) # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates sbinaries_to_skip=($(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo $i; done | sort -du)) # Separate concrete_rule into three sections using hash '#' # sign as a delimiter around rule's permission section borders concrete_rule=$(echo $concrete_rule | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p") # Split concrete_rule into head, perm, and tail sections using hash '#' delimiter IFS=$'#' read rule_head rule_perm rule_tail <<< "$concrete_rule" # Extract already present exact access type [r|w|x|a] from rule's permission section access_type=${rule_perm//-F perm=/} # Verify current permission access type(s) for rule contain 'x' (execute) permission if ! grep -q "$exec_access" <<< "$access_type" then # If not, append the 'x' (execute) permission to the existing access type bits access_type="$access_type$exec_access" # Reconstruct the permissions section for the rule new_rule_perm="-F perm=$access_type" # Update existing rule in current audit rules file with the new permission section sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" $afile fi # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions: # # * in the "auditctl" mode of operation insert particular rule each time # (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule), # # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already # searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined # in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file) # elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]] then # Current audit rules file's content doesn't contain expected rule for this # SUID/SGID binary yet => append it echo $expected_rule >> $output_audit_file fi done done } # The populate function isn't directly used by SSG at the moment but it can be # used for testing purposes and will be used in SSG Testsuite in the future. function populate { # code to populate environment variables needed (for unit testing) if [ -z "${!1}" ]; then echo "$1 is not defined. Exiting." exit fi } ######################################################################### ##### Section #2: List product-specific remediation functions below ##### ######################################################################### # # Remediation functions specific to concrete product (e.g. RHEL-7, Fedora etc.) # are listed below # function rhel6_perform_audit_adjtimex_settimeofday_stime_remediation { # Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit # system calls on Red Hat Enterprise Linux 6 OS # # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" # Create expected audit group and audit rule form for particular system call & architecture if [ ${ARCH} = "b32" ] then # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) # so append it to the list of time group system calls to be audited GROUP="\(adjtimex\|settimeofday\|stime\)" FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" elif [ ${ARCH} = "b64" ] then # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) # therefore don't add it to the list of time group system calls to be audited GROUP="\(adjtimex\|settimeofday\)" FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" fi # Perform the remediation itself fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done } function rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation { # Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit # system calls on Red Hat Enterprise Linux 7 or Fedora OSes # # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" # Create expected audit group and audit rule form for particular system call & architecture if [ ${ARCH} = "b32" ] then # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) # so append it to the list of time group system calls to be audited GROUP="\(adjtimex\|settimeofday\|stime\)" FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" elif [ ${ARCH} = "b64" ] then # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) # therefore don't add it to the list of time group system calls to be audited GROUP="\(adjtimex\|settimeofday\)" FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" fi # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done } # Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects four arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or 'CCENUM' if no CCE identifier exists # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. # # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' 'CCENUM' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' 'CCENUM' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state 'CCENUM' '%s=%s' # function replace_or_append { local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 # Check sanity of the input if [ $# -lt "3" ] then echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'" echo echo "If symlinks need to be taken into account, add yes/no to the last argument" echo "to allow to 'follow_symlinks'." echo "Aborting." exit 1 fi # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. if test -L $config_file; then sed_command="sed -i --follow-symlinks" else sed_command="sed -i" fi # Test that the cce arg is not empty or does not equal CCENUM. # If CCENUM exists, it means that there is no CCE assigned. if ! [ "x$cce" = x ] && [ "$cce" != 'CCENUM' ]; then cce="CCE-${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=${key//[!a-zA-Z]/} # If there is no print format specified in the last arg, use the default format. if ! [ "x$format" = x ] ; then printf -v formatted_output $format $stripped_key $value else formatted_output="$stripped_key = $value" fi # If the key exists, change it. Otherwise, add it to the config_file. if `grep -qi $key $config_file` ; then $sed_command "s/$key.*/$formatted_output/g" $config_file else echo -ne "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file echo -ne "\n$formatted_output" >> $config_file fi }
Close
