Good : full update

modules/auditing.sh

@@ -0,0 +1,126 @@
+#!/bin/bash
+# =============================================================================
+# System auditing configuration module
+# =============================================================================
+
+# Set script directory
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Source common functions and variables
+source "./common.sh"
+
+# Function to install and configure auditd
+configure_auditd() {
+  log_message "INFO" "Installing and configuring auditd"
+  
+  # Install auditd if not already installed
+  if ! is_package_installed "auditd"; then
+    apt-get install -y auditd audispd-plugins
+    
+    if [ $? -ne 0 ]; then
+      log_message "ERROR" "Failed to install auditd"
+      return 1
+    fi
+  else
+    log_message "INFO" "auditd is already installed"
+  fi
+  
+  # Configure auditd
+  local AUDIT_RULES="/etc/audit/rules.d/audit.rules"
+  
+  log_message "INFO" "Creating audit rules"
+  backup_file "$AUDIT_RULES"
+  
+  cat > "$AUDIT_RULES" << 'EOF'
+# Audit configuration
+# Hardened audit rules
+
+# Delete all existing rules
+-D
+
+# Set buffer size
+-b 8192
+
+# Failure mode: 1=silent, 2=printk
+-f 1
+
+# Enable kernel auditing
+-e 1
+
+# Authentication and authorization
+-w /etc/pam.d/ -p wa -k pam
+-w /etc/nsswitch.conf -p wa -k nsswitch
+-w /etc/shadow -p wa -k shadow
+-w /etc/passwd -p wa -k passwd
+-w /etc/group -p wa -k group
+-w /etc/sudoers -p wa -k sudoers
+-w /etc/sudoers.d/ -p wa -k sudoers
+
+# System startup and shutdown
+-w /sbin/shutdown -p x -k power
+-w /sbin/reboot -p x -k power
+-w /sbin/halt -p x -k power
+
+# Kernel modules
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+
+# User, group, password modifications
+-w /usr/sbin/useradd -p x -k user_modification
+-w /usr/sbin/userdel -p x -k user_modification
+-w /usr/sbin/usermod -p x -k user_modification
+-w /usr/sbin/groupadd -p x -k group_modification
+-w /usr/sbin/groupdel -p x -k group_modification
+-w /usr/sbin/groupmod -p x -k group_modification
+-w /usr/bin/passwd -p x -k password_modification
+
+# Network configuration
+-w /etc/network/ -p wa -k network
+-w /etc/sysconfig/network -p wa -k network
+-w /etc/hosts -p wa -k hosts
+-w /etc/hostname -p wa -k hostname
+
+# System time changes
+-a always,exit -F arch=b64 -S settimeofday -S adjtimex -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S settimeofday -S adjtimex -S clock_settime -k time-change
+
+# Suspicious activities
+-w /usr/bin/wget -p x -k suspicious_activity
+-w /usr/bin/curl -p x -k suspicious_activity
+-w /usr/bin/base64 -p x -k suspicious_activity
+-w /bin/nc -p x -k suspicious_activity
+-w /bin/netcat -p x -k suspicious_activity
+-w /usr/bin/ncat -p x -k suspicious_activity
+-w /usr/bin/ssh -p x -k suspicious_activity
+-w /usr/bin/socat -p x -k suspicious_activity
+-w /usr/bin/wireshark -p x -k suspicious_activity
+-w /usr/bin/tshark -p x -k suspicious_activity
+
+# Command execution
+-a always,exit -F arch=b64 -S execve -k exec
+-a always,exit -F arch=b32 -S execve -k exec
+
+# Privilege escalation
+-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation
+-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation
+EOF
+
+  log_message "SUCCESS" "Audit rules created at $AUDIT_RULES"
+  
+  # Restart auditd service
+  log_message "INFO" "Restarting auditd service"
+  service restart auditd 
+  
+  if [ $? -eq 0 ]; then
+    log_message "SUCCESS" "auditd service restarted successfully"
+  else
+    log_message "ERROR" "Failed to restart auditd service"
+    return 1
+  fi
+}
+
+# Main execution for auditing
+configure_auditd
+
+log_message "SUCCESS" "System auditing configuration completed"