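#!/bin/bash
# =============================================================================
# System auditing configuration module
#
# Installs auditd (if missing), writes a hardened rule set to
# /etc/audit/rules.d/audit.rules and restarts auditd so the rules take effect.
# Relies on log_message, is_package_installed and backup_file from common.sh.
# Must run as root: it installs packages and writes under /etc/audit.
# =============================================================================

# Directory this script lives in, so common.sh resolves regardless of the
# caller's working directory (the original sourced "./common.sh", which only
# worked when invoked from this directory).
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Source common functions and variables
# shellcheck source=./common.sh
source "${SCRIPT_DIR}/common.sh"

#######################################
# Write the audit rule set to the given file (overwrites it).
# Arguments: $1 - path of the rules file to write
# Outputs:   nothing on stdout
# Returns:   cat's status (non-zero if the file could not be written)
#
# Notes on the rule set:
#  - "-e 1" enables auditing; "-e 2" would additionally lock the rules until
#    reboot, which is stricter but would stop this script from updating them
#    later.
#  - "-f 1" makes the kernel printk on audit failure (0 = silent, 2 = panic).
#  - the execve rules record every process execution and produce a large
#    event volume; size auditd's log rotation (auditd.conf) accordingly.
#######################################
write_audit_rules() {
  local -r target=$1
  cat > "$target" << 'EOF'
# Audit configuration
# Hardened audit rules

# Delete all existing rules
-D

# Set buffer size
-b 8192

# Failure mode: 0=silent, 1=printk, 2=panic
-f 1

# Enable kernel auditing
-e 1

# Authentication and authorization
-w /etc/pam.d/ -p wa -k pam
-w /etc/nsswitch.conf -p wa -k nsswitch
-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd
-w /etc/group -p wa -k group
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

# System startup and shutdown
-w /sbin/shutdown -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power

# Kernel modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules

# User, group, password modifications
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/userdel -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupdel -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/bin/passwd -p x -k password_modification

# Network configuration
-w /etc/network/ -p wa -k network
-w /etc/sysconfig/network -p wa -k network
-w /etc/hosts -p wa -k hosts
-w /etc/hostname -p wa -k hostname

# System time changes
-a always,exit -F arch=b64 -S settimeofday -S adjtimex -S clock_settime -k time-change
-a always,exit -F arch=b32 -S settimeofday -S adjtimex -S clock_settime -k time-change

# Suspicious activities
-w /usr/bin/wget -p x -k suspicious_activity
-w /usr/bin/curl -p x -k suspicious_activity
-w /usr/bin/base64 -p x -k suspicious_activity
-w /bin/nc -p x -k suspicious_activity
-w /bin/netcat -p x -k suspicious_activity
-w /usr/bin/ncat -p x -k suspicious_activity
-w /usr/bin/ssh -p x -k suspicious_activity
-w /usr/bin/socat -p x -k suspicious_activity
-w /usr/bin/wireshark -p x -k suspicious_activity
-w /usr/bin/tshark -p x -k suspicious_activity

# Command execution
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec

# Privilege escalation
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation
EOF
}

#######################################
# Install auditd if needed, install the audit rule set and restart auditd.
# Globals:   none written; calls log_message, is_package_installed,
#            backup_file (from common.sh)
# Arguments: none
# Outputs:   progress messages via log_message
# Returns:   0 on success; 1 if package install, rule write or restart fails
#######################################
configure_auditd() {
  local -r rules_file="/etc/audit/rules.d/audit.rules"

  log_message "INFO" "Installing and configuring auditd"

  # Install auditd if not already installed
  if is_package_installed "auditd"; then
    log_message "INFO" "auditd is already installed"
  elif ! apt-get install -y auditd audispd-plugins; then
    log_message "ERROR" "Failed to install auditd"
    return 1
  fi

  # Keep a copy of the previous rule file before overwriting it. The write is
  # checked explicitly: the original ignored a failed redirect and went on to
  # restart the service with whatever rules were already on disk.
  log_message "INFO" "Creating audit rules"
  backup_file "$rules_file"
  if ! write_audit_rules "$rules_file"; then
    log_message "ERROR" "Failed to write audit rules to $rules_file"
    return 1
  fi
  log_message "SUCCESS" "Audit rules created at $rules_file"

  # Restart auditd so the new rules are loaded. The syntax is
  # "service <name> <action>"; the original "service restart auditd" had the
  # arguments reversed and could never succeed. The service wrapper is used
  # deliberately because auditd commonly refuses a direct "systemctl restart".
  log_message "INFO" "Restarting auditd service"
  if service auditd restart; then
    log_message "SUCCESS" "auditd service restarted successfully"
  else
    log_message "ERROR" "Failed to restart auditd service"
    return 1
  fi
}

# log_message "SCRIPT" "auditing.sh"

# Main execution for auditing. Propagate the function's failure as the
# script's exit status so callers (and set -e in a parent) can react to it.
if configure_auditd; then
  log_message "SUCCESS" "System auditing configuration completed"
else
  exit 1
fi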