#!/bin/bash
# =============================================================================
# System auditing configuration module
#
# Installs auditd, writes a hardened rule set to /etc/audit/rules.d/audit.rules
# and activates it by (re)loading auditd. Needs root and an apt-based
# (Debian/Ubuntu) host, and expects common.sh (log_message,
# is_package_installed, backup_file) to sit next to this file.
# =============================================================================
# Set script directory
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
# Source common functions and variables
|
|
source "./common.sh"
|
|
|
|
# Function to install and configure auditd
|
|
configure_auditd() {
|
|
log_message "INFO" "Installing and configuring auditd"
|
|
|
|
# Install auditd if not already installed
|
|
if ! is_package_installed "auditd"; then
|
|
apt-get install -y auditd audispd-plugins
|
|
|
|
if [ $? -ne 0 ]; then
|
|
log_message "ERROR" "Failed to install auditd"
|
|
return 1
|
|
fi
|
|
else
|
|
log_message "INFO" "auditd is already installed"
|
|
fi
|
|
|
|
# Configure auditd
|
|
local AUDIT_RULES="/etc/audit/rules.d/audit.rules"
|
|
|
|
log_message "INFO" "Creating audit rules"
|
|
backup_file "$AUDIT_RULES"
|
|
|
|
cat > "$AUDIT_RULES" << 'EOF'
|
|
# Audit configuration
|
|
# Hardened audit rules
|
|
|
|
# Delete all existing rules
|
|
-D
|
|
|
|
# Set buffer size
|
|
-b 8192
|
|
|
|
# Failure mode: 1=silent, 2=printk
|
|
-f 1
|
|
|
|
# Enable kernel auditing
|
|
-e 1
|
|
|
|
# Authentication and authorization
|
|
-w /etc/pam.d/ -p wa -k pam
|
|
-w /etc/nsswitch.conf -p wa -k nsswitch
|
|
-w /etc/shadow -p wa -k shadow
|
|
-w /etc/passwd -p wa -k passwd
|
|
-w /etc/group -p wa -k group
|
|
-w /etc/sudoers -p wa -k sudoers
|
|
-w /etc/sudoers.d/ -p wa -k sudoers
|
|
|
|
# System startup and shutdown
|
|
-w /sbin/shutdown -p x -k power
|
|
-w /sbin/reboot -p x -k power
|
|
-w /sbin/halt -p x -k power
|
|
|
|
# Kernel modules
|
|
-w /sbin/insmod -p x -k modules
|
|
-w /sbin/rmmod -p x -k modules
|
|
-w /sbin/modprobe -p x -k modules
|
|
|
|
# User, group, password modifications
|
|
-w /usr/sbin/useradd -p x -k user_modification
|
|
-w /usr/sbin/userdel -p x -k user_modification
|
|
-w /usr/sbin/usermod -p x -k user_modification
|
|
-w /usr/sbin/groupadd -p x -k group_modification
|
|
-w /usr/sbin/groupdel -p x -k group_modification
|
|
-w /usr/sbin/groupmod -p x -k group_modification
|
|
-w /usr/bin/passwd -p x -k password_modification
|
|
|
|
# Network configuration
|
|
-w /etc/network/ -p wa -k network
|
|
-w /etc/sysconfig/network -p wa -k network
|
|
-w /etc/hosts -p wa -k hosts
|
|
-w /etc/hostname -p wa -k hostname
|
|
|
|
# System time changes
|
|
-a always,exit -F arch=b64 -S settimeofday -S adjtimex -S clock_settime -k time-change
|
|
-a always,exit -F arch=b32 -S settimeofday -S adjtimex -S clock_settime -k time-change
|
|
|
|
# Suspicious activities
|
|
-w /usr/bin/wget -p x -k suspicious_activity
|
|
-w /usr/bin/curl -p x -k suspicious_activity
|
|
-w /usr/bin/base64 -p x -k suspicious_activity
|
|
-w /bin/nc -p x -k suspicious_activity
|
|
-w /bin/netcat -p x -k suspicious_activity
|
|
-w /usr/bin/ncat -p x -k suspicious_activity
|
|
-w /usr/bin/ssh -p x -k suspicious_activity
|
|
-w /usr/bin/socat -p x -k suspicious_activity
|
|
-w /usr/bin/wireshark -p x -k suspicious_activity
|
|
-w /usr/bin/tshark -p x -k suspicious_activity
|
|
|
|
# Command execution
|
|
-a always,exit -F arch=b64 -S execve -k exec
|
|
-a always,exit -F arch=b32 -S execve -k exec
|
|
|
|
# Privilege escalation
|
|
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation
|
|
-a always,exit -F arch=b32 -S setuid -S setgid -k privilege_escalation
|
|
EOF
|
|
|
|
log_message "SUCCESS" "Audit rules created at $AUDIT_RULES"
|
|
|
|
# Restart auditd service
|
|
log_message "INFO" "Restarting auditd service"
|
|
service restart auditd
|
|
|
|
if [ $? -eq 0 ]; then
|
|
log_message "SUCCESS" "auditd service restarted successfully"
|
|
else
|
|
log_message "ERROR" "Failed to restart auditd service"
|
|
return 1
|
|
fi
|
|
}
# Main execution for auditing
|
|
configure_auditd
|
|
|
|
log_message "SUCCESS" "System auditing configuration completed" |