File: template_BASH_audit_rules_unsuccessful_file_modification

package info (click to toggle)
scap-security-guide 0.1.39-2
  • links: PTS, VCS
  • area: main
  • in suites: buster, sid
  • size: 31,836 kB
  • sloc: xml: 129,736; python: 7,462; sh: 3,796; makefile: 27
file content (28 lines) | stat: -rw-r--r-- 1,337 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# platform = Red Hat Enterprise Linux 7, multi_platform_fedora

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
	PATTERN="-a always,exit -F arch=$ARCH -S %NAME% -F exit=-EACCES.*"
	GROUP="access"
	FULL_RULE="-a always,exit -F arch=$ARCH -S %NAME% -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access"
	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=$ARCH -S %NAME% -F exit=-EPERM.*" 
        GROUP="access"
        FULL_RULE="-a always,exit -F arch=$ARCH -S %NAME% -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access"
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done