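#######################################
# Configure and (re)start auditd: tighten auditd.conf, ensure the kernel
# is booted with audit=1, assemble /etc/audit/audit.rules from the bundled
# header/footer plus the rule files listed in AUDITD_RULES, and enable the
# service. Skipped entirely inside an LXC container.
# Globals:
#   LXC           (read) "1" means running in a container -> no-op
#   SCRIPT_COUNT  (read/written) step counter, incremented on completion
#   AUDITDCONF    (read) path to auditd.conf
#   DEFAULTGRUB   (read) directory for GRUB default fragments
#   AUDITD_RULES  (read) whitespace-separated list of rule files to append
#   AUDITD_MODE   (read) value substituted into the "-f" failure-mode rule
#   AUDITRULES    (read) path the assembled rule file is copied to
#   VERBOSE       (read) "Y" prints the service status afterwards
# Arguments: none
# Outputs:   progress line on stdout; service status when VERBOSE=Y
# Returns:   0, or non-zero if a command fails under the caller's set -e
#######################################
function f_auditd {
  local rule_file

  if [[ $LXC == "1" ]]; then
    return
  fi

  printf '[%s] Auditd\n' "$SCRIPT_COUNT"

  # Notify root, halt when the admin threshold is hit, never rotate away logs,
  # and email when space runs low. "halt" is deliberately fail-closed: the box
  # stops rather than running unaudited.
  sed -i 's/^action_mail_acct =.*/action_mail_acct = root/' "$AUDITDCONF"
  sed -i 's/^admin_space_left_action = .*/admin_space_left_action = halt/' "$AUDITDCONF"
  sed -i 's/^max_log_file_action =.*/max_log_file_action = keep_logs/' "$AUDITDCONF"
  sed -i 's/^space_left_action =.*/space_left_action = email/' "$AUDITDCONF"

  # Only drops a GRUB fragment; regenerating the bootloader config is
  # presumably handled elsewhere in the script — confirm.
  # ${DEFAULTGRUB:?} refuses to write the fragment to "/" if the variable is
  # unset or empty.
  if ! grep -q 'audit=1' /proc/cmdline; then
    printf '%s\n' 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX audit=1 audit_backlog_limit=8192"' \
      > "${DEFAULTGRUB:?}/99-hardening-audit.cfg"
  fi

  # Assemble the rule file: header, each listed rule file, then footer.
  cp "./misc/audit.header" /etc/audit/audit.rules
  # shellcheck disable=SC2086 — AUDITD_RULES is intentionally word-split.
  for rule_file in $AUDITD_RULES; do
    cat "$rule_file" >> /etc/audit/audit.rules
  done
  cat "./misc/audit.footer" >> /etc/audit/audit.rules

  # NOTE(review): the pattern is unanchored, so any line containing "-f"
  # (e.g. inside a watched path) would be rewritten as well; anchoring to
  # '^-f ' would be safer if every failure-mode line in the assembled file
  # starts that way — confirm against misc/audit.footer.
  sed -i "s/-f.*/-f $AUDITD_MODE/g" /etc/audit/audit.rules
  cp /etc/audit/audit.rules "$AUDITRULES"

  systemctl enable auditd
  systemctl restart auditd.service

  if [[ $VERBOSE == "Y" ]]; then
    systemctl status auditd.service --no-pager
    printf '\n'
  fi

  # Arithmetic assignment instead of (( SCRIPT_COUNT++ )): the latter returns
  # 1 when the counter is 0 and would trip a caller's set -e.
  SCRIPT_COUNT=$((SCRIPT_COUNT + 1))
}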