diff --git a/common.sh b/common.sh
index e27f7b3..7e26712 100644
--- a/common.sh
+++ b/common.sh
@@ -1,12 +1,13 @@
 # prefix for testing
 DESTDIR="${DESTDIR:-}"
-PWQUALITY_CONF_FILE="${DESTDIR}etc/security/pwquality.conf"
-INTERNAL_DIR="${DESTDIR}var/lib/linux-infosec-setupper"
+PWQUALITY_CONF_FILE="${DESTDIR}/etc/security/pwquality.conf"
+INTERNAL_DIR="${DESTDIR}/var/lib/linux-infosec-setupper"
 # /etc/audit/audit.rules is generated automatically from /etc/audit/rules.d/*,
 # do not edit it; also do not edit any other files, work only with ours,
 # assume that there are no other configs or they have lower priority
-AUDIT_RULES_FILE=${DESTDIR}etc/audit/rules.d/90-linux-infosec-setupper.rules
-AUDIT_DAEMON_CONFIG=${DESTDIR}etc/audit/auditd.conf
+AUDIT_RULES_FILE="${DESTDIR}/etc/audit/rules.d/90-linux-infosec-setupper.rules"
+AUDIT_DAEMON_CONFIG="${DESTDIR}/etc/audit/auditd.conf"
+AUDIT_DAEMON_SYSTEMD_OVERRIDE="${DESTDIR}/etc/systemd/system/auditd.service.d/90-linux-infosec-setupper-auditd-firewall.conf"
 # validate email, https://stackoverflow.com/a/2138832, https://stackoverflow.com/a/41192733
 REGEX_EMAIL="^[a-z0-9!#\$%&'*+/=?^_\`{|}~-]+(\.[a-z0-9!#$%&'*+/=?^_\`{|}~-]+)*@([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?\$"
diff --git a/mikhailnov.sh b/mikhailnov.sh
index 3b30d55..5524379 100755
--- a/mikhailnov.sh
+++ b/mikhailnov.sh
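Review bot: The new AUDIT_DAEMON_SYSTEMD_OVERRIDE constant carries no comment, while the audit-rules constants directly above explain their ownership and editing policy; a maintainer should be told the same for this file. Suggested comment above the assignment: `# systemd drop-in for auditd.service; owned by this tool and rewritten wholesale by _mk_systemd_auditd_override (mikhailnov.sh), only IPAddressAllow=/IPAddressDeny= lines belong here`. All the rebuilt paths now assume DESTDIR has no trailing slash (a slash-terminated value yields `//etc/...`, harmless but worth stating next to the `DESTDIR` default: `# DESTDIR: optional root prefix without trailing slash`).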
@@ -42,6 +42,68 @@ _audit_action_config(){
 return "$l_failed"
 }
 
+_mk_systemd_auditd_override(){
+ local do_verify=1
+ if [ -z "$DESTDIR" ]; then do_verify=0; fi
+ # --IPAddressAllow=xxx --IPAddressDeny=xxx may be specified multiple times
+ local IPAddressAllow=""
+ local IPAddressDeny=""
+ while [ -n "$1" ]
+ do
+ case "$1" in
+ "--verify-disable" )
+ do_verify=0
+ ;;
+ "--IPAddressAllow" )
+ shift
+ IPAddressAllow="${IPAddressAllow} $1"
+ ;;
+ "--IPAddressDeny" )
+ shift
+ IPAddressDeny="${IPAddressDeny} $1"
+ ;;
+ esac
+ shift
+ done
+ local systemd_override_dir="$(dirname "$AUDIT_DAEMON_SYSTEMD_OVERRIDE")"
+ if ! mkdir -p "$systemd_override_dir" ; then
+ error $"Error creating directory %s" "$systemd_override_dir"
+ return 1
+ fi
+ cat > "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" << EOF
+[Service]
+$(for i in $IPAddressAllow
+do
+ echo "IPAddressAllow=$i"
+done)
+$(for i in $IPAddressDeny
+do
+ echo "IPAddressDeny=$i"
+done)
+EOF
+ # Make it work inside e.g. Anaconda module where $DESTDIR is not empty
+ # probably by copying the file to the root of the LiveCD.
+ # Detection of being run from Anaconda here is a prototype.
+ if [ "${I_AM_ANACONDA:-0}" != 0 ]; then
+ local cp_dst="$(echo "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" | sed -e "s,^${DESTDIR},,")"
+ if cp "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" "$cp_dst"
+ then
+ do_verify=1
+ else
+ error $"Error copying systemd override file %s to %s" "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" "$cp_dst"
+ return 1
+ fi
+ fi
+ if [ "$do_verify" = 1 ]; then
+ local systemd_analyze_result="$(systemd-analyze verify "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" 2>&1)"
+ if [ $? != 0 ]; then
+ error $"Systemd unit file auditd.service with setted up packet filtering has not passed verification!"
+ error $"The error was:"
+ error "$systemd_analyze_result"
+ fi
+ fi
+}
+
 # can be used to reset variables to default values after loading previously setted up ones
 _audit_variables(){
 failed=0
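Review bot: The verification branch at the end of `_mk_systemd_auditd_override` can never report anything: `local systemd_analyze_result="$(systemd-analyze verify ...)"` makes `$?` the exit status of `local`, which is always 0, so the following `if [ $? != 0 ]` is dead, and even if it fired the function would still return 0, so a drop-in that systemd rejects stays on disk while the caller sees success. Split the declaration from the assignment and propagate the result: `local systemd_analyze_result`, then `if ! systemd_analyze_result="$(systemd-analyze verify "$AUDIT_DAEMON_SYSTEMD_OVERRIDE" 2>&1)"; then`, and `return 1` after the three `error` calls. This is the security-relevant path of the change: an unparsable `IPAddressAllow=`/`IPAddressDeny=` line is, to my knowledge, logged and ignored by systemd rather than stopping the unit, so auditd would keep accepting connections from any address with no signal to the operator. Separately, `sed -e "s,^${DESTDIR},,"` interpolates `$DESTDIR` into a regex and misbehaves when the value contains `,` or regex metacharacters; the expansion `${AUDIT_DAEMON_SYSTEMD_OVERRIDE#"$DESTDIR"}` does the same strip safely, and the subsequent `cp` assumes the destination directory already exists on the target root, which the `mkdir -p` above does not guarantee.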
@@ -341,7 +403,13 @@ _mk_auditd_config(){
 # TODO: tcp_client_max_idle
 # TODO: kerberos authentication against a Kerberos/Samba/FreeIPA server
 # https://listman.redhat.com/archives/linux-audit/2019-April/msg00110.html
+
+ "--systemd-firewalling-params" )
+ shift
+ _mk_systemd_auditd_override "$1"
+ ;;
 esac
+ shift
 if [ "$failed" != 0 ]; then
 error $"Errors occured when trying to understand how to configure auditd"
 return 1
diff --git a/mikhailnov_test.sh b/mikhailnov_test.sh
index e69de29..1fff67f 100755
--- a/mikhailnov_test.sh
+++ b/mikhailnov_test.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -x
+set -e
+
+failed=0
+tmpdir="$(mktemp -d)"
+DESTDIR="$tmpdir"
+echo "TMP DIR: $tmpdir"
+. ./mikhailnov.sh
+
+_exit(){
+ # Catch exit != 0 from functions (fatal errors)
+ if [ $? != 0 ]; then
+ failed=$((++failed))
+ fi
+ if [ "$failed" -gt 0 ]; then
+ echo "FAILED TESTS: $failed"
+ exit 1
+ fi
+}
+trap _exit EXIT ERR
+
+_main(){
+ { _mk_systemd_auditd_override --verify-disable --IPAddressDeny "any" --IPAddressAllow "192.168.10.1/24" && \
+ [ "$(md5sum "${DESTDIR}"/etc/systemd/system/auditd.service.d/90-linux-infosec-setupper-auditd-firewall.conf | awk '{print $1}')" = 4088ff9965f0a09f97656646e2f8487a ] ;} || \
+ { echo failed test 1; failed="$((++failed))"; }
+ { _mk_systemd_auditd_override --verify-disable --IPAddressDeny "any" --IPAddressAllow "192.168.10.1/24" --IPAddressAllow "192.168.20.1" && \
+ [ "$(md5sum "${DESTDIR}"/etc/systemd/system/auditd.service.d/90-linux-infosec-setupper-auditd-firewall.conf | awk '{print $1}')" = 328a21120354f2d2ab8888ebffb54fac ] ;} || \
+ { echo failed test 1; failed="$((++failed))"; }
+}
+
+_main
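Review bot: `_mk_systemd_auditd_override "$1"` hands the whole option value to the callee as one word, but that function only recognises exact `--IPAddressAllow`/`--IPAddressDeny`/`--verify-disable` tokens through `case "$1"`, so a value like `--IPAddressDeny any --IPAddressAllow 192.168.10.0/24` matches nothing, an empty `[Service]` drop-in is written and auditd is left unrestricted while the call reports success; the new test script calls the function directly with separate words and so never exercises this path. If the value is meant to carry several switches, split it deliberately before the call (`read -r -a l_fw_args <<< "$1"` followed by `_mk_systemd_auditd_override "${l_fw_args[@]}"`), otherwise document that a single token is expected. The callee's non-zero return is also dropped, so the `if [ "$failed" != 0 ]` check right after `esac` never sees its errors; `_mk_systemd_auditd_override "${l_fw_args[@]}" || failed=1` keeps the existing convention. The enclosing `case` and its loop begin outside this hunk, so I cannot tell whether the added unconditional `shift` after `esac` double-shifts for arms that already consume their own argument.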
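Review bot: Both failure branches in `_main` print `failed test 1`, so a failing second case is misreported; the second should read `{ echo failed test 2; failed="$((++failed))"; }`. The tree created by `mktemp -d` is never removed, so every run leaves a directory behind; add `rm -rf -- "${tmpdir:?}"` to `_exit` after its `$?` check (the status must be read on the first line, any earlier command clobbers it). Asserting on md5sums makes a failure opaque, as the log shows only that the hash differs; comparing the generated file against an expected here-document with `diff` would show which `IPAddress*` line went wrong, and `set -e` combined with `trap _exit EXIT ERR` means the ERR trap can fire for the same failure the `||` branch already counted, inflating `failed`.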