auditd-generate-rule.sh
#!/bin/sh
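#######################################
# Turn a newline-separated list of paths on stdin into auditd watch rules.
# Arguments:
#   $1 - permission flags for -p (r, w, x, a or a combination)
#   $2 - key for -k, used to find the matching events in the audit log
# Inputs:  one path per line on stdin; blank lines are skipped
# Outputs: one "-w PATH -p PERMS -k KEY" line per input path on stdout
#######################################
generate_file_rule () {
  filepermissions="${1}"
  rulename="${2}"
  # IFS= keeps leading/trailing blanks in the path, -r keeps backslashes
  # literal; the || branch still handles a last line with no trailing newline.
  while IFS= read -r filename || [ -n "${filename}" ]
  do
    # An empty path would produce an invalid "-w  -p ..." rule.
    [ -n "${filename}" ] || continue
    printf -- "-w %s -p %s -k %s\n" "${filename}" "${filepermissions}" "${rulename}"
  done
}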
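# The rest of the script needs root: chown of the decoy, netstat -p for other
# users' sockets and readlink on /proc/PID/{exe,cwd} of other users' processes
# all fail silently otherwise, and the affected keys simply get no rules.

#######################################
# Print the target of /proc/PID/$1 for every PID read from stdin, one per
# line, deduplicated. The " (deleted)" marker the kernel appends when the
# target has been unlinked is stripped. Blank lines, netstat's "-"
# placeholder and processes that have gone away are skipped silently.
# Arguments: $1 - link name under /proc/PID (exe or cwd)
#######################################
proc_link_targets () {
  link="${1}"
  while IFS= read -r processid
  do
    case "${processid}" in
      ''|*[!0-9]*) continue ;;
    esac
    target="$(readlink -- "/proc/${processid}/${link}" 2>/dev/null)" || continue
    printf '%s\n' "${target% (deleted)}"
  done | sort -u
}

#######################################
# PIDs of processes whose effective user is root, one per line. Matching the
# user column exactly avoids the "ps | grep root" substring matches on
# command lines and on other users whose name merely contains "root".
#######################################
root_pids () {
  ps -eo pid=,user= 2>/dev/null | awk '$2 == "root" { print $1 }' | sort -u
}

#######################################
# PIDs owning listening TCP sockets, one per line. Without root, netstat
# prints "-" instead of a PID for other users' sockets; those lines are
# dropped later by proc_link_targets.
#######################################
listen_pids () {
  netstat -anp 2>/dev/null | awk '/LISTEN/ && /tcp/ { split($7, owner, "/"); print owner[1] }' | sort -u
}

#######################################
# Home directories from /etc/passwd, deduplicated, one per line.
#######################################
home_dirs () {
  cut -d : -f 6 /etc/passwd | sort -u
}

# Decoy ("flag") files: a world-readable fake password file in /tmp and an
# empty setuid "sudo" in /usr/local/bin. Any read or execute of them is
# noise-free and gets its own key. The files are deliberately left behind so
# the watches have something to attach to; the $$ suffix only keeps runs apart.
flag1="/tmp/password.$$"
if touch "${flag1}" && chmod a+r "${flag1}"
then
  printf '%s\n' "${flag1}" | generate_file_rule r ts_flag1_read
fi
flag2="/usr/local/bin/sudo.$$"
# Only emit the rule once the decoy really exists with the intended bits.
if touch "${flag2}" && chown root:root "${flag2}" && chmod a+rx,u+s "${flag2}"
then
  printf '%s\n' "${flag2}" | generate_file_rule x ts_flag2_execute
fi

find / -type f -perm -u+s 2>/dev/null | generate_file_rule x ts_setuid_execute
find / -type f -perm -g+s 2>/dev/null | generate_file_rule x ts_setgid_execute
# Prune /proc and /sys in find itself instead of filtering "/proc/" and
# "/sys/" out of the output, so unrelated paths containing those strings
# are not lost. Note that sticky world-writable dirs such as /tmp are still
# included and produce a very chatty watch.
find / \( -path /proc -o -path /sys \) -prune -o \( -type f -o -type d \) -perm -o+w -print 2>/dev/null | generate_file_rule w ts_writable_write
# ";" rather than "&&" between the two finds: the first one returns non-zero
# whenever some directory is unreadable, which must not skip /var/log.
# sort -u drops the files found by both.
( find / -type f -iname "*.log" 2>/dev/null ; find /var/log -type f 2>/dev/null ) | sort -u | generate_file_rule r ts_logs_read

root_pids | proc_link_targets exe | generate_file_rule w ts_root_process_exe_write
root_pids | proc_link_targets cwd | generate_file_rule w ts_root_process_cwd_write
listen_pids | proc_link_targets exe | generate_file_rule w ts_listen_process_exe_write
listen_pids | proc_link_targets cwd | generate_file_rule w ts_listen_process_cwd_write

home_dirs | generate_file_rule w ts_home_write
home_dirs | generate_file_rule r ts_home_read
# Only existing ~/.ssh entries get a watch; auditd rejects watches on
# paths that do not exist.
home_dirs | while IFS= read -r homedir
do
  [ -e "${homedir}/.ssh" ] && printf '%s\n' "${homedir}/.ssh"
done | generate_file_rule w ts_ssh_write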