From ef01ac22a1f13d8ac0119cd8d2f78cd00c647d2f Mon Sep 17 00:00:00 2001
From: Yuqing Yang
Date: Mon, 4 Dec 2023 09:51:16 +0800
Subject: [PATCH] Some scripts execute error fixes,Updated some script regular expressions.
Signed-off-by: Yuqing Yang
---
 ...sh-maxauthtries-is-set-to-between-3-and-5.sh | 4 ++--
 ...to-collect-file-deletion-events-for-users.sh | 17 +++++++++++++----
 ...em-management-scope-sudoers-are-collected.sh | 2 +-
 ...dify-user-group-information-are-collected.sh | 6 +++++-
 ...ce-layout-randomization-(ASLR)-is-enabled.sh | 2 +-
 ...58-ensure-a-firewall-package-is-installed.sh | 2 +-
 ...-firewalld-service-is-enabled-and-running.sh | 2 +-
 7 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
index 8ca715d..6209ca7 100644
--- a/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
+++ b/scanners/access-and-control/1.47-ensure-ssh-maxauthtries-is-set-to-between-3-and-5.sh
@@ -1,9 +1,9 @@
 result=false
-sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^maxauthtries\\s+[3-5] && grep -Eiq '^\s*maxauthtries\s+[3-5]' /etc/ssh/sshd_config && result=true
+sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Eiq ^maxauthtries\\s+[3-5]$ && grep -Eiq '^\s*maxauthtries\s+[3-5]$' /etc/ssh/sshd_config && result=true
 if [ "$result" = true ]; then
 echo "pass"
 else
 echo "fail"
-fi
+fi
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
index 3289838..10d2ec2 100644
--- a/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh
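Review bot: The `$` added to the file-side pattern `'^\s*maxauthtries\s+[3-5]$'` makes a `MaxAuthTries 4 ` line with trailing whitespace fail the check although sshd accepts it and the `sshd -T` half of the same line already confirms the effective value; on the `sshd -T` side the anchor is safe because that output is normalized. Use `grep -Eiq '^\s*maxauthtries\s+[3-5]\s*$' /etc/ssh/sshd_config`, or drop the file grep altogether, since it also cannot see a value set through `Include` under `/etc/ssh/sshd_config.d/` if the deployment uses that. Unchanged on this line but worth flagging: `addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')"` becomes empty or multi-line when the hostname is absent from or listed more than once in /etc/hosts, and `sshd -T` then fails for a reason unrelated to MaxAuthTries. The commit also drops the file's trailing newline (`\ No newline at end of file`); restore it.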
+++ b/scanners/logging-and-auditing/2.21-make-sure-to-collect-file-deletion-events-for-users.sh 
@@ -1,12 +1,21 @@
-result=false
+fileResult=false
+curResult=false
 if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then
-grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlinkat\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlinkat\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && result=true
+grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlinkat\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlinkat\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && fileResult=true
 else
-grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && result=true
+grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/rules.d/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b64\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && grep -Pq "\-a\salways\,exit\s\-F\sarch=b32\s\-S\sunlink\s\-S\sunlinkat\s\-S\srename\s\-S\srenameat\s\-F\sauid>=1000\s\-F\sauid!=4294967295\s-k\sdelete" /etc/audit/audit.rules && fileResult=true
 fi
-if [ "$result" = true ]; then
+
+
+if [[ `arch` == 'aarch64' ]] && [[ `uname -m` == 'aarch64' ]] ; then
+auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+unlinkat,renameat\s+-F\s+auid>=1000\s+-F\s+auid!=-1\s+-F\s+key=delete" && auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+unlink,rename,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && curResult=true
+else
+auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+rename,unlink,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && auditctl -l | grep -Pq "^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+unlink,rename,unlinkat,renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=-1\s+\-F\s+key=delete" && curResult=true
+fi
+
+if [[ $fileResult = true && $curResult == true ]]; then
 echo "pass"
 else
 echo "fail"
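Review bot: The new `auditctl -l` checks pin the exact normalized form the tool prints — the syscall order such as `rename,unlink,unlinkat,renameat`, `auid!=-1` and `key=delete` — so a rule that is loaded and equivalent but printed differently (an older audit userspace that still prints `auid!=4294967295`, I believe, or a rule that additionally covers `renameat2`) reports fail; at minimum accept both auid spellings with `auid!=(-1|4294967295)`. `auditctl -l` is run twice in each branch here and again in the 2.22 and 2.23 hunks; capture it once, `loaded=$(auditctl -l 2>/dev/null)`, and test with `grep -Pq "…" <<<"$loaded"`, which also keeps its stderr out of the scanner output when audit is not available. The aarch64 b64 pattern writes `-F` unescaped while every other pattern in the file writes `\-F`; pick one form. The final test `[[ $fileResult = true && $curResult == true ]]` mixes `=` and `==`; use `==` for both, and note the closing `fi` of that `if` lies outside the hunk.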
diff --git a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
index 61a6f43..284821b 100644
--- a/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
+++ b/scanners/logging-and-auditing/2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.sh
@@ -2,7 +2,7 @@ result=false
 grep -q "\-w /etc/sudoers -p wa -k scope
 -w /etc/sudoers.d/ -p wa -k scope" /etc/audit/rules.d/audit.rules && grep -q "\-w /etc/sudoers -p wa -k scope
--w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules && result=true
+-w /etc/sudoers.d/ -p wa -k scope" /etc/audit/audit.rules && auditctl -l | grep -Pq "^\-w\s+\/etc\/sudoers\s+\-p\s+wa\s+\-k\s+scope" && auditctl -l | grep -Pq "^\-w\s+\/etc\/sudoers.d\s+\-p\s+wa\s+\-k\s+scope" && result=true
 if [ "$result" = true ]; then
 echo "pass"
diff --git a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
index 9851c6a..ca019dd 100644
--- a/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
+++ b/scanners/logging-and-auditing/2.23-ensure-that-events-that-modify-user-group-information-are-collected.sh
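Review bot: In the new pattern `^\-w\s+\/etc\/sudoers.d\s+\-p\s+wa\s+\-k\s+scope` the `.` is unescaped and matches any character; write `sudoers\.d`, and the slashes need no escaping in PCRE: `auditctl -l | grep -Pq "^\-w\s+/etc/sudoers\.d\s+\-p\s+wa\s+\-k\s+scope"`. The pattern also assumes `auditctl -l` prints the directory watch without the trailing slash the rules file uses (`/etc/sudoers.d/`); confirm that on the target audit version, otherwise this check can never pass. The changed line is the tail of a `grep -q "…"` statement that begins on the context line above it, so the whole statement should be read together when editing it.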
@@ -8,7 +8,11 @@ grep -q "\-w /etc/group -p wa -k identity
 -w /etc/passwd -p wa -k identity
 -w /etc/gshadow -p wa -k identity
 -w /etc/shadow -p wa -k identity
--w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && result=true
+-w /etc/security/opasswd -p wa -k identity" /etc/audit/rules.d/*.rules && auditctl -l | grep -q "\-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity" && result=true
 if [ "$result" = true ]; then
 echo "pass"
diff --git a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
index ce6ffb4..0863d34 100644
--- a/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
+++ b/scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
@@ -1,6 +1,6 @@
 result=false
-sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && grep -Psq "^kernel\.randomize_va_space\s+=\s+2" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf && result=true
+sysctl kernel.randomize_va_space|grep -Psq "^kernel\.randomize\_va\_space\s+=\s+2$" && grep -Psq "^kernel\.randomize_va_space\s*=\s*2" /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf && result=true
 if [ "$result" = true ] ; then
 echo "pass"
diff --git a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
index a222e41..3754a3c 100644
--- a/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
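Review bot: The new `auditctl -l | grep -q "…"` pattern spans five lines, and grep treats a newline-separated pattern as five alternative patterns, so the runtime check passes as soon as any one of the five identity watches is loaded rather than requiring all of them (the file-side `grep -q` on the context lines above has the same property, though the commit does not touch it). The hunk starts inside that `grep -q "…"` statement; its first line is the heading shown after the `@@` marker. Test each watch on its own: `--` stops the leading `-w` from being parsed as an option, and `-Fx` requires the whole line to match, which assumes `auditctl -l` prints watches exactly as the rules file spells them — fall back to `grep -Pq` with `\s+` between fields if it does not.
```shell
# … unchanged: grep -q check against /etc/audit/rules.d/*.rules …
auditctl -l | grep -Fxq -- "-w /etc/group -p wa -k identity" \
  && auditctl -l | grep -Fxq -- "-w /etc/passwd -p wa -k identity" \
  && auditctl -l | grep -Fxq -- "-w /etc/gshadow -p wa -k identity" \
  && auditctl -l | grep -Fxq -- "-w /etc/shadow -p wa -k identity" \
  && auditctl -l | grep -Fxq -- "-w /etc/security/opasswd -p wa -k identity" && result=true
```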
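Review bot: The relaxed file-side pattern `^kernel\.randomize_va_space\s*=\s*2` has no end anchor, so any line whose value merely starts with `2` matches; the runtime pattern on the same line already ends in `$`, so mirror it: `grep -Psq "^kernel\.randomize_va_space\s*=\s*2\s*$" /run/sysctl.d/*.conf …`. The two patterns also differ cosmetically (`\_va\_space` versus `_va_space`); `\_` is just a literal underscore in PCRE, so both can be spelled the same way. When one of the six `*.conf` globs matches nothing, grep receives the literal glob as a filename and `-s` hides the resulting error while the other files still decide the outcome, which is fine as long as it stays deliberate.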
+++ b/scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
@@ -1,6 +1,6 @@
 result=""
-rpm -qa | grep -Psq "^iptables\-.*" && result=true
+rpm -qa | grep -Psq "^iptables\-.*" && rpm -qa | grep -Psq "^iptables\-services.*" && result=true
 [ -z "$result" ] && rpm -q nftables | grep -Psq "^nftables\-.*" && result=true
 [ -z "$result" ] && rpm -q firewalld | grep -Psq "^firewalld\-.*" && result=true
diff --git a/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh b/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
index feb7d86..ba60bf3 100644
--- a/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
+++ b/scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
@@ -1,6 +1,6 @@
 result=false
-systemctl is-enabled firewalld | grep -Psq "^enabled$" && firewall-cmd --state -q && result=true
+[[ $(systemctl list-unit-files | grep firewalld) ]] && systemctl is-enabled firewalld | grep -Psq "^enabled$" && firewall-cmd --state -q && result=true
 if [ "$result" = true ]; then
 echo "pass"
-- 
Gitee
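Review bot: The new line walks the whole package list twice with `rpm -qa | grep`, while the two lines directly beneath it already query one named package with `rpm -q <name>`; once `iptables-services` is required the first `^iptables\-.*` test is redundant (it is also satisfied by `iptables-libs`, which is present on most systems), and the trailing `.*` adds nothing. For consistency with the nftables and firewalld lines: `rpm -q iptables-services | grep -Psq "^iptables\-services\-" && result=true`.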
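Review bot: The added guard `[[ $(systemctl list-unit-files | grep firewalld) ]]` relies on an unquoted command substitution being non-empty and accepts any unit whose name merely contains `firewalld`; state the intent explicitly, `[[ -n "$(systemctl list-unit-files --no-legend firewalld.service)" ]]`, or drop the guard and write `systemctl is-enabled firewalld 2>/dev/null | grep -Psq "^enabled$"`, since `is-enabled` already exits non-zero for a unit that does not exist and the redirect removes the message the guard was presumably added to avoid. The `firewall-cmd --state -q` part is unchanged and fine.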