####### START OF stig_audit_check.sh ####### #!/bin/ksh # # This scripta does the following checks/tasks: # 1). Check if audit is turned on; # 2). Check if the special audit event class, called stig_aud_class, is defined, # and contains all the audit events that need to be auditted for STIG; # 3). Check if stig_aud_class is assigned to each/every users's auditclasses attribute # # If all the checks are passed, this script does not display any messages. # # If any of the checks is not passed, this script will display a message for each non-passed # item, and display "This is a finding" before exiting. # RTN=0 audit query | grep "auditing on" > /dev/null if [[ $? -ne 0 ]]; then echo "audit is off" RTN=1 fi audit query | grep stig_aud_class > /dev/null if [[ $? -ne 0 ]]; then echo "audit event class stig_aud_class is not defined" RTN=2 fi for i in ACCT_Disable ACCT_Enable AT_JobAdd AT_JobRemov AUD_CONFIG_WR AUTH_Change BACKUP_Export CMD_Change CRON_Finish CRON_JobAdd CRON_JobRemove CRON_Start CRON_Stop DEV_Change DEV_Configure DEV_Create DEV_Remove DEV_Start DEV_Stop DEV_Unconfigure Domain_Change FILE_Acl FILE_Chpriv FILE_Fchpriv FILE_Fmode FILE_Fowner FILE_Link FILE_Mknod FILE_Mode FILE_Open FILE_Owner FILE_Pipe FILE_Privilege FILE_Rename FILE_Unlink FS_Chroot FS_Mkdir FS_Mount FS_Rmdir FS_Unmout GROUP_Adms GROUP_Change GROUP_User INIT_End INIT_Start KST_Change LPA_Change PASSWORD_Change PASSWORD_Check PASSWORD_Flags PFILE_Change PFILE_Remove PORT_Change PROC_Adjtime PROC_Execute PROC_Kill PROC_Privilege PROC_RealGID PROC_RealUID PROC_SetUserIDs PROC_Setpgid PROC_Settimer PROC_Sysconfig RESTORE_import ROLE_Change SEM_Create SEM_Delete SHM_Create SHM_Open TCB_Exec TCB_Leak TCB_Mod TCP_kaccept TCP_kbind TCP_kconnect TCP_ksocket USER_Change USER_Chpass USER_Create USER_Exit USER_Locked USER_Login USER_Logout USER_Reboot USER_Remove USER_SU USER_SetEnv USER_SetGroups USER_Unlocked do audit query | grep stig_aud_class | grep $i > /dev/null if [[ $? -ne 0 ]]; then echo $i " not found in stig_aud_class audit class" RTN=3 fi done lsuser -a auditclasses ALL | while read line do if [[ ! -z "$line" ]]; then echo $line | grep stig_aud_class > /dev/null if [[ $? -ne 0 ]]; then USER=`echo $line | cut -d " " -f 1` echo $USER "- auditclasses does not include the stig_aud_class audit class" RTN=4 fi else echo "Found an empty line" fi done if [[ $RTN -ne 0 ]]; then echo echo "This is a finding." echo fi ####### END OF stig_audit_check.sh #######