####### START OF stig_audit_check.sh #######

#!/bin/ksh
#
# This script does the following checks/tasks:
#	1).	Check if audit is turned on;
#	2).	Check if the special audit event class, called stig_aud_class, is defined, 
#		and contains all the audit events that need to be audited for STIG;
#	3).	Check if stig_aud_class is assigned to each/every user's auditclasses attribute
#
# 	If all the checks are passed, this script does not display any messages.
#
# 	If any of the checks fails, this script displays a message for each failed
# 	check, and displays "This is a finding" before exiting.
#

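# Result code.  0 = every check passed; otherwise the code of the LAST check
# that failed (1 = audit off, 2 = class missing, 3 = event missing,
# 4 = user not assigned).  A later failure overwrites an earlier code, so the
# value identifies the last failing step, not the full set of failures.
RTN=0

# ----- 1) the audit subsystem must be running --------------------------------
# "audit query" reports "auditing on" when auditing is active; anything else
# (including "audit" being absent) is treated as "off".
if ! audit query | grep "auditing on" > /dev/null; then
	echo "audit is off"
	RTN=1
fi

# ----- 2) the stig_aud_class class must exist and list every required event --
# Capture the class definition line(s) once instead of re-running
# "audit query" for every event in the list below.
CLASS_DEF=$(audit query | grep stig_aud_class)

# grep succeeds exactly when it printed at least one (non-empty) matching line,
# so an empty capture means the class is not defined.
if [[ -z "$CLASS_DEF" ]]; then
	echo "audit event class stig_aud_class is not defined"
	RTN=2
fi

# Every event below must appear in the captured class definition.
# NOTE(review): some spellings here (e.g. AT_JobRemov, FS_Unmout) look
# truncated or mistyped; confirm them against the audit events list on the
# target system if a check never passes.
for event in \
	ACCT_Disable ACCT_Enable AT_JobAdd AT_JobRemov AUD_CONFIG_WR AUTH_Change \
	BACKUP_Export CMD_Change CRON_Finish CRON_JobAdd CRON_JobRemove CRON_Start \
	CRON_Stop DEV_Change DEV_Configure DEV_Create DEV_Remove DEV_Start DEV_Stop \
	DEV_Unconfigure Domain_Change FILE_Acl FILE_Chpriv FILE_Fchpriv FILE_Fmode \
	FILE_Fowner FILE_Link FILE_Mknod FILE_Mode FILE_Open FILE_Owner FILE_Pipe \
	FILE_Privilege FILE_Rename FILE_Unlink FS_Chroot FS_Mkdir FS_Mount FS_Rmdir \
	FS_Unmout GROUP_Adms GROUP_Change GROUP_User INIT_End INIT_Start KST_Change \
	LPA_Change PASSWORD_Change PASSWORD_Check PASSWORD_Flags PFILE_Change \
	PFILE_Remove PORT_Change PROC_Adjtime PROC_Execute PROC_Kill PROC_Privilege \
	PROC_RealGID PROC_RealUID PROC_SetUserIDs PROC_Setpgid PROC_Settimer \
	PROC_Sysconfig RESTORE_import ROLE_Change SEM_Create SEM_Delete SHM_Create \
	SHM_Open TCB_Exec TCB_Leak TCB_Mod TCP_kaccept TCP_kbind TCP_kconnect \
	TCP_ksocket USER_Change USER_Chpass USER_Create USER_Exit USER_Locked \
	USER_Login USER_Logout USER_Reboot USER_Remove USER_SU USER_SetEnv \
	USER_SetGroups USER_Unlocked
do
	# Plain substring match (same leniency as the original "grep $i"):
	# an event name that is a prefix of a longer name is accepted as present.
	case "$CLASS_DEF" in
		*"$event"*)
			;;
		*)
			echo "$event" " not found in stig_aud_class audit class"
			RTN=3
			;;
	esac
done

# ----- 3) every user's auditclasses attribute must include stig_aud_class ----
# The user list is captured first and fed to the loop through a here-document
# rather than a pipeline, so the RTN assignment inside the loop is visible
# afterwards in every shell (a pipeline stage may run in a subshell in bash;
# ksh happens to run the last stage in the current shell).
# "lsuser" output is one user per line: "<name> auditclasses=<classes>", or
# just "<name>" when the attribute is not set -- the latter is also flagged.
USER_ATTRS=$(lsuser -a auditclasses ALL)

if [[ -n "$USER_ATTRS" ]]; then
	# read -r keeps backslashes literal; default IFS trims surrounding blanks
	# like the original read did.
	while read -r line; do
		if [[ -n "$line" ]]; then
			case "$line" in
				*stig_aud_class*)
					;;
				*)
					# First whitespace-separated word is the user name.
					# Lower-case name so the environment's USER is not clobbered.
					user=${line%% *}
					echo "$user" "- auditclasses does not include the stig_aud_class audit class"
					RTN=4
					;;
			esac
		else
			echo "Found an empty line"
		fi
	done <<EOF
$USER_ATTRS
EOF
fi

if [[ $RTN -ne 0 ]]; then
	echo
	echo "This is a finding."
	echo
fi

# Propagate the result so callers (cron jobs, compliance wrappers) can act on
# the exit status instead of parsing the output.
exit $RTN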

####### END OF stig_audit_check.sh #######
