linux_audit_report

#!/bin/bash
##### UNCLASSIFIED ##########
## Written by Charlie Todd <zerolagtime@gmail.com>
## LICENSE: GPL 2.0
## Copyright 2019 by Charlie Todd

# Purpose: Satisfy auditing requirements on standalone Linux systems
#   Note that STIG-compliant auditing must be configured for these reports
#   to have meaningful data.
# Description:
#   If the user has sudo privilege on the system to execute the aureport command,
#   then "sudo aureport <options>" is run multiple times to produce a report
#   in the local folder.  If no reports exist, then an audit review is done
#   for the last $daysBack days.  If successful audit review reports are
#   in the same folder, then this audit review will be set to start from
#   the moment that last report was first started.  This should provide
#   continuous coverage in the event that an irregular schedule is followed.
LAR_VERSION="1.0.1"
reportFileOnly="$(date +%Y%m%d_%H%M%S)-${HOSTNAME/\.*/}-audit_report.txt"
reportLocation="$(dirname $0)/archive"
reportFile="$reportLocation/$reportFileOnly"
offlineArchiveFolder=""
daysBack=7
maxDaysBack=365
ME="${SUDO_USER:-$USER}"

MYTEMP=${TEMP:-/tmp/$ME}
if [ ! -d $MYTEMP ]; then
   mkdir $MYTEMP
   chown $USER $MYTEMP
   chmod 700 $MYTEMP
fi

function stderr { 
   echo "$*" 1>&2 
}

function usage {
   stderr "Usage: $(basename $0) [-y daysback] [-d archive_dir] [-f]"
   stderr "                      [-a offline_folder]"
   if [ "$1" == "long" ]; then
      stderr "Purpose: Generate a weekly report of all \"organization-defined\""
      stderr "         auditable events for CNSS 1253 and JSIG AU-2."
      stderr "         Also, it archives the supporting, raw audit events"
      stderr "         next to the report for easy archiving over NFS/SCP."
      stderr "Options:"
      stderr "  -y daysback            (default $daysBack)"
      stderr "     Start the review this many days back.  If left unset,"
      stderr "     the report starts $daysBack days ago, unless existing"
      stderr "     reports exist.  If existing reports exist, the most recent,"
      stderr "     and successful report will be used as the starting time"
      stderr "     so as to ensure continuous coverage back to the last report." 
      stderr "  -d archive_dir         (default $reportLocation)"
      stderr "     Directory to place reports and gzipped copies of audit"
      stderr "     records used to produce the report."
      stderr "  -a offline_folder      (default is no offline copies)"
      stderr "     A copy of the report and supporting logs will be copied here"
      stderr "     if the review is successful."
      stderr "  -f"
      stderr "     Force the script to keep exiting when checking on baseline"
      stderr "     configuration problems, which might normally cause the script"
      stderr "     to exit until the configuration is fixed.  Note that using"
      stderr "     force might compromise a future investigate when critical"
      stderr "     was not audited despite the requirement to do so."
   fi
   exit 1 
}

while getopts "hfy:d:a:" o; do
   case "${o}" in
      y) 
         daysBack=${OPTARG}
         [ -n "$daysBack" ] && [ "$daysBack" -ge 0 ] && \
         [ "$daysBack" -le $maxDaysBack ] || {
	    stderr "-y must be between 0 and $maxDaysBack";
	    usage
         }
	 ;;
      d)
         reportLocation=${OPTARG} 
         [ -n "$reportLocation" ] && [ -d "$reportLocation" ] && \
         [ -w "$reportLocation" ] || {
	    stderr "-d requires a writeable directory";
	    usage
         }
	 ;;
      f)
         force="yes"
         ;;
      a) 
         offlineArchiveFolder=${OPTARG}
         [ -n "$offlineArchiveFolder" ] && [ -d "$offlineArchiveFolder" ] && \
         [ -w "$offlineArchiveFolder" ] || {
            stderr "-a requires a writeable directory";
            usage
         }
         ;;
      h) usage long ;;
      *) usage long ;;
   esac
done
shift $((OPTIND-1))
# this really only applies to the default location as any
# user specified location must already exist
if [ ! -d "$reportLocation" ]; then
   mkdir "$reportLocation" || {
      stderr "Cannot create the directory $reportLocation.  Exiting"
      exit 1
   }
fi

CYAN=$(echo -e "\033[0;36m")
LCYAN=$(echo -e "\033[36m")
YELLOW=$(echo -e "\033[0;33m")
LYELLOW=$(echo -e "\033[33m")
LIGHT_CYAN=$(echo -e "\033[1;36m")
NO_COLOUR=$(echo -e "\033[0m")
RED=$(echo -e "\033[1;37m\033[40m")
BRED=$(echo -e "\033[1;37m\033[41m")
GREEN=$(echo -e "\033[1;37m\033[42m")

function checkLoggedInAsRoot {
   if [ "$USER" == "root" -a -z "$SUDO_USER" ]; then
       stderr "${RED}ALERT: This tools should be run as you.${NO_COLOUR}" 
       stderr "       Do not login in such a way that you use the root password." 
       stderr "       Exiting this script." 
       echo "ALERT: audit review aborted because the user did not log in as themselves" > $reportFile
       stderr "${YELLOW}Suggestion:${NO_COLOUR} If this report is part of an investigation,"
       stderr "       use the force option (-f) to run the report anyway."
       stderr "       Alternatively, just review the interpreted audit log with"
       stderr "          ausearch -ts 1/1/1970 --format text"
       stderr "       and draw your own conclusions."
       return 2
   fi
}


# if the user has sudo privileges, return 0.  Otherwise, return a non-zero value
# If they fail to authenticate, that also counts against them
function checkSudoPrivileges {
   allowed=$(/bin/sudo --prompt="Checking to see if you have sudo privileges.
[sudo] password for ${USER}: " --list )
   return $?
}

function AUREPORT {
   if [ $(whoami) != "root" ]; then
       /bin/sudo /usr/sbin/aureport $*
   else
       aureport $* 
   fi
   return $?
}

function AUSEARCH {
   if [ $(whoami) != "root" ]; then
       /bin/sudo /usr/sbin/ausearch $*
   else
       ausearch $* 
   fi
   return $?
}

function lpad {
   sed -e 's/^/    /g'
}

function colorizeAlerts {
set +x
   awk -v CYAN=${CYAN} -v RED=${RED} -v NC=${NO_COLOUR} \
         -v BRED=${BRED} '
       /^=======/ { print CYAN $0 NC; next }
       /WARNING/ { print RED $0 NC; next }
       /ERROR/   { print BRED $0 NC; next }
       { print $0 }
   '
}


function stripColors {
   sed -e 's/\x1b\[[^m]*m//g;' 
}

# log the message passed on the command line or piped in
# use -v to put a copy on the screen.  
# please use the wrapper logOnly or logBoth so that code blocks are clear
function colorizeLog {
   toScreen=0
   # who knew that overriding IFS on one line would persist across
   # the script and mess up parameter separation on $* arguments to functions
   oldIFS=${IFS}
   if [ "$1" == "-v" ]; then
      toScreen=1
      shift 1
   fi
   # two paths 
   if [ $# -gt 0 ]; then
      # first is if the message came in on the command line
      msg="$*"
      if [ $toScreen -eq 1 ] ; then
         echo "$msg" | colorizeAlerts
      else
         if [[ "$msg" == *"ERROR"* ]]; then
	    echo " ALERT!  An ERROR occurred.  Check the log for details." |\
	       colorizeAlerts
	 elif [[ "$msg" == *"WARNING"* ]]; then
	    echo " NOTICE!  A WARNING occurred.  Check the log for details." |\
	       colorizeAlerts
	 fi
      fi
      echo "$msg" | stripColors >> $reportFile 
   else 
      # second is the message is piped in
      # trick - without the 'IFS="";' bit, leading spaces are trimmed
      #         which zero's out the lpad function
      newline=$(echo)
      while IFS="";read -r line; do
         # but we need to trim the newline now...
         msg=${line/$newline/} 
         if [ $toScreen -eq 1 ] ; then
            echo "$msg" | colorizeAlerts
         else
            if [[ "$msg" == *"ERROR"* ]]; then
   	       echo " ALERT!  An ERROR occurred.  Check the log for details." |\
	          colorizeAlerts
   	    elif [[ "$msg" == *"WARNING"* ]]; then
   	       echo " NOTICE!  A WARNING occurred.  Check the log for details." |\
	          colorizeAlerts
   	    fi
         fi
         echo "$msg" | stripColors >> $reportFile 
      done
   fi
   return 0
}

# dump a message only to the log file
# you can pass a message on the command line or pipe in multiple lines of text
function logOnly {
   if [ $# -gt 0 ]; then
      colorizeLog "$*" 
   else
      colorizeLog 
   fi
}

# dump a message to the screen and log file
# you can pass a message on the command line or pipe in multiple lines of text
function logBoth {
   if [ $# -gt 0 ]; then
      colorizeLog -v "$*" 
   else
      colorizeLog -v
   fi
}
# use this function like this:
#    testImportantCondition || unlessForced || failAndExit
function unlessForced {
   if [ "$force" == "yes" ]; then
      logOnly "NOTICE: there were errors and the script was run with"
      logOnly "        the force (-f) option to continue anyway."
      logOnly "        Continued use of force may result in critical information"
      logOnly "        not being audited which may hinder a future investigation."
      return 0
   fi
   return 1
}

function getSudoOrExit {
   checkSudoPrivileges
   if [ $? -ne 0 ]; then
      logBoth "You have no sudo privileges, or don't know the password.  Exiting."
      exit 1
   fi
}

function getNewestReportDate {
   # returns a string in aureport friendly time format MM/DD/YYYY HH:MM:ss
   # unless --fileSafe is a parameter, in which case it is YYYYMMDD_hhmmss
   # note that newest file is this log file, so the second newest
   dateFormat="%m/%d/%Y %H:%M:%S"
   if [ "$1" == "--fileSafe" ]; then
       dateFormat="%Y%m%d_%H%M%S"
   fi
   files=$(cd "$reportLocation";
       /bin/ls -1t *-${HOSTNAME/\.*/}-audit_report.txt 2>/dev/null)
   for report in $files; do
       #logOnly "Evaluating $report for a potential starting time"
       tail -1 "$reportLocation/$report" 2>&1 | egrep --silent -e "Audit Review Complete"
       if [ $? -eq 0 ]; then
           #logOnly "Setting the audit start time from $report"
           # time since change in epoch seconds
           fileDate=$(stat -c %Z "$reportLocation/$report") ; 
           auditDate=$(date -d @$fileDate +"$dateFormat")
           echo "$auditDate"
	   return
       else
           :
           #logOnly "Ignoring this report which never completed: $report"
       fi
   done
   #output nothing if no reports exist
}

# getAuditStart provides an ausearch/aureport friendly date
# either starting at the last report or $daysBack days ago (default 7 days)
# Format looks like "mm/dd/yyyy hh:mm:ss"
function getAuditStart {
   startDate=$(getNewestReportDate) 
   if [ -z "$startDate" ]; then
       startDate=$(date -d "$daysBack days ago" +"%m/%d/%Y %H:%M:%S")
   fi
   echo "$startDate"
}

# getAuditStartFileSafe provides an ausearch/aureport friendly date
# either starting at the last report or $daysBack days ago (default 7 days)
# Format looks like "yyyymmdd_hhmmss"
function getAuditStartFileSafe {
   startDate=$(getNewestReportDate --fileSafe) 
   if [ -z "$startDate" ]; then
       startDate=$(date -d "$daysBack days ago" +"%Y%m%d_%H%M%S")
   fi
   echo "$startDate"
}
function getScriptChecksum {
   cksum=$(cat $0 | sha256sum )
   lastModified=$(stat -c%y $0)
   thisPath=$(dirname $0)
   if [ "$thisPath" == "." ]; then
      thisPath=$(pwd)
   fi
   echo "${LCYAN}This program:${NO_COLOUR}        ${thisPath}/$(basename $0) version $LAR_VERSION"
   echo "${LCYAN}This program checksum:${NO_COLOUR}     $cksum (SHA256)"
   echo "${LCYAN}This program lastmodified:${NO_COLOUR} $lastModified"
}

function failAndExit {
   logBoth "[ERROR]: There were problems with the last command.  Exit code $?"
   logBoth "         The audit review is **NOT COMPLETE**.  Exiting."
   exit 1
}


function quickAuditCheck {
   failures=0
   service auditd status 2>/dev/null >/dev/null
   if [ $? -ne 0 ]; then
      echo "ERROR: auditd is not running on this host"
      failures=$[ $failures + 1 ]
   fi
   numRecords=$(sudo egrep -e '^(-a|-w) ' /etc/audit/audit.rules | wc -l)
   numRules=$(sudo bash -c "egrep -e '^(-a|-w) ' /etc/audit/rules.d/*" | wc -l)
   if [ -z "$numRecords" -o -z "$numRules" -o "$numRecords" -ne "$numRules" ]; then
      numDiff=$[ $numRules - $numRecords ]
      echo "ERROR: There were $numDiff unparsed audit rules in /etc/audit/rules.d"
      echo "       so auditing may be incomplete."
      if [ $numDiff -lt 0 ]; then
         echo "NOTE: Since the number is negative, rules have been manually added"
         echo "      to /etc/audit/audit.rules which will not survive a reboot."
      fi
      failures=$[ $failures + 1 ]
   fi
   if [ -z "$numRecords" -o "$numRecords" -lt 100 ]; then
      echo "ERROR: auditd is not adequately configured on this host"
      echo "       please apply the stig-disa-7 profile with oscap"
      failures=$[ $failures + 1 ]
   fi
   echo "A quick check to see that all rules are being implemented found $failures problems."
   return $failures
}

# return 0 if the file watch is in place with the specified permissions
function auditRuleCheckWatch {
   auditctlOutput="$1"
   param2="$2"
   param3="$3"
   file="${param2:-/var/log/audit/audit.log}"
   perm="${param3:-ra}"
   echo "$actl" |egrep --silent -e "^-w \"?$file\"? -p $perm" 
   res=$?
   if [ $res -ne 0 ]; then
      echo "WARNING: $file is not being watched by the audit daemon"
   fi
   return $res
}
# return 0 if auditing is configured to watch 
# the audit log files
function checkAuditLogWatch {
   actl=$(sudo auditctl -l)
   if [ -n "${actl}" ]; then
      {
          auditRuleCheckWatch "${actl}" /var/log/audit/audit.log && \
          auditRuleCheckWatch "${actl}" /var/log/secure && \
          auditRuleCheckWatch "${actl}" /var/log/tallylog && \
          auditRuleCheckWatch "${actl}" /var/log/lastlog 
      } || {
          sampleFile="01-security_log.rules"
          cat > "$sampleFile" << EOF
# meet CNSS/JSIG AU-2.a.9 - Audit and security relevant log data accesses
-w /var/log/secure -p ra -k security_log
-w /var/log/lastlog -p ra -k security_log
-w /var/log/tallylog -p ra -k security_log
-w /var/log/wtmp -p ra -k security_log
-w /var/log/audit/audit.log -p ra  -k security_log
EOF
          echo "=== ERROR: audit is not configured to fully"
          echo "===        record AU-2, specifically AU-2.a.9"
          echo "===        Copy $sampleFile to /etc/audit/rules.d"
          echo "===        and restart the audit daemon with"
          echo "===          sudo mv $sampleFile /etc/audit/rules.d && sudo service auditd restart"
          echo "=== Quick audit configuration check complete "
          return 1
      }
   else
      echo "WARNING: Could not get a list of current audit rules"
      return 1
   fi
   echo "Audit rules exist to monitor access to security-relevant logs"
   return 0
}

# return 0 if the audit log produces enriched output, 1 if not.
# enriched output automatically translates system calls and usernames
# in the raw log format - this is ideal for post-incident, offline analysis 
function checkAuditLogEnriched {
   cFile="/etc/audit/auditd.conf"
   aconf=$(sudo cat $cFile)
   if [ -n "${aconf}" ]; then
      format=$(echo "$aconf" | egrep "^ *log_format" | sed -e 's/.*=[ ]*//')
      if [ "$format" == "ENRICHED" ]; then
         return 0
      fi
      echo "WARNING: Please change the audit log daemon to enrich its logs"
      echo "         as this radically simplifies forensic analysis."
      echo "         Type the following at a prompt (a backup is kept)"
      echo "            sudo sed --in-place=.bak \\"
      echo "               -e 's/log_format.*/log_format = ENRICHED/' \\"
      echo "               $cFile && \\"
      echo "               sudo restorecon $cFile && \\"
      echo "               sudo service auditd restart"
      sleep 15
      return 1
   else
      echo "ERROR: The audit daemon is missing its configuration file"
      return 1
   fi
}

function getUsersWithBurnPrivileges {
   opticalMedia=$(/bin/ls -1 /dev/sr[0-9]*)
   if [ -n "$opticalMedia" ]; then
      ( for device in $opticalMedia; do
         deviceGroup=$(stat --printf "%G" $device)
         usersInGroup=$(getent group $deviceGroup | cut -d: -f4)
         echo "$usersInGroup" | sed -e 's/,/\n/g'
      done ) | sort | uniq
   fi 
}

# if passed a list of files that need audit reports, then 
# produce raw audit records on stdout where those files
# are mentioned.  This is a workaround for the fact that
# ausearch doesn't honor the --file option multiple times
# for a logical "OR"
function ausearchFileList {
   tmpResults=$MYTEMP/ausearch.$$.txt
   for oneFile in $*; do
      AUSEARCH $auditDateOptions --file $oneFile --format raw >> $tmpResults 2>/dev/null
   done 
   sort -k 2 $tmpResults | uniq
   rm $tmpResults
}

# if the wodim or similar RPMs are installed, someone determined that optical 
# media reading and writing were permissible.  If they were installed recently,
# of if this is a new system, we may have not added the auditing of those 
# programs to this system and/or report, so we provide a sample file
# that can be added to /etc/audit.d/rules.d.  Subsequent runs will
# report on usage of those executables.  
# Assumption: rules to watch files files use the audit keyword "media"
#   and may need to be adjusted if another application adds these watches
#   to the audit rules
function reviewCdTools {
   mediaPackages=$(rpm -qa wodim genisoimage libisofs fuseiso)
   filesToWatch=$(rpm -ql $mediaPackages | egrep -e "(/bin/|lib.*\.so)")
   if [ -n "$filesToWatch" ]; then
      actl=$(sudo auditctl -l)
      echo "Note:             this system has tools to build ISOs, so"
      echo "                  files could be exfiltrated this way as a bundle."
      unauditedFiles=""
      for watch in $filesToWatch; do
         auditRuleCheckWatch "${actl}" $watch 
         if [ $? -ne 0 ]; then
            unauditedFiles="$unauditedFiles
-w \"$watch\" -p x -k media" 
         fi
      done
      if [ -z "$unauditedfiles" ]; then
         echo "WARNING: Optical media or image generation tools are not fully audited."
         sampleFile="02-media.rules"      
         if [ -f $sampleFile ]; then /bin/rm $sampleFile; fi
         # meet 800-53r4/JSIG AU-2.a.9 - Audit and security relevant log data accesses
         echo "# === improve CNSS/JSIG AU-2.a.3 Export/Write to digital media " >> $sampleFile
         echo "# === improve CNSS/JSIG AU-2.a.4 Import from digital media" >> $sampleFile
	 echo "$unauditedFiles">> $sampleFile
         echo "Suggestion:       create a watch on optical media tools "
         echo "                  by copying $sampleFile to /etc/audit.d/rules.d"
         echo "                     sudo mv $sampleFile /etc/audit/rules.d && \\"
         echo "                     sudo service auditd restart"
      fi
   fi
}

# for all of the vendor-provided packages that can read or write to
# media, report any time they were executed
function reviewCdActivity {
   mediaPackages=$(rpm -qa wodim genisoimage libisofs fuseiso)
   filesToWatch=$(rpm -ql $mediaPackages | egrep -e "(/bin/|lib.*\.so)")
   echo "=== ISO creation/burning tool usage"
   echo "Note that if there is a warning above, then the audit rules are"
   echo "not fully covered by audit rules. Reporting on the use of"
   echo "$(echo "$filesToWatch" | wc -l) files on the watch list."
   ausearchFileList $filesToWatch | AUSEARCH --format text
}

function daysBetween {
   sdateT="$1"
   edateT="$2"
   sdate=$(date --date="$sdateT" '+%s')
   edate=$(date --date="$edateT"   '+%s')
   days=$[ (edate - sdate) / 86400  ]
   echo "$days"
}

##############################################################################
##############################################################################
##############################################################################
##############################################################################
logBoth "=================================================" 
logBoth "${LCYAN}Audit review of:${NO_COLOUR}     ${HOSTNAME} on $(date)" 
logBoth "${LCYAN}Review conducted by:${NO_COLOUR} ${ME}"
logBoth "${LCYAN}This report:${NO_COLOUR}         $reportFileOnly" 
auditStart=$(getAuditStart)
auditEnd=$(date +"%m/%d/%Y %H:%M:%S")
archiveStart=$(getAuditStartFileSafe)
daysAgo=$(daysBetween "$auditStart" "$auditEnd" )
auditArchiveFile="$reportLocation/${HOSTNAME}-audit_archive-${archiveStart}_to_$(date +%Y%m%d_%H%M%S).log"
logBoth "${LCYAN}Earliest audit date:${NO_COLOUR} $auditStart ($daysAgo days ago)"
logBoth "${LCYAN}Latest audit date:${NO_COLOUR}   $auditEnd" 
logBoth "${LCYAN}Archive audit file:${NO_COLOUR}  $auditArchiveFile"
getScriptChecksum | logBoth
logBoth "=================================================" 
logBoth "" 
checkLoggedInAsRoot | logBoth || unlessForced || failAndExit
getSudoOrExit
auditDateOptions=" -ts $auditStart -te $auditEnd"
commonAuditOptions=" $auditDateOptions -i"

logBoth "================================================="
logBoth "=== Quick audit configuration check "
quickAuditCheck |lpad | logOnly|| unlessForced || failAndExit
checkAuditLogWatch | lpad | logOnly|| sleep 15
checkAuditLogEnriched | lpad | logOnly || unlessForced || failAndExit
logBoth "=== Quick audit configuration check complete "
logOnly "" 

logBoth "================================================="
logBoth "=== Archiving the audit records for integrity and to "
logBoth "===    only record one access while writing this report"
AUSEARCH $auditDateOptions --raw > $auditArchiveFile 
if [ $? -eq 0 ]; then
   logBoth "=== Archiving complete"
   auditDateOptions="$auditDateOptions -if $auditArchiveFile"
   commonAuditOptions=" $auditDateOptions -i"
   trap "echo \"Removing $auditArchiveFile on break\"; rm $auditArchiveFile; exit 2" 2 3 4 5 6 7 8 9 10 12 13 14
else 
   freeSpace=$(df -h --output=avail $(dirname $auditArchiveFile) | head -1 )
   logBoth "ERROR: Archiving FAILED.  Exiting. $freeSpace left in folder."
   failAndExit 
fi

logBoth "================================================="
logBoth "=== AUDIT REPORT: Summary "
logBoth "=== Description:  A brief overview of events "
AUREPORT $commonAuditOptions 2>&1 | lpad | logOnly || failAndExit
logOnly "=== AUDIT REPORT: Summary " 
logOnly "" 


logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Anomaly Events "
logBoth "=== Description:  Strange events that should rarely occur "
AUREPORT --anomaly $commonAuditOptions  2>&1 | lpad | logOnly || failAndExit
logOnly "=== AUDIT REPORT: Anomaly Events " 
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: User Authorizations (FAILED) "
logBoth "=== Description:  all events that show an account validation was"
logBoth "===               attempted, but failed"
logBoth "=== CNSS/JSIG:    AU-2.a.1.(1) Logons (Failure)"
AUREPORT --auth --failed $commonAuditOptions 2>&1  | lpad | logOnly || failAndExit
logOnly "=== AUDIT REPORT: User Authorizations (FAILED)" 
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Login/Logout (SUCCESS)"
logBoth "=== Description:  All events that show an account validation was"
logBoth "===               attempted, and succeeded"
logBoth "=== Note:         An unsuccessful logout is one that was"
logBoth "===               forced during a reboot"
logBoth "=== CNSS/JSIG:    AU-2.a.1.(1) Logons (Success)"
logBoth "=== CNSS/JSIG:    AU-2.a.1.(2) Logouts (Success/Failure)"
AUSEARCH $auditDateOptions --raw | aulast --stdin 2>&1 | lpad | \
      logOnly || failAndExit
logOnly "=== AUDIT REPORT: Login/Logout (SUCCESS)" 
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Digital Media (mount/unmount)"
logBoth "=== Description:  All events for portable media, be it"
logBoth "===               mount, unmount, read, or write"
logBoth "=== Note:         This audit requirement is difficult to"
logBoth "===               satisfy under Linux with the native audit"
logBoth "===               system.  If user-mountable drives are"
logBoth "===               configured, your administrator should have"
logBoth "===               auditd configured to watch those paths and"
logBoth "===               this script modified to support it."
logBoth "=== CNSS/JSIG:    AU-2.a.3 Export/Write to digital media [partial]" 
logBoth "=== CNSS/JSIG:    AU-2.a.4 Import from digital media [partial]" 
logOnly "Mounts of any filesystem"
logOnly "------------------------"
AUSEARCH $auditDateOptions --format text --syscall mount 2>&1 | lpad | logOnly
logOnly "Unmounts of any filesystem (compare to list above)"
logOnly "--------------------------------------------------"
AUSEARCH $auditDateOptions --format text --file /usr/bin/umount 2>&1 | \
      lpad | logOnly
logOnly ""
logOnly "    Note:         No file read or device writing was audited on"
logOnly "                  this system, beyond that normal failures recorded"
logOnly "                  everywhere else on the system."
### if these RPMs are installed, recommend that audit rules be put in place
### if they aren't
reviewCdTools | lpad | logBoth  || failAndExit
reviewCdActivity 2>&1 | lpad | logOnly  || failAndExit
logBoth "=== AUDIT REPORT: Digital Media (mount/unmount)"
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Local account management"
logBoth "=== Description:  Users and groups added, deleted, or"
logBoth "===               modified (Success/Failure)"
logBoth "=== CNSS/JSIG:    AU-2.a.5.(1) User add, delete, modify, disable (Success/Failure)" 
logBoth "=== CNSS/JSIG:    AU-2.a.5.(2) Group add, delete, modify, disable (Success/Failure)" 
AUREPORT --mods $commonAuditOptions | lpad | logOnly || failAndExit
logOnly "=== AUDIT REPORT: Local account management" 
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Configuration Changes (FAILED)"
logBoth "=== Description:  Failed attempts to change files called out"
logBoth "===               in the *audit* configuration"
logBoth "=== CNSS/JSIG:    AU-2.a.6.(1) Security or audit policy changes (Failure)" 
logBoth "=== CNSS/JSIG:    AU-2.a.6.(2) Configuration changes (Failure)" 
logOnly "=== Note:         The records below only documentat that a"
logOnly "===               change was attempted, not the nature of that change."
AUREPORT --config --failed $commonAuditOptions | lpad | logOnly || failAndExit
logOnly "=== AUDIT REPORT: Configuration Changes (FAILED)"
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Configuration Changes (SUCCESS)"
logBoth "=== Description:  Successful changes made to files called out"
logBoth "===               in the *audit* configuration"
logBoth "=== CNSS/JSIG:    AU-2.a.6.(1) Security or audit policy changes (Success)" 
logBoth "=== CNSS/JSIG:    AU-2.a.6.(2) Configuration changes (Success)" 
logOnly "=== Note:         The records below only documentat that a"
logOnly "===               change occured, not the nature of that change."
AUREPORT --config --success$commonAuditOptions | lpad | logOnly || failAndExit
logOnly "=== AUDIT REPORT: Configuration Changes (SUCCESS)"
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Login directly as root"
logBoth "=== Description:  Detect when someone logs into the "
logBoth "===               system as root (Success/Failure)"
logBoth "=== CNSS/JSIG:    AU-2.a.7 Admin or root-level access (Success/Failure)" 
uid0Users=$(awk 'BEGIN{FS=":"} $3 == "0" {print $1}' /etc/passwd)
if [ "$uid0Users" != "root" ]; then
   logBoth "=== WARNING: UID 0 resolves to users other than \"root\": $(echo $uid0Users) "
   logBoth "===          This script only checks for the \"root\" user."
fi
AUREPORT --login $commonAuditOptions | \
      awk 'NR<6 {print} NR>1 && / root .*tty/ { print }' \
		| lpad | logOnly || failAndExit
logOnly "=== AUDIT REPORT: Login directly as root" 
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Privilege/role escalation"
logBoth "=== Description:  Commands run by a user when they"
logBoth "===               have taken on privileges"
logBoth "=== Note:         Noisy commands issued during login are filtered out"
logBoth "=== CNSS/JSIG:    AU-2.a.8 Privilege/role escalation (Success/Failure)" 
AUSEARCH --key privileged $auditDateOptions --format text | \
		grep -v ' root, successfully executed /usr/sbin/unix_chkpwd'  \
		| logOnly || failAndExit
logOnly "=== AUDIT REPORT: Privilege/role escalation"
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Security relevant log data access (FAILURE)"
logBoth "=== Description:  Report failed attempts to read the"
logBoth "===               the audit log or the security log"
logBoth "=== CNSS/JSIG:    AU-2.a.9 Audit and security relevant log data access (Failure)" 
AUSEARCH  --success no $auditDateOptions --file /var/log/audit \
         --file /var/log |\
		logOnly || failAndExit
logOnly "=== AUDIT REPORT: Security log data access"
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Security relevant log data access (SUCCESS)"
logBoth "=== Description:  "
logBoth "=== CNSS/JSIG:    AU-2.a.9 Audit and security relevant log data access (Success/Failure)" 
AUSEARCH  --success yes $auditDateOptions --file /var/log/audit \
        --file /var/log | lpad | logOnly || failAndExit
logOnly "=== AUDIT REPORT: Security log data access"
logOnly "" 

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: System start/shutdown"
logBoth "=== Description:  Show the system booting, controlled shutdowns,"
logBoth "===               runlevel changes (anything other than runlevel-3"
logBoth "===               means that problems happened during boot),"
logBoth "===               and audit daemon start/stop/reconfigure"
logBoth "=== CNSS/JSIG:    AU-2.a.10 System reboot, restart and shutdown (Success/Failure)" 
AUSEARCH $auditDateOptions -m SYSTEM_BOOT -m SYSTEM_SHUTDOWN \
                -m SYSTEM_RUNLEVEL -m DAEMON_START -m DAEMON_END \
                -m DAEMON_CONFIG --format text | \
		logOnly || failAndExit
logOnly "=== AUDIT REPORT: System start/shutdown "
logOnly "" 

printSubsystemInstalled="no"
if [ -n "$(which lpq 2>/dev/null)" -o -n "$(which lpstat 2>/dev/null)" ]; then
   printSubsystemInstalled="yes"
fi
logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Print to a device or file:"
logBoth "=== Description:  If printing is installed on this system,"
logBoth "===               show something, but that code has not"
logBoth "===               been writte yet.  See this page for ideas:"
logBoth "===               https://www.cups.org/doc/accounting.html"
logBoth "=== CNSS/JSIG:    AU-2.a.11 Print to a device (Success/Failure)" 
logBoth "=== CNSS/JSIG:    AU-2.a.12 Print to a file (Success/Failure)" 
if [ "$printSubsystemInstalled" == "no" ]; then
   logBoth "=== Note:         You're in luck.  No printers are configured."
   logBoth "===               There is nothing to audit."
else
   logBoth "=== WARNING: Not implemented yet"
fi

logBoth "=================================================" 
logBoth "=== AUDIT REPORT: Commands Run"
logBoth "=== Description:  STIG-identified commands that should be reviewed"
logBoth "===               Filters are applied to remove systemd activity"
logBoth "=== CNSS/JSIG:    AU-2.a.13 Application Initialization (Success/Failure)"
AUREPORT --comm $commonAuditOptions |\
       egrep -v -e '(\(none\)|\? \?| abrt-cli | unix_chkpwd )'\
		| lpad | logOnly || failAndExit
logOnly "=== AUDIT REPORT: Commands Run" 
logBoth "=================================================" 
logOnly "" 

logBoth "=================================================" 
logBoth "=== CLEANING UP ==="
logBoth "=== Compressing the extracted audit records"
gzip $auditArchiveFile

finalColor=${GREEN}
logBoth "=== Counting up any errors or warnings"
GlobalErrors=$(grep "ERROR" $reportFile | wc -l)
GlobalWarnings=$(grep "WARNING" $reportFile | wc -l)
if [ $GlobalErrors -ne 0 ]; then
   logBoth "ALERT!  There were $GlobalErrors errors throughout this report."
   logBoth "        This audit report is likely incomplete."
   logBoth "        Failure to address these concerns will be noted"
   logBoth "        during any incident response reviews."
   finalColor=${RED}
fi
if [ $GlobalWarnings -ne 0 ]; then
   logBoth "NOTICE! Important warnings occurred while generating"
   logBoth "        This report.  Please investigate."
   finalColor=${YELLOW}
fi

logBoth "=== Next Steps"
logBoth "    Now that the audit review is complete, feel free to force "
logBoth "    a log rotation with"
logBoth "       sudo service auditd rotate"
logBoth "    Review this report with"      
logBoth "       more $reportFile" 
logBoth "    Archive the report and the original logs"
logBoth "       $reportFile"
logBoth "       $auditArchiveFile.gz"
if [ -n "$offlineArchiveFolder" -a -d "$offlineArchiveFolder" ] ; then
   logBoth ">>> Copying the report and archival copy of the supporting logs to"
   logBoth ">>> $offlineArchiveFolder"
   logOnly "${finalColor}=+=+=+=+=+=+=+=+ Audit Review Complete =+=+=+=+=+=+=+=+=+=${NO_COLOUR}"
   cp -v $reportFile $auditArchiveFile.gz $offlineArchiveFolder/. 2>&1 | \
         logOnly || failAndExit
   logBoth ">>> ${GREEN}Report archived${NO_COLOUR}"
fi
logBoth "=== CLEAN UP COMPLETE ==="
logBoth "${finalColor}=+=+=+=+=+=+=+=+ Audit Review Complete =+=+=+=+=+=+=+=+=+=${NO_COLOUR}"


##### UNCLASSIFIED ##########
#sudo aureport --key --interpret|egrep -v -e '(logins yes /usr/sbin/crond|modules yes /usr/bin/kmod|(access|delete|export|logins|modules|perm_mod|privileged) yes \? |logins yes /usr/bin/login -1)' 
#localUsers=$(echo $( getent passwd |grep -v nologin | cut -f1 -d:)  | sed -e 's/^/(/;s/$/)/;s/ /|/g;')
#auditusers=$(sudo ausearch --format csv |awk 'NR>2 {print}' | cut -d, -f9 |sort | uniq)