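function eq_check_safetyAudit_func()
{
  ## Report the rotation settings of the logrotate stanza for one log file.
  ##   $1 - logrotate config file to scan (/etc/logrotate.conf or a file in /etc/logrotate.d)
  ##   $2 - log path whose stanza is wanted; compared as a whole token, never as a pattern
  ## Prints, in file order, for the first stanza found:
  ##   "<count> -"            for "rotate <count>" (0 included: it means old logs are deleted)
  ##   daily|weekly|monthly   for the interval directive
  ## Prints nothing when the file has no stanza for $2 or cannot be read.
  local conf=$1
  local wanted=$2
  local in_stanza=0
  local line first rest
  [ -r "$conf" ] || return 0
  ## read -r keeps each line verbatim; the former `for i in $(cat ...)` word-split
  ## and glob-expanded every line, so a "/var/log/*.log {" line became a file list.
  while IFS= read -r line || [ -n "$line" ]; do
    ## First token and remainder; surrounding whitespace is trimmed by read.
    read -r first rest <<<"$line"
    if [ "$in_stanza" -eq 0 ]; then
      ## The stanza may open as "path {" or as "path" with "{" on the next line.
      if [ "$first" = "$wanted" ] && { [ -z "$rest" ] || [ "$rest" = "{" ]; }; then
        in_stanza=1
      fi
      continue
    fi
    case "$first" in
      rotate)
        ## Only a numeric count is reported; "rotate" inside a comment line is ignored.
        if [[ "$rest" =~ ^([0-9]+)([[:space:]]|$) ]]; then
          echo "${BASH_REMATCH[1]} -"
        fi
        ;;
      daily|weekly|monthly)
        echo "$first"
        ;;
      '}')
        ## End of the stanza: only the first one for this log is reported.
        break
        ;;
    esac
  done < "$conf"
}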
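function eq_check_safetyAudit_file()
{
  ## Locate the logrotate stanza for the log given in $1 in every file of
  ## /etc/logrotate.d and in /etc/logrotate.conf, printing what
  ## eq_check_safetyAudit_func reports for each.
  ##   $1 - absolute path of the audit log (e.g. /var/log/audit/audit.log)
  ## Output: one line "<findings>==<config path> <>" per logrotate.d file that has
  ## a stanza (" <>" is the separator the restore step splits on), then one line for
  ## /etc/logrotate.conf ("<findings>==/etc/logrotate.conf", or empty when it has no
  ## stanza).  "<path>inexistence" is printed for a missing directory/file.
  ## Always returns 0.
  local addbuf=$1
  local LogConf="/etc/logrotate.conf"
  local file="/etc/logrotate.d"
  local conf found logrotateConf=""
  if [ -d "$file" ]; then
    ## Glob instead of parsing `ls`: names survive intact and subdirectories
    ## (which the old loop fed to cat) are skipped.
    for conf in "$file"/*; do
      [ -f "$conf" ] || continue
      ## Skip the "<file>_back" copies written by eq_restore_safetyAudit_file.
      ## NOTE(review): logrotate itself does not skip them ("_back" is not in its
      ## default tabooext list), so such a copy is likely parsed as a second stanza
      ## for the same log - confirm on the target distribution.
      case "$conf" in *_back) continue ;; esac
      ## Flatten the per-line findings onto one line ("4 - daily"), as before.
      found=$(eq_check_safetyAudit_func "$conf" "$addbuf" | tr '\n' ' ')
      found=${found% }
      if [ -n "$found" ]; then
        echo "${found}==${conf} <>"
      fi
    done
  else
    echo "<$file>inexistence"
  fi
  if [ -e "$LogConf" ]; then
    found=$(eq_check_safetyAudit_func "$LogConf" "$addbuf" | tr '\n' ' ')
    found=${found% }
    if [ -n "$found" ]; then
      logrotateConf="${found}==${LogConf}"
    fi
  else
    logrotateConf="<$LogConf>inexistence"
  fi
  echo "$logrotateConf"
  return 0
}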
##检测
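function eq_check_safetyAudit()
{
  ## Check entry point: print the audit log path taken from auditd.conf on one
  ## line, then the logrotate findings for it (eq_check_safetyAudit_file output
  ## flattened onto one line).  "<path>inexistence" is printed when auditd.conf
  ## or the log file itself is missing.
  local auditConf="/etc/audit/auditd.conf"
  local auditLog findings
  if [ -e "$auditConf" ]; then
    ## Accept "log_file = X", "log_file=X" and leading whitespace; the old
    ## awk -F ' = ' split needed exactly one space on each side of '='.
    ## Only the first match is used, so a duplicated key cannot yield two paths.
    auditLog=$(sed -n -E 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' "$auditConf" | head -n 1)
    auditLog=${auditLog%"${auditLog##*[![:space:]]}"}
    if [ -e "$auditLog" ]; then
      echo "$auditLog"   ## printed on its own: the log file exists
      findings=$(eq_check_safetyAudit_file "$auditLog")
      echo "${findings//$'\n'/ }"
    else
      echo "<$auditLog>inexistence"
    fi
  else
    echo "<$auditConf>inexistence"
  fi
}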
##恢复
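function eq_recover_safetyAudit()
{
  ## Undo eq_restore_safetyAudit: move every "<file>_back" copy back over <file>,
  ## for /etc/logrotate.conf and for each file in /etc/logrotate.d.
  ## Edits /etc, so it must run as root; prints nothing.
  local LogConf="/etc/logrotate.conf"
  local file="/etc/logrotate.d"
  local bakfile
  if [ -e "${LogConf}_back" ]; then
    mv -- "${LogConf}_back" "$LogConf"
  fi
  if [ -d "$file" ]; then
    ## Glob for the exact "_back" suffix: the old `=~ "_back"` matched the
    ## substring anywhere in the name and `${x%_back*}` then truncated an
    ## unrelated file (e.g. "foo_backup" -> "foo").
    for bakfile in "$file"/*_back; do
      [ -f "$bakfile" ] || continue
      mv -- "$bakfile" "${bakfile%_back}"
    done
  fi
}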
##修复
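function eq_restore_safetyAudit_file()
{
  ## Raise the "rotate <count>" of the logrotate stanza for one log so that about
  ## six months of audit history are kept: 180 daily, 26 weekly or 6 monthly
  ## rotations, chosen by the interval word found in $3.
  ##   $1 - log path that opens the stanza ("path" or "path {")
  ##   $2 - logrotate config file to edit; a "<file>_back" copy is made first,
  ##        only if none exists, so the first backup stays the pristine one
  ##   $3 - text containing daily, weekly or monthly (findings of the check step);
  ##        a stanza without its own interval word is left unchanged
  ## A count that already meets the target is left alone - the old code overwrote
  ## every positive count and could shrink a site's longer retention.  A count of
  ## 0 (old logs deleted instead of rotated) is raised as well.  Must run as root.
  ## NOTE(review): the "_back" copy stays inside /etc/logrotate.d, where logrotate
  ## will likely read it as a second stanza for the same log - confirm the
  ## resulting behaviour on the target distribution.
  local addbuf=$1
  local file=$2
  local fun=$3
  local filebak="${file}_back"
  local target in_stanza=0 lineno=0
  local line first rest
  local -a targets=() sedargs=()
  [ -e "$file" ] || return 0
  case "$fun" in
    *daily*)   target=180 ;;
    *weekly*)  target=26 ;;
    *monthly*) target=6 ;;
    *)         return 0 ;;   ## no interval known: nothing sensible to write
  esac
  ## Pass 1: collect the line numbers of "rotate <count>" lines below target.
  ## Tracking the number here replaces the old unanchored `grep -n "$addbuf$"`,
  ## which broke arithmetic when the path occurred twice.
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    read -r first rest <<<"$line"
    if [ "$in_stanza" -eq 0 ]; then
      if [ "$first" = "$addbuf" ] && { [ -z "$rest" ] || [ "$rest" = "{" ]; }; then
        in_stanza=1
      fi
      continue
    fi
    case "$first" in
      rotate)
        if [[ "$rest" =~ ^([0-9]+)([[:space:]]|$) ]] && [ "${BASH_REMATCH[1]}" -lt "$target" ]; then
          targets+=("$lineno")
        fi
        ;;
      '}') break ;;
    esac
  done < "$file"
  [ "${#targets[@]}" -gt 0 ] || return 0
  ## Pass 2: back up, then rewrite only the collected lines, keeping their indent.
  if [ ! -e "$filebak" ]; then
    cp -p -- "$file" "$filebak"   ## -p: keep mode/owner of the /etc config
  fi
  for lineno in "${targets[@]}"; do
    sedargs+=(-e "${lineno}s/^([[:space:]]*)rotate[[:space:]]+[0-9]+/\1rotate ${target}/")
  done
  sed -i -E "${sedargs[@]}" -- "$file"
}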
##修复
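function eq_restore_safetyAudit()
{
  ## Fix entry point: run the check, then for every "<findings>==<config>" entry
  ## it reports call eq_restore_safetyAudit_file on that config, passing the
  ## findings (they carry the daily/weekly/monthly word that selects the new
  ## rotate count).  Prints "<path>inexistence" when auditd.conf or the audit
  ## log is missing.  Edits /etc, so it must run as root.
  local auditConf="/etc/audit/auditd.conf"
  local auditLog fun entry findings confpath
  ## Existence is tested first; the old code ran grep on auditd.conf before
  ## checking that it was there.
  if [ ! -e "$auditConf" ]; then
    echo "<$auditConf>inexistence"
    return 0
  fi
  auditLog=$(sed -n -E 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' "$auditConf" | head -n 1)
  auditLog=${auditLog%"${auditLog##*[![:space:]]}"}
  if [ ! -e "$auditLog" ]; then
    echo "<$auditLog>inexistence"
    return 0
  fi
  fun=$(eq_check_safetyAudit)
  ## Entries are separated by the "<>" token; split on exactly that instead of
  ## the old IFS="<>" trick, which also split on a lone '<' or '>' and then
  ## relied on unquoted word splitting to isolate the interval word.
  while IFS= read -r entry; do
    case "$entry" in *==*) ;; *) continue ;; esac
    findings=${entry%%==*}
    confpath=${entry#*==}
    ## trim the whitespace that surrounds the separator
    confpath=${confpath#"${confpath%%[![:space:]]*}"}
    confpath=${confpath%"${confpath##*[![:space:]]}"}
    [ -n "$confpath" ] || continue
    eq_restore_safetyAudit_file "$auditLog" "$confpath" "$findings"
  done <<<"${fun//<>/$'\n'}"
}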
######执行
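## Usage: script <check> <recover> <restore>, each 1 to run that step
## (e.g. "1 0 0" = check only).  Missing or non-numeric arguments count as 0;
## the old `[ $1 -eq 1 ]` aborted with "unary operator expected" when one was
## absent.  Recover and restore edit files under /etc and therefore need root.
if [ "${1:-0}" -eq 1 ] 2>/dev/null; then
  eq_check_safetyAudit
fi
if [ "${2:-0}" -eq 1 ] 2>/dev/null; then
  eq_recover_safetyAudit
fi
if [ "${3:-0}" -eq 1 ] 2>/dev/null; then
  eq_restore_safetyAudit
fi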
- 精确查找一个字符
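## Whole-word match of a config key: '^' anchors at the line start and '\>'
## ends the match at a word boundary, so "SELINUXTYPE=" is not matched.
## The '\<' in front of '^' in the original pattern added nothing.
addbuf=$(grep -E '^SELINUX\>' /etc/selinux/config)
## Is the hfs kernel module loaded?  Both anchors keep "hfsplus" from matching.
lsmod | awk '{print $1}' | grep -E '^hfs$'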
- 屏蔽一行或者打开一行