From bed2459a2ec138743e0445354950953fc5eab094 Mon Sep 17 00:00:00 2001
From: delerrr
Date: Sun, 23 Apr 2023 15:34:23 +0800
Subject: [PATCH 1/9] Added benchmark,remediation-kits,scanners for rule 2.25-ensure-audit-logs-are-not-automatically-deleted
---
 ...udit-logs-are-not-automatically-deleted.md | 30 +++++++++++++++++++
 docs/summary-of-rules.md | 1 +
 ...udit-logs-are-not-automatically-deleted.sh | 3 ++
 ...udit-logs-are-not-automatically-deleted.sh | 15 ++++++++++
 4 files changed, 49 insertions(+)
 create mode 100644 benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
 create mode 100644 remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
 create mode 100644 scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh

diff --git a/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
new file mode 100644
index 0000000..c2f491a
--- /dev/null
+++ b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
@@ -0,0 +1,30 @@
+# 2.25 确保审计日志不会自动删除
+
+## 安全等级
+
+- Level 1
+
+## 描述:
+
+出于安全考虑,维护长时间的审计历史记录利大于弊。在`/etc/audit/auditd.conf`中,`max_log_file_action`选项告诉系统当检测到已达到最大文件大小限制时采取什么行动。当该选项设置为`keep_logs`时,系统将永远不会删除旧日志而是将日志进行旋转(更改日志文件名称以确保越新的日志编号越小)。
+
+## 修复建议
+
+在`/etc/audit/auditd.conf`中将`max_log_file_action`选项设置为`keep_logs`:
+
+```
+max_log_file_action = keep_logs
+```
+
+## 扫描检测
+
+运行以下命令,并验证是否有如下输出:
+
+```bash
+# grep max_log_file_action /etc/audit/auditd.conf
+max_log_file_action = keep_logs
+```
+
+## 参考:
+
+- cis:
\ No newline at end of file
diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index 75c8001..0e4e181 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
@@ -75,6 +75,7 @@
 | 2.22 | 2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md | 2.22 确保收集对系统管理范围(sudoers)的更改 | benchmarks/logging-and-auditing | 3 |
 | 2.23 | 2.23-ensure-that-events-that-modify-user-group-information-are-collected.md | 2.23 确保收集修改用户/组信息的事件 | benchmarks/logging-and-auditing | 3 |
 | 2.24 | 2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md | 2.24 确保记录成功或不成功使用chsh命令 | benchmarks/logging-and-auditing | 3 |
+| 2.25 | 2.25-ensure-audit-logs-are-not-automatically-deleted.md | 2.25 确保审计日志不会自动删除 | benchmarks/logging-and-auditing | 1 |
 | 3.1 | 3.1-disable-http-server.md | 3.1 禁用HTTP Server | benchmarks/services | 1 |
 | 3.2 | 3.2-disable-ftp-server.md | 3.2 禁用FTP Server | benchmarks/services | 1 |
 | 3.3 | 3.3-disable-dns-server.md | 3.3 禁用DNS Server | benchmarks/services | 1 |
diff --git a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
new file mode 100644
index 0000000..8b1ee94
--- /dev/null
+++ b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
new file mode 100644
index 0000000..25e9129
--- /dev/null
+++ b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
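Review bot: The `sed -i` on the third added line of the remediation kit edits the file but never tells the running daemon about it; auditd reads auditd.conf at start-up and re-reads it on SIGHUP, so until the kit reloads it the host stays on the old `max_log_file_action` while the scanner already reports "pass". It also returns 0 whether or not any line matched, so a config where the key is absent or present only as a commented template line is silently left alone with a successful exit status. I would follow the substitution with a check that the setting actually landed, `grep -q '^max_log_file_action *= *keep_logs' /etc/audit/auditd.conf || exit 1`, and then reload the daemon with `pkill -HUP -x auditd` (or the distribution's `service auditd reload`; plain `systemctl restart auditd` is refused on distributions that mark the unit RefuseManualStop). The `\ No newline at end of file` marker on this hunk is worth fixing too, since later kits may append to this script. This hunk is the whole script, so nothing is cut off.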
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+result=false
+
+output=$(grep "max_log_file_action" /etc/audit/auditd.conf)
+
+if [ "$output" == "max_log_file_action = keep_logs" ]; then
+ result=true
+fi
+
+if [ "$result" = true ] ; then
+ echo "pass"
+else
+ echo "fail"
+fi
\ No newline at end of file
-- 
Gitee

From 5098371de7177369fbf2144d46540342f477bf01 Mon Sep 17 00:00:00 2001
From: delerrr
Date: Sun, 23 Apr 2023 16:04:59 +0800
Subject: [PATCH 2/9] Added benchmark,remediation-kits,scanners for rule 2.25-ensure-audit-logs-are-not-automatically-deleted
---
 .../2.25-ensure-audit-logs-are-not-automatically-deleted.md | 2 +-
 .../2.25-ensure-audit-logs-are-not-automatically-deleted.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
index c2f491a..8336608 100644
--- a/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
+++ b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
@@ -2,7 +2,7 @@
 
 ## 安全等级
 
-- Level 1
+- Level 3
 
 ## 描述:
 
diff --git a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
index 25e9129..d8fae78 100644
--- a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
+++ b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
@@ -5,7 +5,7 @@ result=false
 output=$(grep "max_log_file_action" /etc/audit/auditd.conf)
 
 if [ "$output" == "max_log_file_action = keep_logs" ]; then
-    result=true
+    result=true
 fi
 
 if [ "$result" = true ] ; then
-- 
Gitee

From ff53344522ae6cd3226860dfa526abcb67f563e6 Mon Sep 17 00:00:00 2001
From: delerrr
Date: Sun, 23 Apr 2023 16:08:21 +0800
Subject: [PATCH 3/9] Added benchmark,remediation-kits,scanners for rule 2.25-ensure-audit-logs-are-not-automatically-deleted
---
 docs/summary-of-rules.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index 0e4e181..6417f5b 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
@@ -75,7 +75,7 @@
 | 2.22 | 2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md | 2.22 确保收集对系统管理范围(sudoers)的更改 | benchmarks/logging-and-auditing | 3 |
 | 2.23 | 2.23-ensure-that-events-that-modify-user-group-information-are-collected.md | 2.23 确保收集修改用户/组信息的事件 | benchmarks/logging-and-auditing | 3 |
 | 2.24 | 2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md | 2.24 确保记录成功或不成功使用chsh命令 | benchmarks/logging-and-auditing | 3 |
-| 2.25 | 2.25-ensure-audit-logs-are-not-automatically-deleted.md | 2.25 确保审计日志不会自动删除 | benchmarks/logging-and-auditing | 1 |
+| 2.25 | 2.25-ensure-audit-logs-are-not-automatically-deleted.md | 2.25 确保审计日志不会自动删除 | benchmarks/logging-and-auditing | 3 |
 | 3.1 | 3.1-disable-http-server.md | 3.1 禁用HTTP Server | benchmarks/services | 1 |
 | 3.2 | 3.2-disable-ftp-server.md | 3.2 禁用FTP Server | benchmarks/services | 1 |
 | 3.3 | 3.3-disable-dns-server.md | 3.3 禁用DNS Server | benchmarks/services | 1 |
-- 
Gitee

From 3ace0a7308f6818dce0a7960136e57b029de79a6 Mon Sep 17 00:00:00 2001
From: delerrr
Date: Sun, 23 Apr 2023 16:36:25 +0800
Subject: [PATCH 4/9] Added benchmark,remediation-kits,scanners for rule 2.25-ensure-audit-logs-are-not-automatically-deleted
---
 .../2.25-ensure-audit-logs-are-not-automatically-deleted.md | 2 +-
 .../2.25-ensure-audit-logs-are-not-automatically-deleted.sh | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
index 8336608..c1316b5 100644
--- a/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
+++ b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
@@ -6,7 +6,7 @@
 
 ## 描述:
 
-出于安全考虑,维护长时间的审计历史记录利大于弊。在`/etc/audit/auditd.conf`中,`max_log_file_action`选项告诉系统当检测到已达到最大文件大小限制时采取什么行动。当该选项设置为`keep_logs`时,系统将永远不会删除旧日志而是将日志进行旋转(更改日志文件名称以确保越新的日志编号越小)。
+出于安全考虑,维护长时间的审计历史记录利大于弊。在`/etc/audit/auditd.conf`中,`max_log_file_action`配置项指定max_log_file容量达到设定的值时采取的动作。当该配置项设置为`keep_logs`时,系统将循环日志文件但会忽略num_logs参数(也就是不删除日志文件)。
 
 ## 修复建议
 
diff --git a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
index 8b1ee94..5ca9a07 100644
--- a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
+++ b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
@@ -1,3 +1,7 @@
 #!/bin/bash
 
-sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
\ No newline at end of file
+if grep -q "^max_log_file_action" /etc/audit/auditd.conf; then
+ sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
+else
+ echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf
+fi
\ No newline at end of file
-- 
Gitee

From 7bf662295c5c12c7efa89fd60c8ca9825b6415c3 Mon Sep 17 00:00:00 2001
From: delerrr
Date: Sun, 23 Apr 2023 16:38:25 +0800
Subject: [PATCH 5/9] Added benchmark,remediation-kits,scanners for rule 2.25-ensure-audit-logs-are-not-automatically-deleted
---
 .../2.25-ensure-audit-logs-are-not-automatically-deleted.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
index c1316b5..d24ea85 100644
--- a/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
+++ b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
@@ -6,7 +6,7 @@
 
 ## 描述:
 
-出于安全考虑,维护长时间的审计历史记录利大于弊。在`/etc/audit/auditd.conf`中,`max_log_file_action`配置项指定max_log_file容量达到设定的值时采取的动作。当该配置项设置为`keep_logs`时,系统将循环日志文件但会忽略num_logs参数(也就是不删除日志文件)。
+出于安全考虑,维护长时间的审计历史记录利大于弊。在`/etc/audit/auditd.conf`中,`max_log_file_action`配置项指定`max_log_file`容量达到设定的值时采取的动作。当该配置项设置为`keep_logs`时,系统将循环日志文件但会忽略num_logs参数(也就是不删除日志文件)。
 
 ## 修复建议
 
-- 
Gitee

From a29e8f825fd7170b4791b644c4ecbd23b41d8fa9 Mon Sep 17 00:00:00 2001
From: delerrr
Date: Sun, 23 Apr 2023 16:59:51 +0800
Subject: [PATCH 6/9] Added benchmark,remediation-kits,scanners for rule 2.25-ensure-audit-logs-are-not-automatically-deleted
---
 .../2.25-ensure-audit-logs-are-not-automatically-deleted.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
index d8fae78..db4ea96 100644
--- a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
+++ b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
@@ -1,10 +1,10 @@
 #!/bin/bash
- 
+
 result=false
 
-output=$(grep "max_log_file_action" /etc/audit/auditd.conf)
+[[ -e /etc/audit/auditd.conf ]] && output=$(grep -P "^max_log_file_action\s*=.*" /etc/audit/auditd.conf | cut -f2 -d= | sed -e 's/^[ ]*//g')
 
-if [ "$output" == "max_log_file_action = keep_logs" ]; then
+if [[ "$output" == "keep_logs" ]] ; then
 result=true
 fi
 
-- 
Gitee

From e334de4c0f7d9b6c853a4dbfe1c2a469618eb713 Mon Sep 17 00:00:00 2001
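Review bot: The `sed -e 's/^[ ]*//g'` at the end of the added `[[ -e /etc/audit/auditd.conf ]] && output=…` line strips only leading spaces, so a value written with a tab after `=` or with a trailing blank (`keep_logs `) never equals the literal `keep_logs` on the added `if [[ … ]]` line, and a file that carries more than one `max_log_file_action` line yields a multi-line `$output` that cannot match either. Both cases fail closed (a compliant host is reported as "fail"), which is the safe direction for a scanner, but it produces noise that operators learn to ignore. Deleting all whitespace and keeping the last match handles both: `output=$(grep -P '^max_log_file_action\s*=' /etc/audit/auditd.conf | tail -n 1 | cut -d= -f2 | tr -d '[:space:]')`. I am assuming here that auditd honours the last of duplicate keys; confirm against its config parser before relying on `tail`. The rest of the script (the `echo pass/fail` branch) is outside this hunk.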
From: delerrr
Date: Sun, 23 Apr 2023 17:04:57 +0800
Subject: [PATCH 7/9] Added benchmark,remediation-kits,scanners for rule 2.25-ensure-audit-logs-are-not-automatically-deleted
---
 .../2.25-ensure-audit-logs-are-not-automatically-deleted.sh | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
index db4ea96..a5ed931 100644
--- a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
+++ b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
@@ -1,14 +1,8 @@
 #!/bin/bash
 
-result=false
-
 [[ -e /etc/audit/auditd.conf ]] && output=$(grep -P "^max_log_file_action\s*=.*" /etc/audit/auditd.conf | cut -f2 -d= | sed -e 's/^[ ]*//g')
 
 if [[ "$output" == "keep_logs" ]] ; then
- result=true
-fi
-
-if [ "$result" = true ] ; then
 echo "pass"
 else
 echo "fail"
-- 
Gitee

From 4d49f41777ede4222df9c457a3706612f73cf4f5 Mon Sep 17 00:00:00 2001
From: delerrr
Date: Sun, 23 Apr 2023 17:21:41 +0800
Subject: [PATCH 8/9] Added benchmark,remediation-kits,scanners for rule 2.25-ensure-audit-logs-are-not-automatically-deleted
---
 .../2.25-ensure-audit-logs-are-not-automatically-deleted.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
index d24ea85..6892e79 100644
--- a/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
+++ b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md
@@ -12,7 +12,7 @@
 
 在`/etc/audit/auditd.conf`中将`max_log_file_action`选项设置为`keep_logs`:
 
-```
+```bash
 max_log_file_action = keep_logs
 ```
 
-- 
Gitee

From 270c9e6f45f06675521e643c2c1996a95b33aba4 Mon Sep 17 00:00:00 2001
From: delerrr
Date: Sun, 23 Apr 2023 17:27:33 +0800
Subject: [PATCH 9/9] Added benchmark,remediation-kits,scanners for rule 2.25-ensure-audit-logs-are-not-automatically-deleted
---
 .../2.25-ensure-audit-logs-are-not-automatically-deleted.sh | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
index 5ca9a07..f97599e 100644
--- a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
+++ b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh
@@ -1,7 +1,3 @@
 #!/bin/bash
 
-if grep -q "^max_log_file_action" /etc/audit/auditd.conf; then
- sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
-else
- echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf
-fi
\ No newline at end of file
+grep -Psq "^max_log_file_action\s*=.*" /etc/audit/auditd.conf && sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf || echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf
\ No newline at end of file
-- 
Gitee
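Review bot: The added `grep … && sed -i … || echo … >>` one-liner is not the if/else it replaces: when grep finds the key but `sed -i` fails (read-only root, `/etc/audit` mounted read-only in a container, missing write permission), control falls through to the `||` branch and appends a second `max_log_file_action` line instead of reporting the failure, and the script still exits 0 whenever the append succeeds. The new `-s` on grep also hides a missing `/etc/audit/auditd.conf` (auditd not installed), after which `>>` creates a one-line auditd.conf rather than failing; and because the removed lines ended with `\ No newline at end of file`, an append onto a config whose last line lacks a newline would glue the key onto it. Since this runs as root against a logging control, I would keep explicit branches, check each write, and have auditd re-read its config, which it does only at start-up or on SIGHUP; the `tail -c1` guard below is my own addition for the trailing-newline case and is cheap to drop if the kit only targets distro-shipped files. This hunk covers the whole script.
```shell
conf=/etc/audit/auditd.conf
[[ -f "$conf" ]] || { echo "$conf not found; is auditd installed?" >&2; exit 1; }
if grep -Pq '^max_log_file_action\s*=' "$conf"; then
  sed -i 's/^max_log_file_action\s*=.*/max_log_file_action = keep_logs/' "$conf" || exit 1
else
  # make sure the file ends with a newline before appending a new key
  [[ -z "$(tail -c1 "$conf")" ]] || echo >> "$conf"
  echo "max_log_file_action = keep_logs" >> "$conf" || exit 1
fi
# auditd re-reads auditd.conf on SIGHUP; tolerate a daemon that is not running
pkill -HUP -x auditd || true
```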