From 5fff4a01e9ab10c048e68f74e5924f2be57bbee9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=BC=86=E9=9B=95=E5=90=8E=E4=BD=B3?=
Date: Mon, 24 Apr 2023 10:53:43 +0000
Subject: [PATCH] Added benchmark,remediation-kits,scanners for rule 2.26-Ensure-the-running-and-on-disk-configuration-is-the-same
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes:#I6YIDA
Signed-off-by: 漆雕后佳
---
 ...g-and-on-disk-configuration-is-the-same.md | 57 +++++++++++++++++++
 docs/summary-of-rules.md | 1 +
 ...g-and-on-disk-configuration-is-the-same.sh | 5 ++
 ...g-and-on-disk-configuration-is-the-same.sh | 3 +
 4 files changed, 66 insertions(+)
 create mode 100644 benchmarks/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.md
 create mode 100644 remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh
 create mode 100644 scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh
diff --git a/benchmarks/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.md b/benchmarks/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.md
new file mode 100644
index 0000000..592612f
--- /dev/null
+++ b/benchmarks/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.md
@@ -0,0 +1,57 @@
+# 2.26 确保审计系统内存配置信息和磁盘配置信息相同
+
+## 安全等级
+
+- Level 1
+
+## 描述
+
+审计系统在磁盘上的系统配置信息可能和内存中的系统配置信息不相同。
+
+通过对审计系统磁盘配置信息和内存配置信息的一致性进行检查,保证审计系统正常运行。
+
+## 修复建议
+
+目标:确保内存中的配置信息和磁盘上存放的配置信息是一致的。
+
+1. 运行以下命令来合并和加载所有的规则:
+
+```bash
+# augenrules --load
+```
+
+2. 检查是否需要重启:
+
+```bash
+if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then
+ echo "Reboot required to load rules";
+fi
+```
+
+## 扫描检测
+
+目标:确保内存中的配置信息和磁盘上存放的配置信息是一致的。
+
+1. 检查`/etc/audit/rules.d`目录下的规则改动是否已合并至`/etc/audit/audit.rules`:
+
+```bash
+# augenrules --check
+
+/usr/sbin/augenrules: No change
+```
+
+如返回`Rules have changed and should be updated`则需执行`augenrules --load`命令来合并并加载所有规则。
+
+2. 在合并规则集之后,再次进行测试:
+
+```bash
+# augenrules --check | grep -Psiq "No\s+change" && echo 'pass' || echo 'fail'
+
+pass
+```
+
+如输出pass,则视为通过此项检查。
+
+## 参考
+
+- cis:
\ No newline at end of file
diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index c97f4f0..fc8c305 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
@@ -76,6 +76,7 @@
 | 2.23 | 2.23-ensure-that-events-that-modify-user-group-information-are-collected.md | 2.23 确保收集修改用户/组信息的事件 | benchmarks/logging-and-auditing | 3 |
 | 2.24 | 2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md | 2.24 确保记录成功或不成功使用chsh命令 | benchmarks/logging-and-auditing | 3 |
 | 2.25 | 2.25-ensure-audit-logs-are-not-automatically-deleted.md | 2.25 确保审计日志不会自动删除 | benchmarks/logging-and-auditing | 3 |
+| 2.26 | 2.26-ensure-the-running-and-on-disk-configuration-is-the-same.md | 2.26 确保审计系统内存配置信息和磁盘配置信息相同 | benchmarks/logging-and-auditing | 1 |
 | 3.1 | 3.1-disable-http-server.md | 3.1 禁用HTTP Server | benchmarks/services | 1 |
 | 3.2 | 3.2-disable-ftp-server.md | 3.2 禁用FTP Server | benchmarks/services | 1 |
 | 3.3 | 3.3-disable-dns-server.md | 3.3 禁用DNS Server | benchmarks/services | 1 |
diff --git a/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh b/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh
new file mode 100644
index 0000000..7352aba
--- /dev/null
+++ b/remediation-kits/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh
@@ -0,0 +1,5 @@
+augenrules --load
+
+if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then
+    echo "Reboot required to load rules";
+fi
\ No newline at end of file
diff --git a/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh b/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh
new file mode 100644
index 0000000..95b17a9
--- /dev/null
+++ b/scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh
@@ -0,0 +1,3 @@
+checkResult=$(augenrules --check)
+
+echo $checkResult | grep -Psiq "No\s+change" && echo 'pass' || echo 'fail'
\ No newline at end of file
-- Gitee
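Review bot: The exit status of `augenrules --load` on the first line of the remediation kit is discarded, so if the merge or load fails (for example on a malformed file under `/etc/audit/rules.d`) the kit carries on, runs the `auditctl -s` check anyway, and may print the reboot message over rules that were never loaded. Making the first line `augenrules --load || { echo "augenrules --load failed" >&2; exit 1; }` lets whatever harness runs these kits see that the remediation did not take effect. The file also has no shebang while using `[[ ... =~ ... ]]`, so it presumably relies on being executed under bash; if the other kits in this tree carry a `#!/usr/bin/env bash` header, this one should too.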
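Review bot: `echo $checkResult` on the last line of the scanner expands the captured output unquoted, so it is word-split and glob-expanded before grep sees it; the `\s+` in the pattern happens to tolerate the collapsed whitespace, but the variable should be fed to grep directly, e.g. `grep -Psiq "No\s+change" <<<"$checkResult" && echo 'pass' || echo 'fail'`. `grep -P` is a GNU-only option, and since the pattern needs nothing beyond a whitespace class, `grep -Eiq "No[[:space:]]+change"` would be portable to any grep the target systems ship. Stderr and the exit status of `augenrules --check` are also dropped, so when the tool is missing or errors out the scanner reports `fail` with no indication why; that is fail-closed, which is fine, but capturing the error (`2>&1`) or checking `$?` would make such results distinguishable from a genuine rules mismatch.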