Uninstalling GuardMode Agent on SAMBA setup
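To remove GuardMode Agent from your SAMBA setup, run the script below as root in a Bash terminal. It edits /etc/samba/smb.conf and /etc/rsyslog.conf in place and restarts the smb, systemd-journald and rsyslog services, so keep a copy of both files before you start: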
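# Remove every "vfs objects = full_audit" line from one Samba configuration file.
# Arguments: $1 - path of the configuration file, edited in place with sed -i
# Returns:   status of the last command; a missing or unreadable file, or a
#            file without a matching line, is left untouched.
# NOTE(review): sed -i keeps no backup; copy the file first if you may need to
# roll back.
remove_full_audit_from_shares ()
{
  # local: keep the path and the pattern out of the caller's shell variables
  local FILE="${1}"
  local STRING="vfs\s*objects\s*=\s*full_audit"
  if grep -q -- "${STRING}" "${FILE}" 2>/dev/null ; then
    # Whole-file pass: the file is joined into one pattern space and the
    # matching line is cut out. One newline is kept in the replacement so the
    # line before and the line after are never joined into a single setting.
    sed -i ":a;N;\$!ba;s#\n\s*${STRING}[^\n]*\n#\n#g" "${FILE}"
    # Line-wise pass for matches the first pass cannot reach (first line,
    # last line, back-to-back matches). It must edit the file passed in $1,
    # not a fixed smb.conf path, or included files keep their audit line.
    sed -i "\#${STRING}#d" "${FILE}"
  fi
}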
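# Undo the audit changes in the Samba configuration:
#   1. remove the full_audit line from /etc/samba/smb.conf,
#   2. do the same in every file named by an "include =" line of smb.conf
#      (value written bare, in double quotes, or in single quotes),
#   3. remove the include of /etc/samba/catalogic.audit.conf from smb.conf,
#   4. delete /etc/samba/catalogic.audit.conf.
# Globals:   none written (all working variables are local)
# Arguments: none
# NOTE(review): every included path is edited in place with the privileges of
# the caller; review the "include =" lines of smb.conf before running as root.
restore_smb_audit_conf()
{
  local SMB_CONF="/etc/samba/smb.conf"
  local STRING INCLUDED_FILE

  remove_full_audit_from_shares "${SMB_CONF}"

  # Each list is read line by line, so paths are neither word-split nor
  # glob-expanded and IFS does not have to be changed and restored.

  # Bare include values: first token after "=", skipping quoted values and
  # values containing a backslash. The final stage must be "tr"; spelled
  # "-tr" the pipeline fails and this pass silently processes nothing.
  while IFS= read -r INCLUDED_FILE ; do
    if [ -n "${INCLUDED_FILE}" ] ; then
      remove_full_audit_from_shares "${INCLUDED_FILE}"
    fi
  done < <( grep "^\s*include\s*=" "${SMB_CONF}" | cut -d= -f2 | grep -o "^\s*\S*" | grep -v \" | grep -v \' | grep -v \\\\ | tr -d "[:blank:]" )

  # Double-quoted include values.
  while IFS= read -r INCLUDED_FILE ; do
    if [ -n "${INCLUDED_FILE}" ] ; then
      remove_full_audit_from_shares "${INCLUDED_FILE}"
    fi
  done < <( grep "^\s*include\s*=" "${SMB_CONF}" | cut -d= -f2 | grep -oP "^\s*\".*?\"" | grep -o "\".*\"" | tr -d '"' )

  # Single-quoted include values.
  while IFS= read -r INCLUDED_FILE ; do
    if [ -n "${INCLUDED_FILE}" ] ; then
      remove_full_audit_from_shares "${INCLUDED_FILE}"
    fi
  done < <( grep "^\s*include\s*=" "${SMB_CONF}" | cut -d= -f2 | grep -oP "^\s*'.*?'" | grep -o "'.*'" | tr -d "'" )

  STRING="include\s*=\s*/etc/samba/catalogic\.audit\.conf"
  if grep -q -- "${STRING}" "${SMB_CONF}" 2>/dev/null ; then
    # Whole-file pass; one newline is kept in the replacement so the lines
    # around the removed include are not joined together.
    sed -i ":a;N;\$!ba;s#\n\s*${STRING}[^\n]*\n#\n#g" "${SMB_CONF}"
    # Line-wise pass for matches on the first or last line.
    sed -i "\#${STRING}#d" "${SMB_CONF}"
  fi

  rm -rf /etc/samba/catalogic.audit.conf
}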
# Run the Samba clean-up, then delete the Catalogic journald drop-in file.
# systemd-journald only picks the change up when it is restarted later on.
restore_smb_audit_conf
rm -rf -- /etc/systemd/journald.conf.d/99-catalogic.conf
# Print a notice that a selector was found in an rsyslog file and name the
# selector it can be swapped back to. Nothing is modified.
# Arguments: $1 - selector found in the file
#            $2 - selector to restore by hand
#            $3 - path of the file that was inspected
# Outputs:   an empty line followed by three lines of text on stdout
rsyslog_selectors_info()
{
  local FOUND_SELECTOR="${1}"
  local PREVIOUS_SELECTOR="${2}"
  local CONF_PATH="${3}"

  printf '\n'
  # %b expands backslash escapes in the argument the same way echo -e does
  printf '%b\n' "The selector \"${FOUND_SELECTOR}\" has been found in \"${CONF_PATH}\" file."
  printf '%b\n' "Possibly the result of a swap from the selector \"${PREVIOUS_SELECTOR}\" during configuration."
  printf '%b\n' "It can now be manually swapped back to the original selector \"${PREVIOUS_SELECTOR}\"."
}
# Report (never change) rsyslog selectors in one file that look like they were
# swapped during configuration, and print a closing hint if any was found.
# Arguments: $1 - rsyslog configuration file to inspect
# Outputs:   notices from rsyslog_selectors_info plus a hint, on stdout
# The match is a plain grep on the whole file, so commented-out lines count.
check_rsyslog_selectors()
{
  local CONF_PATH="${1}"
  local HITS=0
  local IDX
  # Parallel tables: grep pattern, selector as found, selector to restore.
  local -a PATTERNS=( 'local5\.info' 'local5\.\*;local5\.!=debug' '\*\.\*;local5\.!=debug' )
  local -a CURRENT=( 'local5.info' 'local5.*;local5.!=debug' '*.*;local5.!=debug' )
  local -a ORIGINAL=( 'local5.debug' 'local5.*' '*.*' )

  for IDX in 0 1 2 ; do
    # grep errors (missing or unreadable file) are treated as "not found"
    if grep -q "${PATTERNS[IDX]}" "${CONF_PATH}" &>/dev/null ; then
      rsyslog_selectors_info "${CURRENT[IDX]}" "${ORIGINAL[IDX]}" "${CONF_PATH}"
      HITS=1
    fi
  done

  if (( HITS )) ; then
    echo
    echo "If you do not use rsyslog selectors for a specific purpose,"
    echo "you can either leave the file/files unchanged or restore it/them to its/their original state."
  fi
}
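# Remove the Catalogic include from /etc/rsyslog.conf, delete
# /etc/rsyslog.d/catalogic.cfg, then report selectors that may need to be
# swapped back by hand in rsyslog.conf and in each non-empty
# /etc/rsyslog.d/*.conf file.
# Globals:   none written (STRING and CONF_FILE are local, so they no longer
#            leak into the shell the script is pasted into)
# Arguments: none
# NOTE(review): /etc/rsyslog.conf is edited in place without a backup.
restore_rsyslog_conf()
{
  # Single quotes on purpose: "$IncludeConfig" is rsyslog syntax, not a shell
  # variable, and must reach grep and sed literally.
  local STRING='$IncludeConfig /etc/rsyslog.d/catalogic.cfg'
  local CONF_FILE

  if grep -q "${STRING}" "/etc/rsyslog.conf" &>/dev/null ; then
    # The first three passes join the file into one pattern space and trim the
    # line break next to the include line: before it, after it, and at the
    # end of the file. NOTE(review): intent inferred from the expressions;
    # their order matters, so they are kept exactly as they were.
    sed -i ":a;N;\$!ba;s#\n[^ \t]*\n[^ \t]*${STRING}#\n${STRING}#g" "/etc/rsyslog.conf"
    sed -i ":a;N;\$!ba;s#${STRING}[^ \t]*\n[^ \t]*\n#${STRING}\n#g" "/etc/rsyslog.conf"
    sed -i ":a;N;\$!ba;s#${STRING}\n[^ \t]*\$#${STRING}#" "/etc/rsyslog.conf"
    # Finally delete the include line itself.
    sed -i "\#${STRING}#d" "/etc/rsyslog.conf"
  fi

  rm -rf /etc/rsyslog.d/catalogic.cfg

  check_rsyslog_selectors "/etc/rsyslog.conf"
  # With no *.conf file the glob stays literal and the -s test skips it.
  for CONF_FILE in /etc/rsyslog.d/*.conf ; do
    if [ -s "${CONF_FILE}" ] ; then
      check_rsyslog_selectors "${CONF_FILE}"
    fi
  done
}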
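# Remove the SELinux port label that lets syslogd_port_t use TCP 65432.
# semanage is shipped in policycoreutils-python on RED HAT 7 and in
# policycoreutils-python-utils on RED HAT 8, 9; it is installed only when it
# is missing.
# Returns: 1 when semanage is unavailable and cannot be installed, otherwise
#          the status of semanage.
set_selinux()
{
  if ! command -v semanage >/dev/null 2>&1 ; then
    # -y: a yum confirmation prompt would otherwise swallow the next pasted
    # lines of this script as its answer.
    # RED HAT 8, 9 package first, RED HAT 7 package as fallback.
    if ! yum install -y policycoreutils-python-utils && ! yum install -y policycoreutils-python ; then
      echo "semanage is not available and could not be installed; SELinux port label left unchanged." >&2
      return 1
    fi
  fi

  # Check afterwards with: semanage port -l | grep -w 65432
  semanage port -d -t syslogd_port_t -p tcp 65432

  # Optional, only if the package was installed just for this step:
  #   RED HAT 7:     yum remove policycoreutils-python
  #   RED HAT 8, 9:  yum remove policycoreutils-python-utils
}

# Run the rsyslog clean-up. The function is only defined above; without this
# call the include line and /etc/rsyslog.d/catalogic.cfg stay in place.
restore_rsyslog_conf

set_selinux

# Restart the services so they re-read the cleaned-up configuration.
systemctl restart smb
systemctl restart systemd-journald
systemctl restart rsyslog

# Switch off SMB in the agent's own configuration and restart the agent.
/opt/catalogic/guard-mode/agent/Catalogic.GuardMode.Agent config update smb --enabled False
systemctl restart Catalogic.GuardMode.Agent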
This script performs the following operations:
Removes Full Audit from SAMBA shares
Restores SAMBA Audit configuration
Cleans up rsyslog and systemd Configurations
Checks and restores rsyslog selectors
Restores rsyslog configuration
Adjusts SELinux settings
Restarts services and updates configurations