
Uninstalling GuardMode Agent on SAMBA setup

To remove GuardMode Agent from your SAMBA setup, paste the script below into a root shell. Review it before running it: its functions edit `/etc/samba/smb.conf` (and every file that `smb.conf` includes) and `/etc/rsyslog.conf` in place with `sed -i`, delete the Catalogic audit, rsyslog and journald drop-in files, and restart the `smb`, `systemd-journald` and `rsyslog` services, so back those files up first. The rsyslog selector check only prints advice; any selector it reports has to be swapped back by hand. The SELinux step (package install and `semanage`) applies to Red Hat family systems only.

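#######################################
# Strip every "vfs objects = full_audit" line from one smb.conf-style file.
# Globals:   none (FILE and STRING are local)
# Arguments: $1 - path of the file to edit in place
# Outputs:   none; the file is rewritten with sed -i
# Returns:   0 always (absent files and files without a match are left alone)
#######################################
remove_full_audit_from_shares ()
{
    local FILE="${1}"
    local STRING="vfs\s*objects\s*=\s*full_audit"

    # Nothing to do for a missing file, or one without a full_audit line.
    [[ -f "${FILE}" ]] || return 0
    if grep -q "${STRING}" "${FILE}" &>/dev/null ; then
        # Slurp the whole file so the match can swallow the newline (and any
        # blank lines, \s matches embedded newlines in GNU sed) before the
        # full_audit line together with the line itself.
        sed -i ":a;N;\$!ba;s#\n\s*${STRING}[^\n]*\n##g" "${FILE}"
        # A match on the first/last line has no surrounding newlines for the
        # pattern above, so delete any leftover line by address. This must act
        # on ${FILE} -- a hard-coded /etc/samba/smb.conf here would leave
        # included share files untouched.
        sed -i "\#${STRING}#d" "${FILE}"
    fi
}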
 
 
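#######################################
# Undo the SAMBA audit setup: strip full_audit from /etc/samba/smb.conf and
# from every file it includes, drop the catalogic.audit.conf include line and
# delete that file.
# Globals:   IFS (saved and restored around the include loops)
# Arguments: none
# Outputs:   none; /etc/samba/smb.conf and included files are edited in place
# Returns:   0 always
#######################################
restore_smb_audit_conf()
{
    local INCLUDED_FILE
    local xIFS
    local STRING

    remove_full_audit_from_shares "/etc/samba/smb.conf"

    # Include paths may contain spaces: split the pipelines' output on
    # newlines only (the unquoted $( ... ) below is deliberate).
    xIFS=$IFS ; IFS=$'\n'

    # Unquoted include paths; quoted ones and paths containing a backslash
    # are handled separately / skipped. (The original pipeline ended in
    # "-tr", a typo that made this loop silently do nothing.)
    for INCLUDED_FILE in $( grep "^\s*include\s*=" /etc/samba/smb.conf | cut -d= -f2 | grep -o "^\s*\S*" | grep -v '"' | grep -v "'" | grep -v '\\' | tr -d "[:blank:]" ) ; do
        remove_full_audit_from_shares "${INCLUDED_FILE}"
    done

    # Double-quoted include paths.
    for INCLUDED_FILE in $( grep "^\s*include\s*=" /etc/samba/smb.conf | cut -d= -f2 | grep -oP "^\s*\".*?\"" | grep -o "\".*\"" | tr -d '"' ) ; do
        remove_full_audit_from_shares "${INCLUDED_FILE}"
    done

    # Single-quoted include paths.
    for INCLUDED_FILE in $( grep "^\s*include\s*=" /etc/samba/smb.conf | cut -d= -f2 | grep -oP "^\s*'.*?'" | grep -o "'.*'" | tr -d "'" ) ; do
        remove_full_audit_from_shares "${INCLUDED_FILE}"
    done

    IFS=$xIFS

    # Remove the "include = /etc/samba/catalogic.audit.conf" line: first the
    # slurped form that also eats the preceding newline/blank lines, then any
    # leftover match on the first or last line of the file.
    STRING="include\s*=\s*/etc/samba/catalogic\.audit\.conf"
    if grep -q "${STRING}" /etc/samba/smb.conf &>/dev/null ; then
        sed -i ":a;N;\$!ba;s#\n\s*${STRING}[^\n]*\n##g" /etc/samba/smb.conf
        sed -i "\#${STRING}#d" /etc/samba/smb.conf
    fi
    # A plain file: -r is unnecessary, and -- guards against option-like names.
    rm -f -- /etc/samba/catalogic.audit.conf
}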
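# Undo the SAMBA side first.
restore_smb_audit_conf

# Drop the journald drop-in (presumably created by the SAMBA setup step).
# It is a plain file, so -r is unnecessary; -- guards against option-like names.
rm -f -- /etc/systemd/journald.conf.d/99-catalogic.conf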

 
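#######################################
# Print advice about an rsyslog selector that the setup may have rewritten.
# Arguments: $1 - selector currently found in the file
#            $2 - selector it was presumably swapped from during configuration
#            $3 - file the current selector was found in
# Outputs:   a blank line followed by three lines of advice on stdout
# Returns:   0
#######################################
rsyslog_selectors_info()
{
    local CURRENT_SELECTOR="${1}"
    local ORIGINAL_SELECTOR="${2}"
    local FILE="${3}"

    # printf '%s' prints the selector and file name verbatim; the former
    # echo -e would have interpreted any backslash sequence inside them.
    printf '\n'
    printf 'The selector "%s" has been found in "%s" file.\n' "${CURRENT_SELECTOR}" "${FILE}"
    printf 'Possibly the result of a swap from the selector "%s" during configuration.\n' "${ORIGINAL_SELECTOR}"
    printf 'It can now be manually swapped back to the original selector "%s".\n' "${ORIGINAL_SELECTOR}"
}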
 
 
#######################################
# Look for the rsyslog selectors the setup is known to substitute and print
# advice (via rsyslog_selectors_info) for each one present in the file.
# Nothing is modified; the user decides whether to swap selectors back.
# Arguments: $1 - rsyslog configuration file to inspect
# Outputs:   advice text on stdout, plus a closing hint if anything was found
# Returns:   0
#######################################
check_rsyslog_selectors()
{
    local FILE="${1}"
    local FOUND=false
    local IDX

    # Parallel tables, checked in this order: grep pattern, the selector as it
    # appears now, and the selector it was presumably swapped from.
    local -a PATTERNS=( 'local5\.info' 'local5\.\*;local5\.!=debug' '\*\.\*;local5\.!=debug' )
    local -a CURRENT=( 'local5.info' 'local5.*;local5.!=debug' '*.*;local5.!=debug' )
    local -a ORIGINAL=( 'local5.debug' 'local5.*' '*.*' )

    for IDX in "${!PATTERNS[@]}" ; do
        # A missing/unreadable file simply matches nothing.
        if grep -q "${PATTERNS[$IDX]}" "${FILE}" &>/dev/null ; then
            rsyslog_selectors_info "${CURRENT[$IDX]}" "${ORIGINAL[$IDX]}" "${FILE}"
            FOUND=true
        fi
    done

    if [[ "${FOUND}" == true ]] ; then
        echo
        echo "If you do not use rsyslog selectors for a specific purpose,"
        echo "you can either leave the file/files unchanged or restore it/them to its/their original state."
    fi
}
 
 
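#######################################
# Undo the rsyslog changes: remove the $IncludeConfig line for catalogic.cfg
# from /etc/rsyslog.conf, delete /etc/rsyslog.d/catalogic.cfg, then report
# selectors that may need to be swapped back by hand.
# Arguments: none
# Outputs:   selector advice on stdout (via check_rsyslog_selectors)
# Returns:   0
#######################################
restore_rsyslog_conf()
{
    local STRING
    local CONF_FILE

    STRING='$IncludeConfig /etc/rsyslog.d/catalogic.cfg'

    if grep -q "${STRING}" "/etc/rsyslog.conf" &>/dev/null ; then
        # Slurped whole-file edits. The first three trim the blank lines the
        # setup is expected to have left before/after the include line (and a
        # trailing one at EOF); the last deletes the include line itself.
        # Left byte-for-byte as written: the patterns are tuned to that layout.
        sed -i ":a;N;\$!ba;s#\n[^ \t]*\n[^ \t]*${STRING}#\n${STRING}#g" "/etc/rsyslog.conf"
        sed -i ":a;N;\$!ba;s#${STRING}[^ \t]*\n[^ \t]*\n#${STRING}\n#g" "/etc/rsyslog.conf"
        sed -i ":a;N;\$!ba;s#${STRING}\n[^ \t]*\$#${STRING}#" "/etc/rsyslog.conf"
        sed -i "\#${STRING}#d" "/etc/rsyslog.conf"
    fi

    # A plain file: -r is unnecessary, and -- guards against option-like names.
    rm -f -- /etc/rsyslog.d/catalogic.cfg

    # Report only; selectors are never rewritten automatically.
    check_rsyslog_selectors "/etc/rsyslog.conf"
    # An unmatched glob stays literal and fails the -s test, so no nullglob needed.
    for CONF_FILE in /etc/rsyslog.d/*.conf ; do
        if [ -s "${CONF_FILE}" ] ; then
            check_rsyslog_selectors "${CONF_FILE}"
        fi
    done
}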
 
 
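#######################################
# Remove the SELinux port label the SAMBA setup presumably added for the
# agent's TCP syslog port. Red Hat family only: semanage is provided by
# policycoreutils-python (RHEL 7) or policycoreutils-python-utils (RHEL 8/9).
# Those packages are version-specific and "yum install" prompts interactively,
# so they are not installed here; install the right one by hand if needed:
#   yum install policycoreutils-python          # RHEL 7
#   yum install policycoreutils-python-utils    # RHEL 8, 9
# and optionally remove it again afterwards with the matching "yum remove".
# (As originally written this was "set_selinux()" with no body, which is a
# bash syntax error and aborted the paste at this point.)
# Arguments: none
# Outputs:   a hint on stderr when semanage is unavailable
# Returns:   0
#######################################
set_selinux()
{
    if ! command -v semanage >/dev/null 2>&1 ; then
        echo "semanage not found; skipping SELinux cleanup. On Red Hat systems install policycoreutils-python (RHEL 7) or policycoreutils-python-utils (RHEL 8/9) and run:" >&2
        echo "  semanage port -d -t syslogd_port_t -p tcp 65432" >&2
        return 0
    fi
    # Drop the syslogd_port_t label from TCP 65432; a missing mapping only
    # produces a warning, it must not stop the rest of the uninstall.
    semanage port -d -t syslogd_port_t -p tcp 65432 \
        || echo "warning: could not remove syslogd_port_t label from tcp/65432" >&2
    return 0
}
set_selinux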
 
 
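# rsyslog cleanup: restore_rsyslog_conf is defined above but was never invoked
# in the original script, leaving the $IncludeConfig line and
# /etc/rsyslog.d/catalogic.cfg in place. Run it before rsyslog is restarted.
restore_rsyslog_conf

# Reload the services whose configuration was changed above.
systemctl restart smb
systemctl restart systemd-journald
systemctl restart rsyslog

# Disable SMB monitoring in the agent's own configuration and restart it.
# Skip cleanly if the agent binary is not installed at the expected path.
AGENT_BIN=/opt/catalogic/guard-mode/agent/Catalogic.GuardMode.Agent
if [[ -x "${AGENT_BIN}" ]] ; then
    "${AGENT_BIN}" config update smb --enabled False
    systemctl restart Catalogic.GuardMode.Agent
else
    echo "${AGENT_BIN} not found or not executable; skipping SMB monitoring update" >&2
fi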

This script performs the following operations:

  1. Removes Full Audit from SAMBA shares

  2. Restores SAMBA Audit configuration

  3. Cleans up the rsyslog and systemd-journald drop-in configurations

  4. Checks rsyslog selectors and reports any that may need to be swapped back by hand (the script does not change them itself)

  5. Restores rsyslog configuration

  6. Adjusts SELinux settings (Red Hat family only: removes the `syslogd_port_t` label from TCP port 65432)

  7. Restarts the smb, systemd-journald and rsyslog services, disables SMB monitoring in the agent configuration, and restarts the agent
