Uninstalling GuardMode Agent on SAMBA setup

To remove GuardMode Agent from your SAMBA setup, paste the script below into a terminal on that host:

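remove_full_audit_from_shares ()
{
    # Strip every "vfs objects = full_audit" line from one Samba configuration
    # file (smb.conf itself or a file it includes).
    # Arguments: $1 - path of the configuration file to clean
    # Requires GNU grep/sed (\s, sed -i and the :a;N;$!ba slurp loop).
    local FILE="${1}"
    local STRING="vfs\s*objects\s*=\s*full_audit"
    if grep -q "${STRING}" "${FILE}" &>/dev/null ; then
        # Slurp the whole file and drop each matching line together with the
        # newline (and blank lines) that precede it.  The newline that follows
        # the line is kept, so the neighbouring lines are not joined together.
        sed -i ":a;N;\$!ba;s#\n\s*${STRING}[^\n]*##g" "${FILE}"
        # Fallback for a match on the very first line, which has no preceding
        # newline; this must operate on the same file as the pass above.
        sed -i "\#${STRING}#d" "${FILE}"
    fi
}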
 
 
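restore_smb_audit_conf()
{
    # Undo the Samba side of the agent installation: remove the full_audit vfs
    # module from smb.conf and from every configuration file it includes, drop
    # the "include = /etc/samba/catalogic.audit.conf" directive and delete that
    # include file.
    # Requires GNU grep/sed.
    local SMB_CONF="/etc/samba/smb.conf"
    local AUDIT_CONF="/etc/samba/catalogic.audit.conf"
    local INCLUDED_FILE STRING xIFS

    remove_full_audit_from_shares "${SMB_CONF}"

    # Samba accepts unquoted, double-quoted and single-quoted include paths;
    # each form is collected by its own pipeline.  Unquoted values containing a
    # quote or a backslash are skipped.  Splitting on newlines only keeps paths
    # with embedded spaces intact.
    xIFS=$IFS ; IFS=$'\n'

    # Unquoted paths: first token after "=", surrounding blanks removed.
    for INCLUDED_FILE in $( grep "^\s*include\s*=" "${SMB_CONF}" | cut -d= -f2 | grep -o "^\s*\S*" | grep -v \" | grep -v \' | grep -v \\\\ | tr -d "[:blank:]" )
        do remove_full_audit_from_shares "${INCLUDED_FILE}" ; done

    # Double-quoted paths.
    for INCLUDED_FILE in $( grep "^\s*include\s*=" "${SMB_CONF}" | cut -d= -f2 | grep -oP "^\s*\".*?\"" | grep -o "\".*\"" | tr -d '"' )
        do remove_full_audit_from_shares "${INCLUDED_FILE}" ; done

    # Single-quoted paths.
    for INCLUDED_FILE in $( grep "^\s*include\s*=" "${SMB_CONF}" | cut -d= -f2 | grep -oP "^\s*'.*?'" | grep -o "'.*'" | tr -d "'" )
        do remove_full_audit_from_shares "${INCLUDED_FILE}" ; done

    IFS=$xIFS

    STRING="include\s*=\s*/etc/samba/catalogic\.audit\.conf"
    if grep -q "${STRING}" "${SMB_CONF}" &>/dev/null ; then
        # Remove the directive with the newline that precedes it; the following
        # newline is kept so adjacent lines are not joined.
        sed -i ":a;N;\$!ba;s#\n\s*${STRING}[^\n]*##g" "${SMB_CONF}"
        # Fallback for a directive on the first line of the file.
        sed -i "\#${STRING}#d" "${SMB_CONF}"
    fi
    # The include target is a single file; no recursive removal needed.
    rm -f -- "${AUDIT_CONF}"
}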
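restore_smb_audit_conf

# Drop the journald drop-in added at install time.  It is a single file, so a
# plain (non-recursive) force-remove is all that is required.
rm -f -- /etc/systemd/journald.conf.d/99-catalogic.conf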

 
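rsyslog_selectors_info()
{
    # Explain one rsyslog selector that was apparently rewritten at install time
    # and can now be restored by hand.
    # Arguments: $1 - selector currently present in the file
    #            $2 - selector it most likely replaced
    #            $3 - file in which $1 was found
    # Outputs:   explanatory text on stdout
    local CURRENT_SELECTOR="${1}"
    local ORIGINAL_SELECTOR="${2}"
    local FILE="${3}"

    # printf with %s: the selector text is data, never a format string, and
    # backslash sequences in it are printed verbatim (echo -e would expand them).
    printf '\n'
    printf 'The selector "%s" has been found in "%s" file.\n' "${CURRENT_SELECTOR}" "${FILE}"
    printf 'Possibly the result of a swap from the selector "%s" during configuration.\n' "${ORIGINAL_SELECTOR}"
    printf 'It can now be manually swapped back to the original selector "%s".\n' "${ORIGINAL_SELECTOR}"
}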
 
 
check_rsyslog_selectors()
{
    # Inspect one rsyslog configuration file for selectors the installer may
    # have rewritten and report, for each one found, the original to restore.
    # Arguments: $1 - path of the rsyslog configuration file to inspect
    # Outputs:   per-selector notes (via rsyslog_selectors_info) and a closing
    #            hint when at least one selector was found
    local FILE="${1}"
    local FOUND=false
    local ROW PATTERN CURRENT ORIGINAL
    # One row per known rewrite: "grep pattern|current selector|original selector"
    local SELECTORS=(
        'local5\.info|local5.info|local5.debug'
        'local5\.\*;local5\.!=debug|local5.*;local5.!=debug|local5.*'
        '\*\.\*;local5\.!=debug|*.*;local5.!=debug|*.*'
    )

    for ROW in "${SELECTORS[@]}" ; do
        IFS='|' read -r PATTERN CURRENT ORIGINAL <<<"${ROW}"
        # grep errors (e.g. unreadable file) are silenced; absence is not an error here.
        if grep -q "${PATTERN}" "${FILE}" &>/dev/null ; then
            rsyslog_selectors_info "${CURRENT}" "${ORIGINAL}" "${FILE}"
            FOUND=true
        fi
    done

    if [[ "${FOUND}" == true ]] ; then
        echo
        echo "If you do not use rsyslog selectors for a specific purpose,"
        echo "you can either leave the file/files unchanged or restore it/them to its/their original state."
    fi
}
 
 
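restore_rsyslog_conf()
{
    # Remove the "$IncludeConfig /etc/rsyslog.d/catalogic.cfg" directive that
    # the installer added to /etc/rsyslog.conf, delete the included file, and
    # then point out selectors that may need restoring by hand.
    # Requires GNU sed (the :a;N;$!ba slurp loop and -i).
    local STRING='$IncludeConfig /etc/rsyslog.d/catalogic.cfg'
    local CONF_FILE

    if grep -q "${STRING}" "/etc/rsyslog.conf" &>/dev/null ; then
        # The three slurping passes trim the separator lines around the
        # directive before the final pass deletes the directive itself.
        # NOTE(review): "[^ \t]*" matches any run of characters that contains
        # no space or tab - letters and newlines included - so an adjacent line
        # without whitespace would be consumed too; confirm this only ever
        # removes the separator lines the installer wrote.
        sed -i ":a;N;\$!ba;s#\n[^ \t]*\n[^ \t]*${STRING}#\n${STRING}#g" "/etc/rsyslog.conf"
        sed -i ":a;N;\$!ba;s#${STRING}[^ \t]*\n[^ \t]*\n#${STRING}\n#g" "/etc/rsyslog.conf"
        sed -i ":a;N;\$!ba;s#${STRING}\n[^ \t]*\$#${STRING}#" "/etc/rsyslog.conf"
        sed -i "\#${STRING}#d" "/etc/rsyslog.conf"
    fi

    # The include target is a single file; no recursive removal needed.
    rm -f -- /etc/rsyslog.d/catalogic.cfg

    check_rsyslog_selectors "/etc/rsyslog.conf"
    # Only non-empty drop-ins are inspected; the -s test also skips the
    # literal glob left behind when /etc/rsyslog.d holds no *.conf files.
    for CONF_FILE in /etc/rsyslog.d/*.conf ; do
        if [ -s "${CONF_FILE}" ] ; then
            check_rsyslog_selectors "${CONF_FILE}"
        fi
    done
}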
 
 
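set_selinux()
{
    # Release the TCP port the agent registered for syslog traffic under
    # SELinux (type syslogd_port_t) so the policy no longer expects it.
    # "semanage" ships in a package whose name differs between releases
    # (RED HAT 7: policycoreutils-python; RED HAT 8, 9:
    # policycoreutils-python-utils).  It is installed only when missing and
    # removed again only if this function installed it.  Hosts without yum
    # and without semanage are skipped.
    local INSTALLED_PKG=""

    if ! command -v semanage >/dev/null 2>&1 ; then
        if ! command -v yum >/dev/null 2>&1 ; then
            printf '%s\n' "semanage is not available; skipping SELinux port cleanup" >&2
            return 0
        fi
        # RED HAT 7
        if yum install policycoreutils-python ; then
            INSTALLED_PKG="policycoreutils-python"
        # RED HAT 8, 9
        elif yum install policycoreutils-python-utils ; then
            INSTALLED_PKG="policycoreutils-python-utils"
        fi
    fi

    semanage port -d -t syslogd_port_t -p tcp 65432

    # Optional: remove the helper package again, but only if it was added above.
    if [[ -n "${INSTALLED_PKG}" ]] ; then
        yum remove "${INSTALLED_PKG}"
    fi
}
set_selinux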
 
 
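# Validate the edited Samba configuration before reloading it, so a damaged
# smb.conf does not take the running service down.  When testparm is not
# installed the restart proceeds as before.
if ! command -v testparm >/dev/null 2>&1 || testparm -s /etc/samba/smb.conf >/dev/null 2>&1 ; then
    systemctl restart smb
else
    printf '%s\n' "testparm reported errors in /etc/samba/smb.conf; smb was not restarted - review the file and restart the service manually" >&2
fi
systemctl restart systemd-journald
systemctl restart rsyslog

# Tell the agent that SMB auditing is off, then restart it to apply the change.
/opt/catalogic/guard-mode/agent/Catalogic.GuardMode.Agent config update smb --enabled False

systemctl restart Catalogic.GuardMode.Agent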

This script performs the following operations:

  1. Removes Full Audit from SAMBA shares

  2. Restores SAMBA Audit configuration

  3. Cleans up rsyslog and systemd configurations

  4. Checks and restores rsyslog selectors

  5. Restores rsyslog configuration

  6. Adjusts SELinux settings

  7. Restarts services and updates the agent configuration
