Version: GuardMode 2024.2

Uninstalling GuardMode Agent on SAMBA setup

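To remove GuardMode Agent from your SAMBA setup, paste the script below into your terminal. The script edits /etc/samba/smb.conf and /etc/rsyslog.conf in place, deletes the Catalogic configuration files and restarts services, so run it as root in bash and keep a copy of both files first.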

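#######################################
# Deletes every "vfs objects = full_audit..." line from one Samba config file.
# Arguments: $1 - path of the config file to edit in place
# Notes:
#   - The whole matching line is deleted, so any other VFS modules listed
#     after full_audit on that line are removed with it; re-add them by hand.
#   - Missing or unreadable files are skipped silently (grep fails, no edit).
#######################################
remove_full_audit_from_shares ()
{
  local file="${1}"
  local pattern="vfs\s*objects\s*=\s*full_audit"

  if grep -q "${pattern}" "${file}" &>/dev/null ; then
    # Slurp the file and drop the matching line plus any blank lines in
    # front of it. The match is replaced by a single newline, not by nothing:
    # an empty replacement would glue the previous and the next parameter
    # onto one line and silently change what the share enforces.
    sed -i ":a;N;\$!ba;s#\n\s*${pattern}[^\n]*\n#\n#g" "${file}"
    # Catch what the slurp pass cannot see (first line, back-to-back matches).
    # This must edit the file that was passed in, not always smb.conf.
    sed -i "\#${pattern}#d" "${file}"
  fi
}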


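#######################################
# Removes the GuardMode audit settings from the Samba configuration:
# full_audit lines in smb.conf and in every file it includes, the include
# of /etc/samba/catalogic.audit.conf, and that file itself.
# Arguments: none
# Notes:
#   Include targets are read from smb.conf and then edited in place, so
#   smb.conf is trusted input here; it should be writable by root only.
#######################################
restore_smb_audit_conf()
{
  local smb_conf="/etc/samba/smb.conf"
  local include_re="include\s*=\s*/etc/samba/catalogic\.audit\.conf"
  local included_file

  remove_full_audit_from_shares "${smb_conf}"

  # Read include targets one per line instead of word-splitting a command
  # substitution: paths are not glob-expanded and IFS is left alone.
  while IFS= read -r included_file ; do
    if [[ -n "${included_file}" ]] ; then
      remove_full_audit_from_shares "${included_file}"
    fi
  done < <(
    # Unquoted targets: first token, skipping anything quoted or escaped.
    # (The published listing piped into "-tr", which is not a command.)
    grep "^\s*include\s*=" "${smb_conf}" | cut -d= -f2 | grep -o "^\s*\S*" | grep -v \" | grep -v \' | grep -v \\\\ | tr -d "[:blank:]"
    # Double-quoted targets.
    grep "^\s*include\s*=" "${smb_conf}" | cut -d= -f2 | grep -oP "^\s*\".*?\"" | grep -o "\".*\"" | tr -d '"'
    # Single-quoted targets.
    grep "^\s*include\s*=" "${smb_conf}" | cut -d= -f2 | grep -oP "^\s*'.*?'" | grep -o "'.*'" | tr -d "'"
  )

  if grep -q "${include_re}" "${smb_conf}" &>/dev/null ; then
    # Replace the matched include line with one newline so the lines
    # around it are never joined into a single parameter.
    sed -i ":a;N;\$!ba;s#\n\s*${include_re}[^\n]*\n#\n#g" "${smb_conf}"
    sed -i "\#${include_re}#d" "${smb_conf}"
  fi

  # A regular file: no recursion needed.
  rm -f -- /etc/samba/catalogic.audit.conf
}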
# Undo the Samba audit changes (full_audit lines and the Catalogic include).
restore_smb_audit_conf

# Remove the Catalogic journald drop-in; systemd-journald is restarted
# further down, which is when the removal takes effect.
rm -rf -- "/etc/systemd/journald.conf.d/99-catalogic.conf"


#######################################
# Prints a notice that a swapped rsyslog selector was found in a file and
# names the selector it can be changed back to. Prints only; edits nothing.
# Arguments: $1 - selector found in the file
#            $2 - selector it presumably replaced
#            $3 - file the selector was found in
# Outputs:   one blank line followed by three lines of text on stdout
#######################################
rsyslog_selectors_info()
{
  local found_selector="${1}"
  local previous_selector="${2}"
  local conf_path="${3}"

  # %b expands backslash escapes in each argument the same way echo -e does.
  printf '%b\n' \
    "" \
    "The selector \"${found_selector}\" has been found in \"${conf_path}\" file." \
    "Possibly the result of a swap from the selector \"${previous_selector}\" during configuration." \
    "It can now be manually swapped back to the original selector \"${previous_selector}\"."
}


#######################################
# Looks for three selector forms in one rsyslog file and prints a notice
# for each one found. Report-only: the file is never modified, so any
# selector swapped during configuration stays until it is edited by hand.
# Arguments: $1 - rsyslog configuration file to inspect
# Outputs:   notices on stdout, plus a closing hint if anything was found
#######################################
check_rsyslog_selectors()
{
  local conf_path="${1}"
  local reported=0
  local idx

  # Parallel tables: grep pattern, selector as found, selector to restore.
  local -a patterns=( 'local5\.info' 'local5\.\*;local5\.!=debug' '\*\.\*;local5\.!=debug' )
  local -a found_as=( 'local5.info' 'local5.*;local5.!=debug' '*.*;local5.!=debug' )
  local -a restore_to=( 'local5.debug' 'local5.*' '*.*' )

  for idx in 0 1 2 ; do
    # Unreadable or missing files simply produce no notice.
    if grep -q "${patterns[idx]}" "${conf_path}" &>/dev/null ; then
      rsyslog_selectors_info "${found_as[idx]}" "${restore_to[idx]}" "${conf_path}"
      reported=1
    fi
  done

  if (( reported )) ; then
    echo
    echo "If you do not use rsyslog selectors for a specific purpose,"
    echo "you can either leave the file/files unchanged or restore it/them to its/their original state."
  fi
}


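#######################################
# Removes the Catalogic include directive from /etc/rsyslog.conf, deletes
# /etc/rsyslog.d/catalogic.cfg, then reports any swapped selectors left in
# rsyslog.conf and in the non-empty /etc/rsyslog.d/*.conf files.
# Arguments: none
# Notes:
#   The selector check only prints notices; swapped selectors are left for
#   the administrator to restore by hand.
#######################################
restore_rsyslog_conf()
{
  local rsyslog_conf="/etc/rsyslog.conf"
  # Literal directive (for grep -F and sed replacements) and the same text
  # escaped for use as a sed regular expression.
  local include_line='$IncludeConfig /etc/rsyslog.d/catalogic.cfg'
  local include_re='\$IncludeConfig /etc/rsyslog\.d/catalogic\.cfg'
  local conf_file

  if grep -qF -- "${include_line}" "${rsyslog_conf}" &>/dev/null ; then
    # Collapse the blank line before and after the directive, and a blank
    # last line. Only blank or whitespace-only lines may be consumed: the
    # published "[^ \t]*" matched any run of non-blank characters, newlines
    # included, so neighbouring lines without a space or tab (for example a
    # module(...) or input(...) statement) were deleted with the directive.
    sed -i ":a;N;\$!ba;s#\n[[:blank:]]*\n[[:blank:]]*${include_re}#\n${include_line}#g" "${rsyslog_conf}"
    sed -i ":a;N;\$!ba;s#${include_re}[[:blank:]]*\n[[:blank:]]*\n#${include_line}\n#g" "${rsyslog_conf}"
    sed -i ":a;N;\$!ba;s#${include_re}\n[[:blank:]]*\$#${include_line}#" "${rsyslog_conf}"
    # Finally remove the directive itself.
    sed -i "\#${include_re}#d" "${rsyslog_conf}"
  fi

  # A regular file: no recursion needed.
  rm -f -- /etc/rsyslog.d/catalogic.cfg

  check_rsyslog_selectors "${rsyslog_conf}"
  for conf_file in /etc/rsyslog.d/*.conf ; do
    # -s also skips the unexpanded pattern when no *.conf file exists.
    if [ -s "${conf_file}" ] ; then
      check_rsyslog_selectors "${conf_file}"
    fi
  done
}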


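#######################################
# Deletes the SELinux port mapping that labels TCP port 65432 as
# syslogd_port_t, installing the package that provides semanage if needed.
# Arguments: none
# Notes:
#   The published listing had this header without a body, which is a syntax
#   error in bash, and listed the install commands for both Red Hat
#   generations one after the other.
#######################################
set_selinux()
{
  # semanage comes from policycoreutils-python on Red Hat 7 and from
  # policycoreutils-python-utils on Red Hat 8 and 9. Try the newer name
  # first and fall back to the older one. -y keeps yum from reading the
  # rest of a pasted script as the answer to its confirmation prompt.
  if ! command -v semanage &>/dev/null ; then
    yum install -y policycoreutils-python-utils || yum install -y policycoreutils-python
  fi

  semanage port -d -t syslogd_port_t -p tcp 65432
}

# restore_rsyslog_conf is defined earlier in the listing but was never
# invoked there; run it before rsyslog is restarted so the Catalogic include
# is gone when the daemon reloads its configuration.
restore_rsyslog_conf
set_selinux

# Optional: remove the SELinux tooling again. Do this only if it was
# installed solely for GuardMode; other tooling may depend on semanage.
# yum remove policycoreutils-python          # Red Hat 7
# yum remove policycoreutils-python-utils    # Red Hat 8, 9

# Restart the services whose configuration was changed above.
systemctl restart smb
systemctl restart systemd-journald
systemctl restart rsyslog

# Turn SMB monitoring off in the agent configuration, then restart the agent
# so it picks the change up.
/opt/catalogic/guard-mode/agent/Catalogic.GuardMode.Agent config update smb --enabled False

systemctl restart Catalogic.GuardMode.Agent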

This script performs the following operations:

  1. Removes Full Audit from SAMBA shares
  2. Restores SAMBA Audit configuration
  3. Cleans up rsyslog and systemd Configurations
  4. Checks and restores rsyslog selectors
  5. Restores rsyslog configuration
  6. Adjusts SELinux settings
  7. Restarts services and updates configurations