#!/usr/bin/sh
# Script to concatenate rules files found in a base audit rules directory
# to form a single /etc/audit/audit.rules file suitable for loading into
# the Linux audit system
# When forming the interim rules file, both empty lines and comment
# lines (starting with # or <whitespace>#) are stripped as the source files
# are processed.
#
# Having formed the interim rules file, the script checks if the file is empty
# or is identical to the existing /etc/audit/audit.rules and if either of
# these cases are true, it does not replace the existing file
#
# Variables
#
# DestinationFile:
# Destination rules file
# SourceRulesDir:
# Directory location to find component rule files
# TmpRules:
# Temporary interim rules file
# ASuffix:
# Suffix for previous audit.rules file if this script replaces it.
# The file is left in the destination directory with suffix with $ASuffix
DestinationFile=/etc/audit/audit.rules
SourceRulesDir=/etc/audit/rules.d
TmpRules=$(mktemp /tmp/aurules.XXXXXXXX)
ASuffix="prev"
OnlyCheck=0
LoadRules=0
RETVAL=0
cmd="$0"
usage="Usage: $cmd [--check|--load]"
# Delete the interim file on faults
trap 'rm -f ${TmpRules}; exit 1' HUP INT QUIT PIPE TERM
try_load() {
if [ $LoadRules -eq 1 ] ; then
/sbin/auditctl -R ${DestinationFile}
RETVAL=$?
fi
}
# Check if audit is in immutable mode - exit if so
check_immutable () {
if [ "$(auditctl -s | awk '$1 == "enabled" { print $2 }')" = "2" ] ; then
echo "$cmd: Audit system is in immutable mode - exiting with no changes"
exit 0
fi
}
while [ $# -ge 1 ]
do
if [ "$1" = "--check" ] ; then
OnlyCheck=1
elif [ "$1" = "--load" ] ; then
LoadRules=1
else
echo "$usage"
exit 1
fi
shift
done
# Check environment
if [ ! -d ${SourceRulesDir} ]; then
echo "$cmd: No rules directory - ${SourceRulesDir}"
rm -f "${TmpRules}"
try_load
exit 1
fi
# Create the interim rules file ensuring its access modes protect it
# from normal users and strip empty lines and comment lines. We also ensure
# - the last processed -D directive without an option is emitted as the first
# line. -D directives with options are left in place
# - the last processed -b directory is emitted as the second line
# - the last processed -f directory is emitted as the third line
# - the last processed -e directive is emitted as the last line
umask 0137
echo "## This file is automatically generated from $SourceRulesDir" >> "${TmpRules}"
for rules in $(/bin/ls -1v ${SourceRulesDir} | grep "\.rules$") ; do
cat ${SourceRulesDir}/"${rules}"
done | awk '
BEGIN {
minus_e = "";
minus_D = "";
minus_f = "";
minus_b = "";
rest = 0;
} {
sub(/\r$/, "");
if (length($0) < 1) { next; }
if (match($0, "^\\s*#")) { next; }
if (match($0, "^\\s*-e")) { minus_e = $0; next; }
if (match($0, "^\\s*-D\\s*$")) { minus_D = $0; next; }
if (match($0, "^\\s*-f")) { minus_f = $0; next; }
if (match($0, "^\\s*-b")) { minus_b = $0; next; }
rules[rest++] = $0;
}
END {
printf "%s\n%s\n%s\n", minus_D, minus_b, minus_f;
for (i = 0; i < rest; i++) { printf "%s\n", rules[i]; }
printf "%s\n", minus_e;
}' >> "${TmpRules}"
# If empty then quit
if [ ! -s "${TmpRules}" ]; then
echo "$cmd: No rules"
rm -f "${TmpRules}"
try_load
exit $RETVAL
fi
# If the same then quit
cmp -s "${TmpRules}" ${DestinationFile} > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "$cmd: No change"
rm -f "${TmpRules}"
check_immutable
try_load
exit $RETVAL
elif [ $OnlyCheck -eq 1 ] ; then
echo "$cmd: Rules have changed and should be updated"
rm -f "${TmpRules}"
exit 0
fi
# Otherwise we install the new file
check_immutable
if [ -f ${DestinationFile} ]; then
cp ${DestinationFile} ${DestinationFile}.${ASuffix}
fi
# We copy the file so that it gets the right selinux lable
cp "${TmpRules}" ${DestinationFile}
chmod 0640 ${DestinationFile}
# Restore context on MLS system. /tmp is SystemLow & audit.rules is SystemHigh
if [ -x /usr/sbin/restorecon ] ; then
/usr/sbin/restorecon -F ${DestinationFile}
fi
rm -f "${TmpRules}"
try_load
exit $RETVAL
All system for education purposes only. For more tools: Telegram @jackleet