#!/bin/sh
# Script to concatenate rules files found in a base audit rules directory
# to form a single /etc/audit/audit.rules file suitable for loading into
# the Linux audit system
# When forming the interim rules file, both empty lines and comment
# lines (starting with # or <whitespace>#) are stripped as the source files
# are processed.
#
# Having formed the interim rules file, the script checks if the file is empty
# or is identical to the existing /etc/audit/audit.rules and if either of
# these cases are true, it does not replace the existing file
#
# Variables
#
# DestinationFile:
# Destination rules file
# SourceRulesDir:
# Directory location to find component rule files
# TmpRules:
# Temporary interim rules file
# ASuffix:
# Suffix for previous audit.rules file if this script replaces it.
# The file is left in the destination directory with suffix with $ASuffix
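# Paths and defaults (described in the header above). The variable names are
# part of the script's documented interface and are kept as-is.
DestinationFile=/etc/audit/audit.rules
SourceRulesDir=/etc/audit/rules.d
ASuffix="prev"
OnlyCheck=0
LoadRules=0
RETVAL=0
cmd="$0"
usage="Usage: $cmd [--check|--load]"
# Interim rules file: mktemp creates it with an unpredictable name and mode
# 0600, so other users cannot read or pre-create it. Abort if mktemp fails
# instead of continuing with an empty path - every later redirection and copy
# would otherwise target "" and the rest of the script would run against no
# interim file at all.
TmpRules=$(mktemp /tmp/aurules.XXXXXXXX) || TmpRules=""
if [ -z "${TmpRules}" ] ; then
  echo "$cmd: Unable to create interim rules file" >&2
  exit 1
fi
# Delete the interim file on faults. EXIT is not trapped, so every normal
# exit path below removes the file itself.
trap 'rm -f "${TmpRules}"; exit 1' HUP INT QUIT PIPE TERM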
#######################################
# Load the destination rules file with auditctl -R when --load was given.
# Globals:   LoadRules (read), DestinationFile (read), RETVAL (written with
#            auditctl's exit status)
# Arguments: none
# Returns:   0; the auditctl status is reported through RETVAL, not the
#            function's return value. A no-op unless LoadRules is 1.
#######################################
try_load() {
  [ "$LoadRules" -eq 1 ] || return 0
  /sbin/auditctl -R "${DestinationFile}"
  RETVAL=$?
}
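#######################################
# Check if audit is in immutable mode - exit if so.
# Reads the "enabled" field of `auditctl -s`; it reports 2 once the
# configuration has been locked (auditctl -e 2), in which case replacing
# audit.rules achieves nothing and a -R load would fail. auditctl is called
# by absolute path, as in try_load, so the lookup does not depend on PATH.
# If auditctl cannot be run the field is empty and the script proceeds as if
# the system were not immutable.
# Globals:   cmd (read)
# Arguments: none
# Outputs:   a message on stdout when exiting
# Returns:   0 when not immutable; exits 0 when immutable
#######################################
check_immutable () {
  if [ "$(/sbin/auditctl -s | awk '$1 == "enabled" { print $2 }')" = "2" ] ; then
    echo "$cmd: Audit system is in immutable mode - exiting with no changes"
    exit 0
  fi
}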
# Command line: --check only reports whether the rules differ from the
# installed file, --load additionally loads the result with auditctl -R.
# Anything else is a usage error.
while [ $# -ge 1 ] ; do
  case "$1" in
    --check)
      OnlyCheck=1
      ;;
    --load)
      LoadRules=1
      ;;
    *)
      echo "$usage"
      exit 1
      ;;
  esac
  shift
done
# Check environment: without a rules directory there is nothing to build.
# The existing destination file is still loaded if --load was requested,
# and the exit status is 1 regardless.
if ! [ -d "${SourceRulesDir}" ] ; then
  echo "$cmd: No rules directory - ${SourceRulesDir}"
  rm -f "${TmpRules}"
  try_load
  exit 1
fi
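# Create the interim rules file ensuring its access modes protect it
# from normal users and strip empty lines and comment lines. We also ensure
# - the last processed -D directive without an option is emitted as the first
#   line. -D directives with options are left in place
# - the last processed -b directive is emitted as the second line
# - the last processed -f directive is emitted as the third line
# - the last processed -e directive is emitted as the last line

#######################################
# Merge rule fragments read from stdin into one rules stream.
# A trailing CR is stripped from every line; blank lines and comment lines
# (a '#' optionally preceded by whitespace) are dropped. The last bare "-D",
# the last "-b" and the last "-f" line are moved to the front in that order
# and the last "-e" line to the end. The three leading slots and the -e slot
# are printed even when empty, so the output always has at least four lines.
# Arguments: none (reads stdin)
# Outputs:   merged rules on stdout
#######################################
merge_rule_fragments() {
  awk '
  BEGIN {
    minus_e = "";
    minus_D = "";
    minus_f = "";
    minus_b = "";
    rest = 0;
  }
  {
    sub(/\r$/, "");
    if (length($0) < 1) { next; }
    # [[:space:]] rather than \s: \s is a gawk extension, not POSIX awk
    if (match($0, "^[[:space:]]*#")) { next; }
    if (match($0, "^[[:space:]]*-e")) { minus_e = $0; next; }
    if (match($0, "^[[:space:]]*-D[[:space:]]*$")) { minus_D = $0; next; }
    if (match($0, "^[[:space:]]*-f")) { minus_f = $0; next; }
    if (match($0, "^[[:space:]]*-b")) { minus_b = $0; next; }
    rules[rest++] = $0;
  }
  END {
    printf "%s\n%s\n%s\n", minus_D, minus_b, minus_f;
    for (i = 0; i < rest; i++) { printf "%s\n", rules[i]; }
    printf "%s\n", minus_e;
  }'
}

# Files created from here on (the audit.rules copy and its backup) get mode
# 0640. The interim file itself was already created 0600 by mktemp.
umask 0137
echo "## This file is automatically generated from $SourceRulesDir" >> "${TmpRules}"
# ls -v (version sort) keeps numbered fragments in natural order, e.g.
# 9-x.rules before 10-y.rules, which a plain shell glob would not. Names are
# read one per line so that whitespace or glob characters in a file name do
# not get split or expanded.
/bin/ls -1v "${SourceRulesDir}" | grep '\.rules$' | while IFS= read -r rules ; do
  cat -- "${SourceRulesDir}/${rules}"
done | merge_rule_fragments >> "${TmpRules}"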
# If empty then quit.
# NOTE(review): the header line appended above and the unconditional -D/-b/-f
# slots printed by the awk END block mean the interim file is non-empty even
# for an empty rules.d; this branch is only taken when nothing could be
# written to the interim file at all.
[ -s "${TmpRules}" ] || {
  echo "$cmd: No rules"
  rm -f "${TmpRules}"
  try_load
  exit $RETVAL
}
# If the same then quit. cmp's diagnostics are silenced, so a missing
# destination simply counts as "different".
if cmp -s "${TmpRules}" "${DestinationFile}" > /dev/null 2>&1 ; then
  echo "$cmd: No change"
  rm -f "${TmpRules}"
  check_immutable
  try_load
  exit $RETVAL
fi
# --check: report the difference without touching the installed file
if [ "$OnlyCheck" -eq 1 ] ; then
  echo "$cmd: Rules have changed and should be updated"
  rm -f "${TmpRules}"
  exit 0
fi
# Otherwise we install the new file
check_immutable
# Keep the previous rules as ${DestinationFile}.${ASuffix} (mode from umask)
if test -f "${DestinationFile}" ; then
  cp "${DestinationFile}" "${DestinationFile}.${ASuffix}"
fi
# Copy rather than move so the new file gets the SELinux label of its
# destination instead of /tmp's. Note this overwrites in place, so the
# replacement is not atomic - presumably accepted for the labelling benefit.
cp "${TmpRules}" "${DestinationFile}"
chmod 0640 "${DestinationFile}"
# Restore context on MLS system. /tmp is SystemLow & audit.rules is SystemHigh
if test -x /usr/sbin/restorecon ; then
  /usr/sbin/restorecon -F "${DestinationFile}"
fi
rm -f "${TmpRules}"
try_load
exit "$RETVAL"