3 # Script to concatenate rules files found in a base audit rules directory
4 # to form a single /etc/audit/audit.rules file suitable for loading into
5 # the Linux audit system
7 # When forming the interim rules file, both empty lines and comment
8 # lines (starting with # or <whitespace>#) are stripped as the source files
11 # Having formed the interim rules file, the script checks if the file is empty
12 # or is identical to the existing /etc/audit/audit.rules and if either of
13 # these cases are true, it does not replace the existing file
19 # Destination rules file
21 # Directory location to find component rule files
23 # Temporary interim rules file
25 # Suffix for previous audit.rules file if this script replaces it.
26 # The file is left in the destination directory with suffix with $ASuffix
28 DestinationFile=/etc/audit/audit.rules
29 SourceRulesDir=/etc/audit/rules.d
30 TmpRules=`mktemp /tmp/aurules.XXXXXXXX`
35 usage="Usage: $0 [--check|--load]"
37 # Delete the interim file on faults
38 trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15
41 if [ $LoadRules -eq 1 ] ; then
42 auditctl -R ${DestinationFile}
49 if [ "$1" = "--check" ] ; then
51 elif [ "$1" = "--load" ] ; then
61 if [ ! -d ${SourceRulesDir} ]; then
62 echo "$0: No rules directory - ${SourceRulesDir}"
68 # Create the interim rules file ensuring its access modes protect it
69 # from normal users and strip empty lines and comment lines. We also ensure
70 # - the last processed -D directive without an option is emitted as the first
71 # line. -D directives with options are left in place
72 # - the last processed -b directory is emitted as the second line
73 # - the last processed -f directory is emitted as the third line
74 # - the last processed -e directive is emitted as the last line
76 echo "## This file is automatically generated from $SourceRulesDir" >> ${TmpRules}
77 for rules in $(/bin/ls -1v ${SourceRulesDir} | grep ".rules$") ; do
78 cat ${SourceRulesDir}/${rules}
87 if (length($0) < 1) { next; }
88 if (match($0, "^\\s*#")) { next; }
89 if (match($0, "^\\s*-e")) { minus_e = $0; next; }
90 if (match($0, "^\\s*-D\\s*$")) { minus_D = $0; next; }
91 if (match($0, "^\\s*-f")) { minus_f = $0; next; }
92 if (match($0, "^\\s*-b")) { minus_b = $0; next; }
96 printf "%s\n%s\n%s\n", minus_D, minus_b, minus_f;
97 for (i = 0; i < rest; i++) { printf "%s\n", rules[i]; }
98 printf "%s\n", minus_e;
102 if [ ! -s ${TmpRules} ]; then
109 # If the same then quit
110 cmp -s ${TmpRules} ${DestinationFile} > /dev/null 2>&1
111 if [ $? -eq 0 ]; then
116 elif [ $OnlyCheck -eq 1 ] ; then
117 echo "$0: Rules have changed and should be updated"
121 # Otherwise we install the new file
122 if [ -f ${DestinationFile} ]; then
123 cp ${DestinationFile} ${DestinationFile}.prev
125 # We copy the file so that it gets the right selinux lable
126 cp ${TmpRules} ${DestinationFile}