Imported Upstream version 2.4.3

[platform/upstream/audit.git] / init.d / augenrules

#!/bin/bash

# Script to concatenate rules files found in a base audit rules directory
# to form a single /etc/audit/audit.rules file suitable for loading into
# the Linux audit system

# When forming the interim rules file, both empty lines and comment
# lines (starting with # or <whitespace>#) are stripped as the source files
# are processed.
#
# Having formed the interim rules file, the script checks if the file is empty
# or is identical to the existing /etc/audit/audit.rules and if either of
# these cases are true, it does not replace the existing file
#

# Variables
#
# DestinationFile:
#   Destination rules file
# SourceRulesDir:
#   Directory location to find component rule files
# TmpRules:
#   Temporary interim rules file
# ASuffix:
#   Suffix for previous audit.rules file if this script replaces it.
#   The file is left in the destination directory with suffix with $ASuffix

DestinationFile=/etc/audit/audit.rules
SourceRulesDir=/etc/audit/rules.d
TmpRules=`mktemp /tmp/aurules.XXXXXXXX`
ASuffix="prev"
OnlyCheck=0
LoadRules=0
RETVAL=0
usage="Usage: $0 [--check|--load]"

# Delete the interim file on faults
trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15

try_load() {
        if [ $LoadRules -eq 1 ] ; then
                auditctl -R ${DestinationFile}
                RETVAL=$?
        fi
}

while [ $# -ge 1 ]
do
        if [ "$1" = "--check" ] ; then
                OnlyCheck=1
        elif [ "$1" = "--load" ] ; then
                LoadRules=1
        else
                echo "$usage"
                exit 1
        fi
        shift
done

# Check environment
if [ ! -d ${SourceRulesDir} ]; then
        echo "$0: No rules directory - ${SourceRulesDir}"
        rm -f ${TmpRules}
        try_load
        exit 1
fi

# Create the interim rules file ensuring its access modes protect it
# from normal users and strip empty lines and comment lines. We also ensure
#   - the last processed -D directive without an option is emitted as the first
#     line. -D directives with options are left in place
#   - the last processed -b directory is emitted as the second line
#   - the last processed -f directory is emitted as the third line
#   - the last processed -e directive is emitted as the last line
umask 0137
echo "## This file is automatically generated from $SourceRulesDir" >> ${TmpRules}
for rules in $(/bin/ls -1v ${SourceRulesDir} | grep ".rules$") ; do
        cat ${SourceRulesDir}/${rules}
done | awk '\
BEGIN   {
        minus_e = "";
        minus_D = "";
        minus_f = "";
        minus_b = "";
        rest = 0;
} {
        if (length($0) < 1) { next; }
        if (match($0, "^\\s*#")) { next; }
        if (match($0, "^\\s*-e")) { minus_e = $0; next; }
        if (match($0, "^\\s*-D\\s*$")) { minus_D = $0; next; }
        if (match($0, "^\\s*-f")) { minus_f = $0; next; }
        if (match($0, "^\\s*-b")) { minus_b = $0; next; }
        rules[rest++] = $0;
}
END     {
        printf "%s\n%s\n%s\n", minus_D, minus_b, minus_f;
        for (i = 0; i < rest; i++) { printf "%s\n", rules[i]; }
        printf "%s\n", minus_e;
}' >> ${TmpRules}

# If empty then quit
if [ ! -s ${TmpRules} ]; then
        echo "$0: No rules"
        rm -f ${TmpRules}
        try_load
        exit $RETVAL
fi

# If the same then quit
cmp -s ${TmpRules} ${DestinationFile} > /dev/null 2>&1
if [ $? -eq 0 ]; then
        echo "$0: No change"
        rm -f ${TmpRules}
        try_load
        exit $RETVAL
elif [ $OnlyCheck -eq 1 ] ; then
        echo "$0: Rules have changed and should be updated"
        exit 0
fi

# Otherwise we install the new file
if [ -f ${DestinationFile} ]; then
        cp ${DestinationFile} ${DestinationFile}.prev
fi
# We copy the file so that it gets the right selinux lable
cp ${TmpRules} ${DestinationFile}
rm -f ${TmpRules}

try_load
exit $RETVAL