
Autoupdate script

Open — DavidOsipov opened this issue 1 year ago • 1 comment

Hi Florian,

Thank you for the rules you're maintaining. I've written a small script to automatically update my local auditd rules from this repo. You and others might be interested in using it too.

Script
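#!/bin/bash
#
# auditd rules auto-updater: fetch audit.rules from the Neo23x0/auditd
# repository and, if it differs from the local copy, back up the local file,
# install the new one and reload auditd.
#
# Trust model (read before scheduling this from cron): whatever is served for
# REMOTE_RULES_URL is installed as root-owned audit policy. Integrity rests on
# TLS to raw.githubusercontent.com and on control of that repository's master
# branch; nothing here verifies a signature. Pin the URL to a specific commit
# and/or set EXPECTED_REMOTE_B3SUM (the digest printed by `b3sum --no-names`
# for the expected file) to refuse anything else.
#
# Requires root: every write target below lives under /etc/audit or /var/log.

set -e
set -u
set -o pipefail

# Fail early with a readable message instead of an opaque permission error
# from the first mkdir/cp below.
if (( EUID != 0 )); then
    printf '%s\n' "This script must run as root (it writes /etc/audit and reloads auditd)." >&2
    exit 1
fi

# Paths and URLs (constants)
readonly LOCAL_RULES="/etc/audit/rules.d/audit.rules"
readonly REMOTE_RULES_URL="https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules"
readonly LOG_FILE="/var/log/custom_logs/auditd_updater.log"
readonly BACKUP_FILE="/etc/audit/rules.d/audit.rules.bak"
readonly B3SUM_CMD="b3sum"
# Optional pin taken from the environment; empty means "accept whatever the
# URL serves" (the original behaviour).
EXPECTED_REMOTE_B3SUM="${EXPECTED_REMOTE_B3SUM:-}"

# Create the log directory if it doesn't exist. Without it every log_message
# call would fail and, under set -e, abort the script with no diagnostic.
mkdir -p "$(dirname "$LOG_FILE")" || {
    printf '%s\n' "Cannot create log directory for $LOG_FILE" >&2
    exit 1
}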

# Append one timestamped, levelled line to $LOG_FILE.
# Arguments: $1 - level tag (INFO, ERROR, ...)
#            $2 - message text
# Globals:   LOG_FILE (read)
# Outputs:   nothing on stdout; appends "[ts] [LEVEL] message" to the log file
log_message() {
    local lvl="$1" msg="$2" stamp
    stamp="$(date +"%Y-%m-%d %H:%M:%S")"
    printf '[%s] [%s] %s\n' "$stamp" "$lvl" "$msg" >> "$LOG_FILE"
}

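# Ensure the checksum tool named by $B3SUM_CMD is available, installing the
# "b3sum" package with apt-get or yum if it is not.
# Globals:   B3SUM_CMD (read), LOG_FILE (via log_message)
# Exits 1 (after logging) when no package manager is found, when the install
# fails, or when the command is still missing after a "successful" install.
# Whether a b3sum package exists in the host's repositories is not checked
# here — that depends on the distribution.
check_and_install_b3sum() {
    # Look for the same command the rest of the script invokes, not a literal
    # "b3sum", so changing B3SUM_CMD keeps the two in step.
    if command -v "$B3SUM_CMD" >/dev/null 2>&1; then
        log_message "INFO" "b3sum is already installed."
        return 0
    fi

    log_message "INFO" "b3sum not found. Installing..."
    if command -v apt-get >/dev/null 2>&1; then
        # Both steps checked explicitly: in the original `a && b`, a failing
        # apt-get update skipped the install and fell through to the
        # "installed successfully" log line.
        if ! apt-get update || ! apt-get install -y b3sum; then
            log_message "ERROR" "apt-get failed to install b3sum."
            exit 1
        fi
    elif command -v yum >/dev/null 2>&1; then
        if ! yum install -y b3sum; then
            log_message "ERROR" "yum failed to install b3sum."
            exit 1
        fi
    else
        log_message "ERROR" "Package manager not found. Cannot install b3sum."
        exit 1
    fi

    # Trust the result only if the command is actually resolvable now.
    if ! command -v "$B3SUM_CMD" >/dev/null 2>&1; then
        log_message "ERROR" "b3sum install reported success but '$B3SUM_CMD' is still not in PATH."
        exit 1
    fi
    log_message "INFO" "b3sum installed successfully."
}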

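# Print the digest of $1, as produced by `$B3SUM_CMD --no-names`, on stdout.
# Arguments: $1 - path of the file to hash
# Globals:   B3SUM_CMD (read), LOG_FILE (via log_message)
# Exits 1 (after logging) when the file is unreadable or the hash command
# fails. Callers run this in $(...), so the exit only ends that subshell; the
# assignment then fails and set -e stops the caller.
calculate_checksum() {
    local file_path="$1"
    local checksum   # scoped here; the original left it as a global

    # Give a precise reason for the common failure (missing/unreadable file)
    # rather than only the generic one from the hash tool.
    if [[ ! -r "$file_path" ]]; then
        log_message "ERROR" "Checksum calculation failed: $file_path is missing or unreadable"
        exit 1
    fi
    if ! checksum=$("$B3SUM_CMD" --no-names "$file_path"); then
        log_message "ERROR" "Checksum calculation failed for $file_path"
        exit 1
    fi
    printf '%s\n' "$checksum"
}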

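# Download the upstream rules file into $1 and sanity-check it.
# Arguments: $1 - path of a writable temp file to fill
# Globals:   REMOTE_RULES_URL (read), LOG_FILE (via log_message)
# Returns:   0 when the fetch returned HTTP 200, the file is non-empty and it
#            carries the expected header; 1 otherwise (after logging why).
download_remote_file() {
    local temp_file="$1"
    local http_status curl_rc=0

    # --proto '=https' refuses any non-HTTPS scheme (also via redirect),
    # --max-time bounds a hung fetch when run from cron, and -S keeps curl's
    # own error text on stderr despite -s. The status is captured with
    # `|| curl_rc=$?` because under set -e a failing $(curl -f ...) assignment
    # aborted the script before the error line below could be logged.
    http_status=$(curl --proto '=https' --tlsv1.2 --max-time 60 -sS -f \
        -w '%{http_code}' -o "$temp_file" "$REMOTE_RULES_URL") || curl_rc=$?
    # String comparison on purpose: with `[ "$x" -ne 200 ]` an empty or
    # non-numeric $http_status made the test itself error out, which `if`
    # treated as "not failed".
    if [[ "$curl_rc" -ne 0 || "$http_status" != "200" ]]; then
        log_message "ERROR" "Failed to download from $REMOTE_RULES_URL, curl exit code: $curl_rc, HTTP status code: ${http_status:-none}"
        return 1
    fi
    if [[ ! -s "$temp_file" ]]; then
        log_message "ERROR" "Downloaded file from $REMOTE_RULES_URL is empty"
        return 1
    fi

    # Every line of this header must appear within the first 11 lines of the
    # download. The original passed the whole block to one `grep -F`, which
    # treats each line of a multi-line pattern as an alternative, so a lone
    # "#" line in any comment-bearing file was enough to pass.
    local expected_header="#      ___             ___ __      __
#     /   | __  ______/ (_) /_____/ /
#    / /| |/ / / / __  / / __/ __  /
#   / ___ / /_/ / /_/ / / /_/ /_/ /
#  /_/  |_\__,_/\__,_/_/\__/\__,_/
#
# Linux Audit Daemon - Best Practice Configuration
# /etc/audit/audit.rules
#
# Compiled by Florian Roth
#"
    local header_head line
    header_head=$(head -n 11 "$temp_file")
    while IFS= read -r line; do
        if ! grep -Fq -- "$line" <<<"$header_head"; then
            log_message "ERROR" "Downloaded file does not contain the expected header (missing: $line)"
            return 1
        fi
    done <<<"$expected_header"

    # NOTE: the header check only detects a wrong or garbled download (an HTML
    # error page, a truncated file). It is not authentication: anything served
    # for REMOTE_RULES_URL over TLS is accepted as root-installed audit policy.
    return 0
}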

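# Load the updated rules into auditd.
# Globals:   LOG_FILE (via log_message)
# Returns:   the status of the reload command, or 1 (after logging) when no
#            known mechanism is present.
#
# `augenrules --load` is tried first: it merges /etc/audit/rules.d/*.rules
# (where LOCAL_RULES lives) and loads the result into the running daemon,
# which is what the auditd unit does at start — no restart needed. On
# distributions whose auditd.service sets RefuseManualStop=yes (the upstream
# default), `systemctl restart auditd` is refused outright, so it is kept
# only as a late fallback behind the legacy `service` path.
restart_auditd_service() {
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load
    elif command -v service >/dev/null 2>&1; then
        service auditd restart
    elif command -v systemctl >/dev/null 2>&1; then
        systemctl restart auditd
    elif command -v initctl >/dev/null 2>&1; then
        initctl restart auditd
    else
        log_message "ERROR" "Unable to determine the method to reload the auditd rules. Please reload/restart the auditd service manually."
        # return, not exit, so the caller's own failure handling and log line run
        return 1
    fi
}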

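# Main script execution
log_message "INFO" "Starting audit.rules update process."

# Check and install b3sum if necessary
check_and_install_b3sum

# Create the temporary download target; mktemp gives an unpredictable name
# with a private mode. Log before exiting so the failure is not silent.
TEMP_FILE=$(mktemp /var/tmp/audit.rules.XXXXXX) || {
    log_message "ERROR" "Unable to create a temporary file under /var/tmp."
    exit 1
}
# Ensure the temporary file is removed on every exit path (success, error,
# or an early exit 0 below).
trap 'rm -f -- "$TEMP_FILE"' EXIT

# Calculate the local file checksum (calculate_checksum aborts, with a log
# line, if the file is missing or unreadable).
local_checksum=$(calculate_checksum "$LOCAL_RULES")

# Download the remote file
if ! download_remote_file "$TEMP_FILE"; then
    log_message "ERROR" "Update failed."
    exit 1
fi

# Calculate remote file checksum
remote_checksum=$(calculate_checksum "$TEMP_FILE")

# Optional pin: when EXPECTED_REMOTE_B3SUM is set in the environment, refuse
# content that does not match it. Without a pin, the only thing between the
# repository's master branch and root-installed audit policy is TLS.
if [[ -n "${EXPECTED_REMOTE_B3SUM:-}" && "$remote_checksum" != "${EXPECTED_REMOTE_B3SUM:-}" ]]; then
    log_message "ERROR" "Remote checksum $remote_checksum does not match the pinned EXPECTED_REMOTE_B3SUM; refusing to install."
    exit 1
fi

# Compare checksums; nothing to do if the local copy already matches.
if [[ "$local_checksum" == "$remote_checksum" ]]; then
    log_message "INFO" "No update needed. Exiting."
    exit 0
fi

# Backup the existing local file
cp -- "$LOCAL_RULES" "$BACKUP_FILE"
log_message "INFO" "Backup created at $BACKUP_FILE"

# Copy the new content over the existing file rather than `mv -b` the temp
# file into place: overwriting in place keeps the target's owner, mode and
# (on SELinux systems) label, whereas a file moved out of /var/tmp carries
# the temp file's. The `audit.rules~` sidecar that -b left behind was also
# redundant with BACKUP_FILE.
cp -- "$TEMP_FILE" "$LOCAL_RULES"

# Recalculate the local checksum for verification
new_local_checksum=$(calculate_checksum "$LOCAL_RULES")

# Verify the update; on mismatch restore the backup so a half-written file
# is never left in rules.d.
if [[ "$new_local_checksum" != "$remote_checksum" ]]; then
    log_message "ERROR" "Update failed: Checksums do not match! Restoring $BACKUP_FILE."
    cp -- "$BACKUP_FILE" "$LOCAL_RULES"
    exit 1
fi
log_message "INFO" "audit.rules updated successfully."

# Load the new rules into auditd
if ! restart_auditd_service; then
    log_message "ERROR" "Failed to restart auditd service."
    exit 1
fi
log_message "INFO" "auditd service restarted."

log_message "INFO" "Finished audit.rules update process."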

— DavidOsipov, May 26 '24 10:05

Check out this one as well:

https://gitlab.com/ndaal_open_source/ndaal_public_auditd/-/blob/main/dataset/audit_best_practices.rules?ref_type=heads

— Pierre-Gronau-ndaal, Jul 20 '24 15:07