## V8.13.096.2025.10.09

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/9996_auditd.chroot

@@ -338,58 +338,38 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules
 -e 2
 EOF
 
-chmod 0640 /etc/audit/rules.d/*.rules
+shopt -s nullglob
+rules=(/etc/audit/rules.d/*.rules)
+if (( ${#rules[@]} == 0 )); then
+  log "ERROR: /etc/audit/rules.d is empty. Seed rules before this hook."
+  exit 127
+fi
 
-### Sanity checks: reject empty or malformed rulesets early.
 if ! /sbin/augenrules --check >/dev/null 2>&1; then
-
-  log "ERROR: [/sbin/augenrules --check] failed. Please fix /etc/audit/rules.d/*.rules"
-  exit 1
-
+  log "ERROR: augenrules --check failed. Fix the *.rules first."
+  exit 128
 fi
 
-if /sbin/augenrules; then
+# shellcheck disable=2155
+declare tmp="$(mktemp)"
+printf '%s\0' "${rules[@]}" \
+  | xargs -0 -I{} basename "{}" \
+  | sort -V \
+  | while read -r fname; do
+    f="/etc/audit/rules.d/${fname}"
+    ### Normalize CRLF and strip UTF-8 BOM.
+    sed -e 's/\r$//' -e '1s/^\xEF\xBB\xBF//' "${f}" >> "${tmp}"
+    printf '\n' >> "${tmp}"
+  done
 
-  log "INFO: [/sbin/augenrules] successful."
-
-else
-
-  log "ERROR: [/sbin/augenrules] failed."
+install -m 0600 -o root -g root "${tmp}" /etc/audit/audit.rules
+rm -f "${tmp}"
 
+if ! grep -Eq '(^-a|^-w|^-e[[:space:]]+1|^-e[[:space:]]+2)' /etc/audit/audit.rules; then
+  log "WARN: /etc/audit/audit.rules contains no -a/-w rules or '-e 1/2'; is this intended?"
 fi
 
-### Permissions hardening (augenrules typically sets sane perms; enforce anyway).
-### 0600 is conservative; 0640 root:root is also acceptable.
-if [[ -f /etc/audit/audit.rules ]]; then
-
-  chown root:root /etc/audit/audit.rules
-  chmod 0640 /etc/audit/audit.rules
-
-else
-
-  log "ERROR: Expected /etc/audit/audit.rules was not created"
-  exit 2
-
-fi
-
-### Minimal enablement checks for the first boot.
-### Ensure auditd will try to load rules at boot (systemd unit usually does this).
-### No-op on systems where auditd is socket-activated or already preset.
-if command -v systemctl >/dev/null 2>&1; then
-
-  ### Do not 'enable' in live images unless desired; we only make sure the unit exists.
-  systemctl --no-reload --quiet cat auditd.service >/dev/null || log "WARN: auditd.service not found at build time"
-
-fi
-
-### Quick validation that the merged file is non-trivial.
-if ! grep -Eq '(^-a|^-w|^-e\s+1)' /etc/audit/audit.rules; then
-
-  log "WARN: /etc/audit/audit.rules contains no active rules (-a/-w/-e). Is this intended?"
-
-fi
-
-log "Done. /etc/audit/audit.rules is precompiled."
+log "Done. /etc/audit/audit.rules generated at build-time (no kernel load)."
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"