From 474b34afd307eed72b50bdc3684b1bc308c1f573ddfb6da8286324af603c6d6e Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Thu, 9 Oct 2025 23:26:55 +0100 Subject: [PATCH] ## V8.13.096.2025.10.09 Signed-off-by: Marc S. Weidner --- config/hooks/live/9996_auditd.chroot | 68 ++++++++++------------------ 1 file changed, 24 insertions(+), 44 deletions(-) diff --git a/config/hooks/live/9996_auditd.chroot b/config/hooks/live/9996_auditd.chroot index 62fec8f..080760f 100644 --- a/config/hooks/live/9996_auditd.chroot +++ b/config/hooks/live/9996_auditd.chroot 
@@ -338,58 +338,38 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules -e 2 EOF -chmod 0640 /etc/audit/rules.d/*.rules +shopt -s nullglob +rules=(/etc/audit/rules.d/*.rules) +if (( ${#rules[@]} == 0 )); then + log "ERROR: /etc/audit/rules.d is empty. Seed rules before this hook." + exit 127 +fi -### Sanity checks: reject empty or malformed rulesets early. if ! /sbin/augenrules --check >/dev/null 2>&1; then - - log "ERROR: [/sbin/augenrules --check] failed. Please fix /etc/audit/rules.d/*.rules" - exit 1 - + log "ERROR: augenrules --check failed. Fix the *.rules first." + exit 128 fi -if /sbin/augenrules; then +# shellcheck disable=2155 +declare tmp="$(mktemp)" +printf '%s\0' "${rules[@]}" \ + | xargs -0 -I{} basename "{}" \ + | sort -V \ + | while read -r fname; do + f="/etc/audit/rules.d/${fname}" + ### Normalize CRLF and strip UTF-8 BOM. + sed -e 's/\r$//' -e '1s/^\xEF\xBB\xBF//' "${f}" >> "${tmp}" + printf '\n' >> "${tmp}" + done - log "INFO: [/sbin/augenrules] successful." - -else - - log "ERROR: [/sbin/augenrules] failed." +install -m 0600 -o root -g root "${tmp}" /etc/audit/audit.rules +rm -f "${tmp}" +if ! grep -Eq '(^-a|^-w|^-e[[:space:]]+1|^-e[[:space:]]+2)' /etc/audit/audit.rules; then + log "WARN: /etc/audit/audit.rules contains no -a/-w rules or '-e 1/2'; is this intended?" fi -### Permissions hardening (augenrules typically sets sane perms; enforce anyway). -### 0600 is conservative; 0640 root:root is also acceptable. -if [[ -f /etc/audit/audit.rules ]]; then - - chown root:root /etc/audit/audit.rules - chmod 0640 /etc/audit/audit.rules - -else - - log "ERROR: Expected /etc/audit/audit.rules was not created" - exit 2 - -fi - -### Minimal enablement checks for the first boot. -### Ensure auditd will try to load rules at boot (systemd unit usually does this). -### No-op on systems where auditd is socket-activated or already preset. 
-if command -v systemctl >/dev/null 2>&1; then - - ### Do not 'enable' in live images unless desired; we only make sure the unit exists. - systemctl --no-reload --quiet cat auditd.service >/dev/null || log "WARN: auditd.service not found at build time" - -fi - -### Quick validation that the merged file is non-trivial. -if ! grep -Eq '(^-a|^-w|^-e\s+1)' /etc/audit/audit.rules; then - - log "WARN: /etc/audit/audit.rules contains no active rules (-a/-w/-e). Is this intended?" - -fi - -log "Done. /etc/audit/audit.rules is precompiled." +log "Done. /etc/audit/audit.rules generated at build-time (no kernel load)." printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
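Review bot: The merge pipeline in the hunk (`printf … | xargs … | sort -V | while read …; done`) discards the exit status of the `sed` inside the loop, so a rules file that cannot be read is silently left out of /etc/audit/audit.rules and the file is still installed as if it were complete; the only safety net is the heuristic `grep -Eq` WARN that follows, which cannot tell a partial ruleset from a full one. I would fail hard on the copy instead: `sed -e 's/\r$//' -e '1s/^\xEF\xBB\xBF//' "${f}" >> "${tmp}" || exit 1` inside the loop and `done || { log "ERROR: merging ${rules[*]} failed"; exit 1; }` after it. For the same reason `declare tmp="$(mktemp)"` (the line the shellcheck disable hides) masks an mktemp failure and leaves an empty `${tmp}`; `tmp="$(mktemp)" || { log "ERROR: mktemp failed"; exit 1; }` plus `trap 'rm -f -- "${tmp}"' EXIT` also stops the temporary file from leaking on the new error exits. If I read augenrules correctly, `--check` only reports whether audit.rules is stale rather than validating rule syntax, so the 'Fix the *.rules first' message may promise more than that check delivers; worth confirming before relying on it as the sanity gate.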