## V8.13.096.2025.10.09

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-09 20:57:08 +01:00
parent e682b6ac17
commit d3f9bec31c
52 changed files with 263 additions and 88 deletions
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -14,11 +14,20 @@

 set -Ceuo pipefail

+#######################################
+# Simple error terminal logger.
+# Arguments:
+#   None
+#######################################
+log() { printf '[auditd-build] %s\n' "${*}" >&2; }
+
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root

-apt-get install auditd -y
+export DEBIAN_FRONTEND="noninteractive"
+
+apt-get install -y auditd

 cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
 cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
@@ -329,8 +338,53 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules
 -e 2
 EOF

+
+### Sanity checks: reject empty or malformed rulesets early.
+if ! augenrules --check >/dev/null 2>&1; then
+
+  log "ERROR: augenrules --check failed. Please fix /etc/audit/rules.d/*.rules"
+  exit 1
+
+fi
+
+### This writes '/etc/audit/audit.rules'.
+log "Compiling /etc/audit/audit.rules (no load)"
+augenrules --no-load
+
+### Permissions hardening (augenrules typically sets sane perms; enforce anyway).
+### 0600 is conservative; 0640 root:root is also acceptable.
+if [[ -f /etc/audit/audit.rules ]]; then
+
+  chown root:root /etc/audit/audit.rules
+  chmod 0600 /etc/audit/audit.rules
+
+else
+
+  log "ERROR: Expected /etc/audit/audit.rules was not created"
+  exit 2
+
+fi
+
+### Minimal enablement checks for the first boot.
+### Ensure auditd will try to load rules at boot (systemd unit usually does this).
+### No-op on systems where auditd is socket-activated or already preset.
+if command -v systemctl >/dev/null 2>&1; then
+
+  ### Do not 'enable' in live images unless desired; we only make sure the unit exists.
+  systemctl --no-reload --quiet cat auditd.service >/dev/null || log "WARN: auditd.service not found at build time"
+
+fi
+
+### Quick validation that the merged file is non-trivial.
+if ! grep -Eq '(^-a|^-w|^-e\s+1)' /etc/audit/audit.rules; then
+
+  log "WARN: /etc/audit/audit.rules contains no active rules (-a/-w/-e). Is this intended?"
+
+fi
+
+log "Done. /etc/audit/audit.rules is precompiled."
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh