
Autoupdate script #145

@DavidOsipov

Description

@DavidOsipov

Hi Florian,

Thank you for the rules you're maintaining. I've created a small script in order to autoupdate my local auditd rules with this repo.
Maybe you and others would be interested in using it too.

Script
#!/bin/bash
# Keep the local auditd rule file in sync with the upstream copy.
# Abort on any unhandled failure, on an unset variable, and on a failed
# pipeline stage.
set -euo pipefail

# Paths and URLs used throughout the script.
LOCAL_RULES="/etc/audit/rules.d/audit.rules"
REMOTE_RULES_URL="https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules"
LOG_FILE="/var/log/custom_logs/auditd_updater.log"
BACKUP_FILE="/etc/audit/rules.d/audit.rules.bak"
# Name of the BLAKE3 checksum tool, resolved through PATH.
B3SUM_CMD="b3sum"

# The log directory has to exist before the first log_message call.
mkdir -p "${LOG_FILE%/*}"

# Function to log messages with levels
# Append one timestamped line to the log file.
# Globals:   LOG_FILE (appended to)
# Arguments: $1 - level tag (e.g. INFO, ERROR)
#            $2 - message text
log_message() {
    local level=$1 message=$2 stamp
    stamp=$(date +"%Y-%m-%d %H:%M:%S")
    printf '[%s] [%s] %s\n' "$stamp" "$level" "$message" >> "$LOG_FILE"
}

# Function to check if b3sum is installed and install it if not
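# Make sure the checksum tool named by B3SUM_CMD is available, installing the
# b3sum package through the first supported package manager when it is not.
# Globals:   B3SUM_CMD (read)
# Returns:   0 when the tool is available; exits 1 when it cannot be installed
check_and_install_b3sum() {
    # Look up the same command name the rest of the script invokes, not a
    # hard-coded "b3sum", so the check and the use cannot drift apart.
    if command -v "$B3SUM_CMD" &> /dev/null; then
        log_message "INFO" "$B3SUM_CMD is already installed."
        return 0
    fi
    log_message "INFO" "$B3SUM_CMD not found. Installing..."
    # Run the package manager inside `if` so a failure is logged here instead
    # of ending the script through set -e with no log entry.
    local installed=1
    if command -v apt-get &> /dev/null; then
        if apt-get update && apt-get install -y b3sum; then
            installed=0
        fi
    elif command -v yum &> /dev/null; then
        if yum install -y b3sum; then
            installed=0
        fi
    else
        log_message "ERROR" "Package manager not found. Cannot install b3sum."
        exit 1
    fi
    # A package can install cleanly yet not provide the expected command name,
    # so confirm the binary is really on PATH before reporting success.
    if (( installed != 0 )) || ! command -v "$B3SUM_CMD" &> /dev/null; then
        log_message "ERROR" "Installation of b3sum failed; $B3SUM_CMD is not available."
        exit 1
    fi
    log_message "INFO" "b3sum installed successfully."
}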

# Function to calculate checksum
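# Print the BLAKE3 digest of a file on stdout.
# Globals:   B3SUM_CMD (read)
# Arguments: $1 - path of the file to hash
# Outputs:   the bare hex digest (b3sum --no-names) on stdout
# Returns:   0 on success, 1 when the checksum tool fails
calculate_checksum() {
    local file_path="$1"
    # Keep the digest local instead of leaking a global named "checksum".
    local checksum
    # `return`, not `exit`: callers always invoke this inside $(...), where an
    # `exit` only ends the subshell. The non-zero status still propagates to
    # the caller's assignment, which set -e turns into a script abort.
    if ! checksum=$("$B3SUM_CMD" --no-names "$file_path"); then
        log_message "ERROR" "Checksum calculation failed for $file_path"
        return 1
    fi
    printf '%s\n' "$checksum"
}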

# Function to download remote file
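# Download the upstream rules file into $1 and sanity-check its banner.
# Globals:   REMOTE_RULES_URL (read)
# Arguments: $1 - path to write the downloaded content to
# Returns:   0 on success; 1 on a non-200 response or an unexpected header
download_remote_file() {
    local temp_file="$1"
    local http_status
    # --proto '=https' refuses any non-TLS transport even if the URL is ever
    # edited; --max-time bounds a stalled transfer. `|| true` keeps the status
    # code for the log when curl -f exits non-zero on an HTTP error, so the
    # function also behaves when called outside an `if`.
    http_status=$(curl --proto '=https' --max-time 120 -w '%{http_code}' -f -s -o "$temp_file" "$REMOTE_RULES_URL") || true
    # String comparison: curl prints 000 on a transport failure, and a missing
    # curl leaves the variable empty, which an integer test would reject noisily.
    if [[ "$http_status" != "200" ]]; then
        log_message "ERROR" "Failed to download from $REMOTE_RULES_URL, HTTP status code: $http_status"
        return 1
    fi
    # Check for the expected header text in the file content
    local expected_header="#      ___             ___ __      __
#     /   | __  ______/ (_) /_____/ /
#    / /| |/ / / / __  / / __/ __  /
#   / ___ / /_/ / /_/ / / /_/ /_/ /
#  /_/  |_\__,_/\__,_/_/\__/\__,_/
#
# Linux Audit Daemon - Best Practice Configuration
# /etc/audit/audit.rules
#
# Compiled by Florian Roth
#"
    # Compare the whole 11-line prefix. `grep -F` with a multi-line pattern
    # matches when ANY one line matches, and the bare "#" line in the banner
    # matches almost any comment, so that check accepted nearly any file.
    # This is a sanity check on the content, not an authenticity check: the
    # TLS connection to the upstream host is what the script trusts.
    if [[ "$(head -n 11 "$temp_file")" != "$expected_header" ]]; then
        log_message "ERROR" "Downloaded file does not contain the expected header"
        return 1
    fi
    return 0 # Success
}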

# Function to restart auditd service
# Restart auditd with whichever service manager is present on the host.
# Globals:   none read; writes to the log via log_message when none is found
# Returns:   the restart command's exit status; exits 1 when no service
#            manager can be found
# NOTE(review): some distributions ship auditd.service with manual stop
# refused, in which case `systemctl restart` is rejected and the init-script
# path is the supported one — confirm on the target hosts.
restart_auditd_service() {
    local manager
    for manager in systemctl service initctl; do
        if command -v "$manager" &> /dev/null; then
            break
        fi
        manager=""
    done
    case "$manager" in
        systemctl) systemctl restart auditd ;;
        service) service auditd restart ;;
        initctl) initctl restart auditd ;;
        *)
            log_message "ERROR" "Unable to determine the method to restart the auditd service. Please restart the auditd service manually."
            exit 1
            ;;
    esac
}

# Main script execution
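# Main script execution
log_message "INFO" "Starting audit.rules update process."

# Everything below writes under /etc/audit and restarts a system service, so
# fail early with a clear log entry instead of a permission error mid-way.
if [[ "$EUID" -ne 0 ]]; then
    log_message "ERROR" "This script must be run as root."
    exit 1
fi

# Check and install b3sum if necessary
check_and_install_b3sum

# Create temporary file. mktemp creates it with a private mode; that mode is
# what ends up on the rules file after the mv below — adjust with chmod if a
# different mode is required locally.
TEMP_FILE=$(mktemp /var/tmp/audit.rules.XXXXXX)
# Ensure temporary file is removed on exit or error
trap 'rm -f "$TEMP_FILE"' EXIT

# Calculate local file checksum (a missing or unreadable local file aborts the
# run here through set -e; this script does not do first-time installs)
local_checksum=$(calculate_checksum "$LOCAL_RULES")

# Download the remote file
if ! download_remote_file "$TEMP_FILE"; then
    log_message "ERROR" "Update failed."
    exit 1
fi

# Calculate remote file checksum
remote_checksum=$(calculate_checksum "$TEMP_FILE")

# Compare checksums
if [[ "$local_checksum" == "$remote_checksum" ]]; then
    log_message "INFO" "No update needed. Exiting."
    exit 0
fi

# Backup the existing local file
cp "$LOCAL_RULES" "$BACKUP_FILE"
log_message "INFO" "Backup created at $BACKUP_FILE"

# Put the backed-up rules back in place; used when the new file cannot be
# verified or auditd refuses to come back up with it.
rollback() {
    if cp "$BACKUP_FILE" "$LOCAL_RULES"; then
        log_message "INFO" "Restored previous rules from $BACKUP_FILE"
    else
        log_message "ERROR" "Rollback from $BACKUP_FILE failed; inspect $LOCAL_RULES manually."
    fi
}

# Replace the local file with the remote file. Plain mv: the explicit backup
# above already preserves the old rules, so GNU `mv -b` would only leave a
# second, redundant audit.rules~ copy next to it.
mv "$TEMP_FILE" "$LOCAL_RULES"

# Recalculate the local checksum for verification
new_local_checksum=$(calculate_checksum "$LOCAL_RULES")

# Verify the update; on mismatch do not leave an unverified file installed.
if [[ "$new_local_checksum" != "$remote_checksum" ]]; then
    log_message "ERROR" "Update failed: Checksums do not match!"
    rollback
    exit 1
fi
log_message "INFO" "audit.rules updated successfully."

# Restart auditd service. If the new rules fail to load, restore the previous
# file and try once more so the host is not left without its audit rules.
if restart_auditd_service; then
    log_message "INFO" "auditd service restarted."
else
    log_message "ERROR" "Failed to restart auditd service."
    rollback
    if restart_auditd_service; then
        log_message "INFO" "auditd service restarted with the previous rules."
    fi
    exit 1
fi

log_message "INFO" "Finished audit.rules update process."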
