Autoupdate script #145

Open
DavidOsipov opened this issue May 26, 2024 · 1 comment

Comments


DavidOsipov commented May 26, 2024

Hi Florian,

Thank you for the rules you're maintaining. I've created a small script in order to autoupdate my local auditd rules with this repo.
Maybe you and others would be interested in using it too.

Script
#!/bin/bash

set -e
set -u
set -o pipefail

# Define paths and URLs
LOCAL_RULES="/etc/audit/rules.d/audit.rules"
REMOTE_RULES_URL="https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules"
LOG_FILE="/var/log/custom_logs/auditd_updater.log"
BACKUP_FILE="/etc/audit/rules.d/audit.rules.bak"
B3SUM_CMD="b3sum"

# Create log directory if it doesn't exist
mkdir -p "$(dirname "$LOG_FILE")"

# Function to log messages with levels
log_message() {
    local level="$1"
    local message="$2"
    local timestamp
    timestamp=$(date +"%Y-%m-%d %H:%M:%S")
    echo "[$timestamp] [$level] $message" >> "$LOG_FILE"
}

# Function to check if b3sum is installed and install it if not
check_and_install_b3sum() {
    if ! command -v b3sum &> /dev/null; then
        log_message "INFO" "b3sum not found. Installing..."
        if command -v apt-get &> /dev/null; then
            apt-get update && apt-get install -y b3sum
        elif command -v yum &> /dev/null; then
            yum install -y b3sum
        else
            log_message "ERROR" "Package manager not found. Cannot install b3sum."
            exit 1
        fi
        log_message "INFO" "b3sum installed successfully."
    else
        log_message "INFO" "b3sum is already installed."
    fi
}

# Function to calculate a BLAKE3 checksum of a file (prints only the digest).
# Note: this runs inside a command substitution, so "exit 1" only ends the
# subshell; the failed assignment in the caller then aborts the script via set -e.
calculate_checksum() {
    local file_path="$1"
    local checksum
    if ! checksum=$("$B3SUM_CMD" --no-names "$file_path"); then
        log_message "ERROR" "Checksum calculation failed for $file_path"
        exit 1
    fi
    echo "$checksum"
}

# Function to download remote file
download_remote_file() {
    local temp_file="$1"
    local http_status
    http_status=$(curl -w '%{http_code}' -f -s -o "$temp_file" "$REMOTE_RULES_URL")
    if [ "$http_status" -ne 200 ]; then
        log_message "ERROR" "Failed to download from $REMOTE_RULES_URL, HTTP status code: $http_status"
        return 1 
    fi
    # Sanity-check the content: grep -F treats each line of a multi-line pattern
    # as a separate pattern, so this passes when at least one of the expected
    # header lines appears in the first 11 lines. It guards against an HTML
    # error page or a truncated download; it is not an integrity check, which
    # here rests on TLS to raw.githubusercontent.com.
    local expected_header="#      ___             ___ __      __
#     /   | __  ______/ (_) /_____/ /
#    / /| |/ / / / __  / / __/ __  /
#   / ___ / /_/ / /_/ / / /_/ /_/ /
#  /_/  |_\__,_/\__,_/_/\__/\__,_/
#
# Linux Audit Daemon - Best Practice Configuration
# /etc/audit/audit.rules
#
# Compiled by Florian Roth
#"
    if ! head -n 11 "$temp_file" | grep -Fq "$expected_header"; then
        log_message "ERROR" "Downloaded file does not contain the expected header"
        return 1
    fi
    return 0 # Success
}

# Function to apply the new rules and restart auditd.
# On distributions whose auditd.service sets RefuseManualStop=yes,
# "systemctl restart auditd" is refused; "augenrules --load" (or the legacy
# service script) is the supported way to load rules from rules.d. If the
# running rules are immutable (-e 2), loading fails and a reboot is required.
restart_auditd_service() {
    if command -v augenrules &> /dev/null; then
        augenrules --load
    elif command -v service &> /dev/null; then
        service auditd restart
    elif command -v systemctl &> /dev/null; then
        systemctl restart auditd
    elif command -v initctl &> /dev/null; then
        initctl restart auditd
    else
        log_message "ERROR" "Unable to determine the method to restart the auditd service. Please restart the auditd service manually."
        exit 1
    fi
}

# Main script execution
log_message "INFO" "Starting audit.rules update process."

# Check and install b3sum if necessary
check_and_install_b3sum

# Create temporary file
TEMP_FILE=$(mktemp /var/tmp/audit.rules.XXXXXX)
# Ensure temporary file is removed on exit or error
trap 'rm -f "$TEMP_FILE"' EXIT

# Calculate local file checksum
local_checksum=$(calculate_checksum "$LOCAL_RULES")

# Download the remote file
if ! download_remote_file "$TEMP_FILE"; then
    log_message "ERROR" "Update failed."
    exit 1
fi

# Calculate remote file checksum
remote_checksum=$(calculate_checksum "$TEMP_FILE")

# Compare checksums
if [ "$local_checksum" == "$remote_checksum" ]; then
    log_message "INFO" "No update needed. Exiting."
    exit 0 
fi

# Backup the existing local file
cp "$LOCAL_RULES" "$BACKUP_FILE"
log_message "INFO" "Backup created at $BACKUP_FILE"

# Replace the local file with the remote file. The explicit backup above makes
# mv's own "-b" backup (audit.rules~) redundant, so it is not used here.
mv "$TEMP_FILE" "$LOCAL_RULES"
# mktemp creates files 0600; match the usual permissions of files in rules.d
chmod 0640 "$LOCAL_RULES"

# Recalculate the local checksum for verification
new_local_checksum=$(calculate_checksum "$LOCAL_RULES")

# Verify the update
if [ "$new_local_checksum" == "$remote_checksum" ]; then
    log_message "INFO" "audit.rules updated successfully."

    # Restart auditd service
    if restart_auditd_service; then
        log_message "INFO" "auditd service restarted."
    else
        log_message "ERROR" "Failed to restart auditd service."
        exit 1 
    fi
else
    log_message "ERROR" "Update failed: Checksums do not match!"
    exit 1
fi

log_message "INFO" "Finished audit.rules update process."
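As an added example (not code from the issue or from the Neo23x0/auditd project), one way to make the install step fail closed: it assumes the operator pins the SHA-256 of a reviewed upstream revision instead of installing whatever master currently serves, and it runs a cheap structural check of the rules before they reach rules.d. The helper names (verify_digest, check_rules_syntax, stage_rules) are hypothetical.

```shell
# Added example (not part of the issue or the Neo23x0/auditd repo): gate the
# install step on an operator-pinned digest and a rule-syntax sanity check,
# so a changed upstream file is never loaded into auditd unreviewed.
set -eu

# Return 0 if the file's SHA-256 equals the pinned value (assumed to be
# recorded by the operator after reviewing the upstream commit), 1 otherwise.
verify_digest() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Reject any non-blank, non-comment line that does not look like an auditctl
# directive (-D, -b, -w, -a, -e ...). Prints the first offending line, returns 1.
check_rules_syntax() {
    local file="$1" lineno=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        case "$line" in
            ''|'#'*) ;;                         # blank line or comment: fine
            -[a-zA-Z]*) ;;                      # auditctl option: fine
            *) printf 'line %d rejected: %s\n' "$lineno" "$line" >&2; return 1 ;;
        esac
    done < "$file"
    return 0
}

# Install src as dest only if both checks pass. The copy goes through a temp
# file in the destination directory plus a rename, so a half-written
# audit.rules is never visible to augenrules.
stage_rules() {
    local src="$1" dest="$2" expected="$3" tmp
    verify_digest "$src" "$expected" || { echo "digest mismatch, refusing to install $src" >&2; return 1; }
    check_rules_syntax "$src" || return 1
    tmp=$(mktemp "$(dirname "$dest")/.audit.rules.XXXXXX")
    install -m 0640 "$src" "$tmp"
    mv -f "$tmp" "$dest"
}

# Stand-alone run on constructed sample files (nothing touches /etc).
demo() {
    local dir; dir=$(mktemp -d)
    printf '%s\n' '# Compiled by ...' '-D' '-b 8192' '-w /etc/passwd -p wa -k identity' > "$dir/good.rules"
    printf '%s\n' '-D' 'this is not an auditctl directive' > "$dir/bad.rules"
    local pinned; pinned=$(sha256sum "$dir/good.rules" | cut -d' ' -f1)
    stage_rules "$dir/good.rules" "$dir/audit.rules" "$pinned" && echo "good.rules installed"
    check_rules_syntax "$dir/bad.rules" || echo "bad.rules rejected"
    rm -rf "$dir"
}
```

Call demo to see both outcomes; in the updater above, stage_rules would replace the plain mv once the pinned digest is kept next to the script.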

@DavidOsipov DavidOsipov changed the title Aduitd autoupdate script Autoupdate script May 26, 2024