#!/bin/bash
# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
#
# SPDX-License-Identifier: Apache-2.0
set -o errexit
set -o nounset
set -o pipefail
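# Node-exporter textfile-collector output for the 'augenrules --load' result.
# Written by configure_auditd, removed again by remove_auditd_config.
readonly auditd_metrics_file="{{ .nodeExporterTextfileCollectorDir }}/rsyslog_auditd.prom"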
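#######################################
# Revert what configure_auditd applied: deactivate the syslog/audisp audit
# plugin, restore the backed-up rules directory, reload the rules, restart
# auditd and drop the metric file. A no-op when no backup directory exists.
# Globals:   auditd_metrics_file (file removed)
# Arguments: none
# Returns:   0; a failing 'augenrules --load' is deliberately ignored
#######################################
function remove_auditd_config() {
  # The backup directory only exists once configure_auditd moved the original
  # rules aside, so without it there is nothing to revert.
  if [[ ! -d "{{ .pathAuditRulesBackupDir }}" ]]; then
    return 0
  fi
  local plugin
  for plugin in "{{ .pathSyslogAuditPlugin }}" "{{ .audispSyslogPluginPath }}"; do
    if [[ -f "${plugin}" ]]; then
      sed -i "s/^active\\>.*/active = no/i" "${plugin}"
    fi
  done
  if [[ -d "{{ .pathAuditRulesDir }}" ]]; then
    rm -rf "{{ .pathAuditRulesDir }}"
  fi
  cp -fa "{{ .pathAuditRulesBackupDir }}" "{{ .pathAuditRulesDir }}"
  # The restored (original) rules might be erroneous, so a failing load is
  # ignored here instead of aborting the script under errexit.
  augenrules --load || true
  systemctl restart auditd
  rm -f "${auditd_metrics_file}"
  rm -rf "{{ .pathAuditRulesBackupDir }}"
}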
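#######################################
# Install the audit rules shipped in the OSC directory, switch the syslog
# audit plugin on and make sure auditd is running. When the OSC rules
# directory is absent or empty the previous state is restored through
# remove_auditd_config instead.
# Globals:   auditd_metrics_file (written)
# Arguments: none
# Outputs:   rsyslog_augenrules_load_success metric to auditd_metrics_file
# Returns:   0
#######################################
function configure_auditd() {
  local rules_src="{{ .pathAuditRulesFromOSCDir }}"
  local rules_dir="{{ .pathAuditRulesDir }}"
  local backup_dir="{{ .pathAuditRulesBackupDir }}"

  if [[ ! -d "${rules_src}" ]] || [[ -z "$(ls -A "${rules_src}")" ]]; then
    remove_auditd_config
    return 0
  fi

  # Keep the original rules exactly once so remove_auditd_config can restore them.
  if [[ ! -d "${backup_dir}" && -d "${rules_dir}" ]]; then
    mv "${rules_dir}" "${backup_dir}"
  fi

  local restart_auditd=false
  if [[ ! -d "${rules_dir}" ]]; then
    mkdir -p "${rules_dir}"
  fi

  if ! diff -rq "${rules_src}" "${rules_dir}"; then
    # ':?' aborts instead of expanding to 'rm -rf /*' should the path ever be empty.
    rm -rf "${rules_dir:?}"/*
    cp -fL "${rules_src}"/* "${rules_dir}/"

    local metric_header="# HELP rsyslog_augenrules_load_success shows whether the 'augenrules --load' command was executed successfully or not.\n# TYPE rsyslog_augenrules_load_success gauge\nrsyslog_augenrules_load_success"
    # Capture stderr and the exit status separately. A plain 'error=$(...)'
    # assignment would abort the whole script under errexit when augenrules
    # fails, so the failure would never reach the log or the metric file.
    local error="" rc=0 load_ok=1
    error=$(augenrules --load 2>&1 > /dev/null) || rc=$?
    if [[ "${rc}" -ne 0 || -n "${error}" ]]; then
      logger -p error "Error loading audit rules (exit status ${rc}): ${error}"
      load_ok=0
    fi
    # '%b' expands the '\n' escapes in the header, as 'echo -e' did.
    printf '%b %s\n' "${metric_header}" "${load_ok}" > "${auditd_metrics_file}"
    restart_auditd=true
  fi

  # Prefer the audisp plugin location when it exists.
  local plugin="{{ .pathSyslogAuditPlugin }}"
  if [[ -f "{{ .audispSyslogPluginPath }}" ]]; then
    plugin="{{ .audispSyslogPluginPath }}"
  fi
  # Only rewrite the plugin when it has an 'active' key that is not already 'yes'.
  if [[ -f "${plugin}" ]] \
    && grep -m 1 -qie "^active\\>" "${plugin}" \
    && ! grep -m 1 -qie "^active\\> = yes" "${plugin}"; then
    sed -i "s/^active\\>.*/active = yes/i" "${plugin}"
    restart_auditd=true
  fi

  if ! systemctl is-active --quiet auditd.service; then
    # Ensure that the auditd service is running.
    systemctl start auditd.service
  elif [[ "${restart_auditd}" == true ]]; then
    systemctl restart auditd.service
  fi

  # If the `systemd-journald-audit.socket` socket exists and is enabled, journald
  # also fetches audit logs from it. To avoid duplicated audit records it is
  # disabled and stopped so that only the syslog audit plugin delivers them.
  if systemctl list-unit-files systemd-journald-audit.socket > /dev/null; then
    if systemctl is-enabled --quiet systemd-journald-audit.socket; then
      systemctl disable systemd-journald-audit.socket
    fi
    if systemctl is-active --quiet systemd-journald-audit.socket; then
      systemctl stop systemd-journald-audit.socket
      systemctl restart systemd-journald
    fi
  fi
}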
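#######################################
# Enable rsyslog, install the audit forwarding configuration and the TLS
# material from the OSC directory, and (re)start the service when anything
# changed.
# Globals:   none
# Arguments: none
# Returns:   0
#######################################
function configure_rsyslog() {
  # Enabling creates the symlinks under /etc/systemd/system (e.g. /etc/systemd/system/syslog.service).
  if ! systemctl is-enabled --quiet rsyslog.service; then
    systemctl enable rsyslog.service
  fi

  if [[ ! -d "{{ .rsyslogRelpQueueSpoolDir }}" ]]; then
    mkdir -p "{{ .rsyslogRelpQueueSpoolDir }}"
  fi

  local restart_rsyslog=false
  local conf_src="{{ .pathRsyslogAuditConfFromOSC }}"
  local conf_dst="{{ .pathRsyslogAuditConf }}"
  if [[ ! -f "${conf_dst}" ]] || ! diff -rq "${conf_src}" "${conf_dst}"; then
    cp -fL "${conf_src}" "${conf_dst}"
    restart_rsyslog=true
  fi

  local tls_src="{{ .pathRsyslogTLSFromOSCDir }}"
  local tls_dir="{{ .pathRsyslogTLSDir }}"
  # '[[' evaluates '&&' lazily, so 'ls' only runs when the directory exists.
  if [[ -d "${tls_src}" && -n "$(ls -A "${tls_src}")" ]]; then
    if [[ ! -d "${tls_dir}" ]]; then
      mkdir -p "${tls_dir}"
    fi
    if ! diff -rq "${tls_src}" "${tls_dir}"; then
      # ':?' aborts instead of expanding to 'rm -rf /*' should the path ever be empty.
      rm -rf "${tls_dir:?}"/*
      # NOTE(review): 'cp' without '-p' applies the umask to the copied key
      # material rather than preserving source modes -- confirm the resulting
      # permissions are what rsyslog and the key's sensitivity require.
      cp -fL "${tls_src}"/* "${tls_dir}/"
      restart_rsyslog=true
    fi
  elif [[ -d "${tls_dir}" ]]; then
    # No TLS material is shipped any more: remove the stale copy.
    rm -rf "${tls_dir}"
  fi

  if ! systemctl is-active --quiet rsyslog.service; then
    # Ensure that the rsyslog service is running.
    systemctl start rsyslog.service
  elif [[ "${restart_rsyslog}" == true ]]; then
    systemctl restart rsyslog.service
  fi
}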
# Entry point: each service is configured only when its unit file is installed.
if systemctl list-unit-files auditd.service > /dev/null; then
  printf '%s\n' "Configuring auditd.service ..."
  configure_auditd
else
  printf '%s\n' "auditd.service is not installed, skipping configuration"
fi

if systemctl list-unit-files rsyslog.service > /dev/null; then
  printf '%s\n' "Configuring rsyslog.service ..."
  configure_rsyslog
else
  printf '%s\n' "rsyslog.service and syslog.service are not installed, skipping configuration"
fi