vm-skills/node-hardening/scripts/40_auditd_setup.sh

#!/usr/bin/env bash
set -euo pipefail

SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"

: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
: "${BACKUP_DIR:=$OUTPUT_DIR/backups}"
: "${TEMPLATE_DIR:=$SKILL_ROOT/templates}"

log_info()  { echo "[INFO]  $(date -Iseconds) $*"; }
log_warn()  { echo "[WARN]  $(date -Iseconds) $*" >&2; }
log_error() { echo "[ERROR] $(date -Iseconds) $*" >&2; }

die() { log_error "$@"; exit 1; }

ensure_auditd() {
  if command -v auditctl &>/dev/null; then
    return 0
  fi
  log_warn "auditd not found; attempting install (Debian/Ubuntu)"
  if command -v apt-get &>/dev/null; then
    sudo apt-get update -y
    sudo apt-get install -y auditd audispd-plugins
  else
    die "auditd not installed and apt-get not available. Install manually."
  fi
}

main() {
  mkdir -p "$OUTPUT_DIR" "$BACKUP_DIR"

  local enabled="${AUDITD_ENABLE:-true}"
  if [[ "$enabled" != "true" && "$enabled" != "1" ]]; then
    log_info "AUDITD_ENABLE disabled; skipping"
    exit 0
  fi

  local dry="${DRY_RUN:-1}"
  [[ "$dry" == "0" ]] || die "Refusing to apply with DRY_RUN=$dry. Export DRY_RUN=0 to proceed."

  ensure_auditd

  sudo systemctl enable auditd

  local rules_path="/etc/audit/rules.d/node-hardening.rules"
  if [[ -f "$rules_path" ]]; then
    sudo cp -a "$rules_path" "$BACKUP_DIR/node-hardening.rules.before"
  fi

  log_info "Writing $rules_path"
  sudo install -m 0640 /dev/null "$rules_path"
  sudo cp "$TEMPLATE_DIR/auditd_rules.tpl" "$rules_path"

  log_info "Loading audit rules"
  sudo augenrules --load || sudo service auditd restart || true

  log_info "auditd setup complete"
}

[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"