#!/bin/sh # # auditd This starts and stops auditd # # chkconfig: 2345 11 88 # description: This starts the Linux Auditing System Daemon, \ # which collects security related events in a dedicated \ # audit log. If this daemon is turned off, audit events \ # will be sent to syslog. # # processname: /sbin/auditd # config: /etc/rc.d/rc.auditd.conf # config: /etc/audit/auditd.conf # pidfile: /var/run/auditd.pid # # Return values according to LSB for all commands but status: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. "reload") # 4 - insufficient privilege # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" # Source function library. . /etc/init.d/functions # Allow anyone to run status if [ "$1" = "status" ] ; then status $prog RETVAL=$? exit $RETVAL fi # Check that we are root ... so non-root users stop here test $(id -u) = 0 || exit 4 # Check config test -f /etc/rc.d/rc.auditd.conf && . /etc/rc.d/rc.auditd.conf RETVAL=0 start(){ test -x /sbin/auditd || exit 5 test -f /etc/audit/auditd.conf || exit 6 printf "Starting $prog: " # Localization for auditd is controlled in /etc/synconfig/auditd if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE else LANG="$AUDITD_LANG" LC_TIME="$AUDITD_LANG" LC_ALL="$AUDITD_LANG" LC_MESSAGES="$AUDITD_LANG" LC_NUMERIC="$AUDITD_LANG" LC_MONETARY="$AUDITD_LANG" LC_COLLATE="$AUDITD_LANG" export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE fi unset HOME MAIL USER USERNAME daemon $prog "$EXTRAOPTIONS" RETVAL=$? echo if test $RETVAL = 0 ; then touch /var/lock/subsys/auditd # Prepare the default rules if test x"$USE_AUGENRULES" != "x" ; then if test "`echo $USE_AUGENRULES | tr 'NO' 'no'`" != "no" then test -d /etc/audit/rules.d && /sbin/augenrules fi fi # Load the default rules test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null fi return $RETVAL } stop(){ printf "Stopping $prog: " killproc $prog RETVAL=$? echo rm -f /var/lock/subsys/auditd # Remove watches so shutdown works cleanly if test x"$AUDITD_CLEAN_STOP" != "x" ; then if test "`echo $AUDITD_CLEAN_STOP | tr 'NO' 'no'`" != "no" then /sbin/auditctl -R /etc/audit/audit-stop.rules >/dev/null fi fi return $RETVAL } reload(){ test -f /etc/audit/auditd.conf || exit 6 printf "Reloading configuration: " killproc $prog -HUP RETVAL=$? echo return $RETVAL } rotate(){ printf "Rotating logs: " killproc $prog -USR1 RETVAL=$? echo return $RETVAL } resume(){ printf "Resuming logging: " killproc $prog -USR2 RETVAL=$? echo return $RETVAL } restart(){ test -f /etc/audit/auditd.conf || exit 6 stop start } state(){ state_file="/var/run/auditd.state" printf "Getting auditd internal state: " killproc $prog -CONT RETVAL=$? printf "\n" if [ $? -eq 0 ] ; then if [ -e $state_file ] ; then cat $state_file fi fi echo return $RETVAL } condrestart(){ [ -e /var/lock/subsys/auditd ] && restart return 0 } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart) restart ;; reload|force-reload) reload ;; rotate) rotate ;; resume) resume ;; state) state ;; condrestart|try-restart) condrestart ;; *) echo "Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|rotate|resume}" RETVAL=3 esac exit $RETVAL