auditd/files/auditd.rules.conf - salt-formulas/auditd - Gitiles

 {%- from "auditd/map.jinja" import rules with context %}
 {%- set filter_fs = rules.get('filter_fs', []) -%}
 {%- set filter_paths = rules.get('filter_paths', []) -%}
 {%- set auid = rules.get('auid', 1000) -%}

 -D
 {%- set bufsize = rules.get('options', {}).get('bufsize', 8192) %}
 -b {{ bufsize }}

 # Rules (might be empty)
 {%- for _, ruleblock in rules.get('rules', {})|dictsort %}
   {%- if ruleblock.get('enabled', false) %}
     {%- set rules = ruleblock.get('rule_list', []) %}
     {%- set rulekey = ruleblock['key'] %}
     {%- if rulekey == 'privileged' -%}
     {# Generate suid/sgid binaries list dynamically.
        This behavior can not be changed but the list can be
        extended via the corresponding pillar.
     #}
       {%- set privileged_list = salt['auditd.find_privileged'](filter_fs=filter_fs,filter_paths=filter_paths) -%}
         {%- for bin in privileged_list -%}
           {%- set rule = '-a always,exit -F path='+ bin +' -F perm=x -F auid>='~ auid ~' -F auid!=4294967295' -%}
             {%- if rule not in rules %}
               {%- do rules.append(rule) %}
             {%- endif %}
         {%- endfor %}
     {%- endif %}
     {% if rules|length > 0 %}
 # "{{ rulekey }}" section
       {%- for rule in rules %}
 {{ rule }} -k {{ rulekey }}
       {%- endfor %}
     {%- endif %}
   {%- endif %}
 {%- endfor %}

 # Enabled
 {%- set enabled = rules.get('options', {}).get('enabled', 0) %}
 -e {{ enabled }}

 {#
 # vim: ft=jinja
 #}
	{%- from "auditd/map.jinja" import rules with context %}
	{%- set filter_fs = rules.get('filter_fs', []) -%}
	{%- set filter_paths = rules.get('filter_paths', []) -%}
	{%- set auid = rules.get('auid', 1000) -%}

	-D
	{%- set bufsize = rules.get('options', {}).get('bufsize', 8192) %}
	-b {{ bufsize }}

	# Rules (might be empty)
	{%- for _, ruleblock in rules.get('rules', {})\|dictsort %}
	{%- if ruleblock.get('enabled', false) %}
	{%- set rules = ruleblock.get('rule_list', []) %}
	{%- set rulekey = ruleblock['key'] %}
	{%- if rulekey == 'privileged' -%}
	{# Generate suid/sgid binaries list dynamically.
	This behavior can not be changed but the list can be
	extended via the corresponding pillar.
	#}
	{%- set privileged_list = salt['auditd.find_privileged'](filter_fs=filter_fs,filter_paths=filter_paths) -%}
	{%- for bin in privileged_list -%}
	{%- set rule = '-a always,exit -F path='+ bin +' -F perm=x -F auid>='~ auid ~' -F auid!=4294967295' -%}
	{%- if rule not in rules %}
	{%- do rules.append(rule) %}
	{%- endif %}
	{%- endfor %}
	{%- endif %}
	{% if rules\|length > 0 %}
	# "{{ rulekey }}" section
	{%- for rule in rules %}
	{{ rule }} -k {{ rulekey }}
	{%- endfor %}
	{%- endif %}
	{%- endif %}
	{%- endfor %}

	# Enabled
	{%- set enabled = rules.get('options', {}).get('enabled', 0) %}
	-e {{ enabled }}

	{#
	# vim: ft=jinja
	#}