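#!/usr/local/bin/cbsd
#v13.0.8
# Write /etc/security/audit_control for one of the built-in profiles
# (exec, write, read) and restart auditd. The only argument is 'profile';
# ADDHELP below is the text shown by 'cbsd auditd --help'.
MYARG="profile"
MYOPTARG=""
MYDESC="Configure system wide auditd service"
CBSDMODULE="jail"
ADDHELP="
${H3_COLOR}Description${N0_COLOR}:

Setup AUDITD configuration to track file modifications.

! WARNING !
  This script overwrites the old configuration 
  in the directory /etc/security/
! WARNING !

Profiles:

  - read  ()
  - write ( +fc,+fd,+fw,+fm,+no )
  - exec  ( lo,aa,ex,ad )

${H3_COLOR}Options${N0_COLOR}:

 ${N2_COLOR}profile${N0_COLOR}              - profile name: 'exec', 'write', 'read'

${H3_COLOR}Examples${N0_COLOR}:

 # cbsd auditd profile=write

${H3_COLOR}See also${N0_COLOR}:

 cbsd praudit --help


"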

# Pull in the cbsd runtime: nc.subr (color/err helpers), the system defaults
# and the argument initialiser that populates ${profile} from the command line.
. "${subrdir}/nc.subr"
. "${system}"
. "${cbsdinit}"

# Translate the requested profile into the flags/naflags/policy fields
# that are written into audit_control below; reject anything else.
# NOTE(review): 'read' receives exactly the same set as 'write' here,
# while ADDHELP lists the read profile as "()" — confirm which is intended.
case "${profile}" in
	exec)
		flags="lo,aa,ex,ad"
		naflags="lo,aa"
		policy="cnt,argv"
		;;
	write|read)
		flags="+fc,+fd,+fw,+fm,+no"
		naflags="+fc,+fd,+fw,+fm,+no"
		policy="cnt,argv"
		;;
	*)
		err 1 "${N1_COLOR}${CIX_APP} error: unknown profile, valid: exec, write, read: ${N2_COLOR}${profile}${N0_COLOR}"
		;;
esac

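# Overwrite the system-wide audit_control (ADDHELP warns about this).
# A failed write (e.g. read-only /etc, missing directory) must not fall
# through to the success hint and 'exit 0' below, otherwise the operator
# believes auditing is configured while the old file is still in place.
${CAT_CMD} > /etc/security/audit_control <<EOF || err 1 "${N1_COLOR}${CIX_APP} error: unable to write /etc/security/audit_control${N0_COLOR}"
# Managed by: 'cbsd auditd' script
dir:/var/audit
dist:off
flags:${flags}
minfree:5
naflags:${naflags}
policy:${policy}
filesz:8M
expire-after:20M
EOF

# Best-effort restart: keep the original non-fatal behaviour, but say so
# when it fails — the new audit_control is not in effect until auditd
# has been restarted.
if ! ${SERVICE_CMD} auditd onerestart; then
	${ECHO} "${N1_COLOR}${CIX_APP} warning: auditd restart failed, new audit_control is not in effect yet${N0_COLOR}" 1>&2
fi
${ECHO} "${N1_COLOR}${CIX_APP} hint: to read events, please use: ${N2_COLOR}${CIX_APP} praudit${N0_COLOR}" 2>&1

exit 0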
