audit/create-augenrules-service.patch

Index: audit-3.1.1/init.d/augenrules.service
===================================================================
--- /dev/null
+++ audit-3.1.1/init.d/augenrules.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=auditd rules generation
+After=auditd.service
+Documentation=man:augenrules(8)
+
+[Service]
+Type=oneshot
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+ExecStart=/sbin/augenrules --load
+# We need RemainAfterExit=true so augenrules is called again
+# in case auditd.service is restarted.
+RemainAfterExit=true
+
+### Security Settings ###
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectHome=true
+RestrictRealtime=true
+# for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ReadWritePaths=/etc/audit
Index: audit-3.1.1/init.d/auditd.service
===================================================================
--- audit-3.1.1.orig/init.d/auditd.service
+++ audit-3.1.1/init.d/auditd.service
@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
 ConditionKernelCommandLine=!audit=off
 
 Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+Requires=augenrules.service
+# This unit clears rules on stop, so make sure that augenrules runs again
+PropagatesStopTo=augenrules.service
 
 [Service]
 Type=forking
 PIDFile=/run/auditd.pid
 ExecStart=/sbin/auditd
-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
-## and comment/delete the next line and uncomment the auditctl line.
-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
-ExecStartPost=-/sbin/augenrules --load
+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
+## uncomment the next line, and comment the Requires=augenrules.service above.
 #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
 # By default we clear the rules on exit. To disable this, comment
 # the next line after copying the file to /etc/systemd/system/auditd.service
@@ -47,7 +48,6 @@ ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelLogs=true
 # end of automatic additions 
-ReadWritePaths=/etc/audit
 
 [Install]
 WantedBy=multi-user.target
Index: audit-3.1.1/init.d/Makefile.am
===================================================================
--- audit-3.1.1.orig/init.d/Makefile.am
+++ audit-3.1.1/init.d/Makefile.am
@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
 	auditd.cron libaudit.conf auditd.condrestart \
 	auditd.reload auditd.restart auditd.resume \
 	auditd.rotate auditd.state auditd.stop \
-	audit-stop.rules augenrules audit-functions
+	audit-stop.rules augenrules audit-functions \
+	augenrules.service
 libconfig = libaudit.conf
 if ENABLE_SYSTEMD
 initdir = /usr/lib/systemd/system
@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
 	mkdir -p ${DESTDIR}${legacydir}
 	mkdir -p ${DESTDIR}${libexecdir}
 	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
+	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
@@ -72,6 +74,7 @@ uninstall-hook:
 	rm ${DESTDIR}${sysconfdir}/${libconfig}
 if ENABLE_SYSTEMD
 	rm ${DESTDIR}${initdir}/auditd.service
+	rm ${DESTDIR}${initdir}/augenrules.service
 	rm ${DESTDIR}${legacydir}/rotate
 	rm ${DESTDIR}${legacydir}/resume
 	rm ${DESTDIR}${legacydir}/reload