#!/bin/sh
#
# Restart the AIX audit subsystem for Snare: the "event=" entries in
# /etc/security/audit/snare.conf are collected into one comma-separated list
# and substituted for SNARE_EVENTS_TEMPLATE in snareconfig.template to
# regenerate /etc/security/audit/config, then auditing is started again.
#

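AUDIT=/usr/sbin/audit
SNARE_CONF=/etc/security/audit/snare.conf
TEMPLATE=/etc/security/audit/snareconfig.template
AUDIT_CONFIG=/etc/security/audit/config

# Collect the audit event names from every "event=" line in snare.conf:
#   event=PROC_Create(filter),FILE_Open   ->   PROC_Create,FILE_Open
# The parenthesised filter part is dropped, the first whitespace-separated
# field is kept (as before), entries are split on ',', empty entries are
# discarded (a trailing or doubled ',' used to produce a leading ',' in the
# result), duplicates are removed, and the survivors are joined back into the
# single comma-separated list the template expects.
EVENTS=$(grep "event=" "$SNARE_CONF" 2>/dev/null \
    | sed 's/.*event=//' \
    | sed 's/[\(][^\)]*[\)]//g' \
    | awk '{print $1}' \
    | tr ',' '\n' \
    | sed '/^$/d' \
    | sort | uniq \
    | awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }')

# Decide whether there is anything to write BEFORE stopping the audit
# subsystem: previously the script shut auditing down first and then exited
# on this branch, leaving the system with auditing disabled.
if [ -z "$EVENTS" ]; then
    echo "No events found in the $SNARE_CONF file - I will not update the audit configuration file." >&2
    exit 1
fi

# The event list becomes the replacement side of a sed expression, so the
# characters sed treats specially there (/ & \) are escaped first; otherwise
# an odd entry in snare.conf can corrupt, or inject into, the audit config.
SED_EVENTS=$(printf '%s\n' "$EVENTS" | sed 's/[\/&\\]/\\&/g')

"$AUDIT" shutdown || echo "warning: $AUDIT shutdown returned $?" >&2

if [ -f "$TEMPLATE" ]; then
    # Render into a scratch file first so a failing sed cannot leave a
    # truncated config behind; the directory is root-only, so a PID-based
    # name is acceptable here. The final copy is done with cat rather than mv
    # to keep the owner and mode of the existing config file.
    TMP="$AUDIT_CONFIG.$$.tmp"
    trap 'rm -f -- "$TMP"' EXIT
    if sed "s/SNARE_EVENTS_TEMPLATE/$SED_EVENTS/" "$TEMPLATE" > "$TMP" \
        && cat "$TMP" > "$AUDIT_CONFIG"; then
        echo "$AUDIT_CONFIG file updated"
    else
        echo "failed to generate $AUDIT_CONFIG from $TEMPLATE - check the file before relying on it" >&2
    fi
else
    # Do not claim an update that never happened.
    echo "$TEMPLATE not found - $AUDIT_CONFIG left unchanged" >&2
fi

# Always bring auditing back up, and report if that fails.
"$AUDIT" start || { echo "$AUDIT start failed (status $?)" >&2; exit 1; }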
