[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]



I thought the following really basic script might be useful to others.
The script adds tail functionality to the "human readable" audit log.
Particular care was taken to allow for "tail -f" functionality to work
reasonably well.  It's not perfect, unfortunately, so if you have any
improvements feel free to send them my way.  The hard part here is that
ausearch consults /etc/passwd quite a bit and will wreak havoc on the
audit log if /etc/passwd is being audited and ausearch is reading from
stdin.  There's no really good way to pipe raw audit records into
ausearch either, so the below is the best I could get.  There's one
side effect that I know of with this solution, and that is you may get a
"<no matches>" message.  I'll spend some time figuring out how to get
rid of it.  It'd be really great if you could pipe data directly into
ausearch rather than having to use "-if".



#!/bin/sh
# autail - tail functionality for the audit log
# Copyright (C) IBM Corporation, 2001
# Authors: Timothy R. Chavez <tinytim us ibm com>
#
# The "ausearch" utility accesses /etc/passwd frequently, so to prevent it
# from generating its own messages while reading from /dev/stdin, we disable
# it by introducing a short-circuit rule into the audit subsystem and run
# ausearch such that any record it generates is thrown away.
#
# Caveat: while the rule is loaded, every process running with the "autail"
# gid is exempt from syscall entry auditing, not only ausearch, and the
# groupadd/groupdel calls below generate audit records of their own.  The
# script needs root for auditctl, groupadd and groupdel.

insert_shortcircuit ()
{
        groupadd autail
        /sbin/auditctl -A entry,never -F gid=autail
}

remove_shortcircuit ()
{
        /sbin/auditctl -d entry,never -F gid=autail
        groupdel autail
}

# Take the rule out again on any exit: a plain "tail" finishing, Ctrl-C on
# "tail -f", or a SIGTERM.  INT/TERM just exit; the EXIT trap does the cleanup
# exactly once.
trap "remove_shortcircuit" EXIT
trap "exit 0" INT TERM

insert_shortcircuit

# Pipe the raw records from tail into ausearch, which runs under the exempted
# gid and interprets them (-i) as they arrive on stdin.
/usr/bin/tail "$@" /var/log/audit/audit.log | sg autail "/sbin/ausearch -i -if /dev/stdin"

exit 0
