From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Maria Tsiolakki <tmaria@cs.ucy.ac.cy>
Subject: Re: audit triggers sent email
Date: Wed, 12 Apr 2017 12:53:15 -0400
Message-ID: <1505438.pk458Es5PI@x2>
In-Reply-To: <bb0bbd73-b877-7168-1299-d15c77399896@cs.ucy.ac.cy>

Hello,

On Wednesday, April 12, 2017 9:14:27 AM EDT Maria Tsiolakki wrote:
> I have set up the audit log service (on Red Hat Linux 7.3) and I have
> placed rules such as, when a user accesses a specific directory, to log the
> action in the audit log. I want to go a step further and get an email
> notification when this happens. Can this be set up?

Sort of. You would have to create an audispd plugin to do it. I think that 
this is a nice question to make a blog post out of. So, I started a series of 
blogs today to show people how to write special purpose plugins.

In essence you would put a key on the event you want to get an email on, write 
a plugin that filters for that key, then call sendmail to create the message. 
If you have patience, I will give you the source code in the blog[1] to do 
this over the next couple days. If you are in a hurry and can write your own 
plugin, then skeleton code is here:

https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin

-Steve

[1] - http://security-plus-data-science.blogspot.com/
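The three-step recipe above (key the rule, filter for the key in a plugin, hand the event to sendmail) as an added example; this is not Steve's blog code nor the contrib/plugin skeleton. It assumes an audispd plugin config with format=string, so each audit record arrives on stdin as one text line, and a watch rule of the form `-w /srv/secret -p rwxa -k watch-secret`; the recipient address and the sample records are placeholders.

```python
#!/usr/bin/env python3
"""audispd plugin: e-mail when an audit record carries a chosen key.

Assumed setup (not from the original post): audispd runs this script with
direction=out, format=string, so every record is one line on stdin.
Only the SYSCALL record of an event carries key="...", so one event
(SYSCALL + CWD + PATH records) yields exactly one mail.
"""
import re
import subprocess
import sys

WATCH_KEY = "watch-secret"        # assumed key from the audit rule (-k)
MAIL_TO = "security@example.com"  # placeholder recipient
KEY_RE = re.compile(r'\bkey="?([^"\s]+)"?')        # key="name" or key=(null)
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # epoch:serial


def matching_event(line, key=WATCH_KEY):
    """Return (timestamp, serial) when the record carries `key`, else None."""
    m = KEY_RE.search(line)
    if not m or m.group(1) != key:
        return None
    t = MSG_RE.search(line)
    return (t.group(1), t.group(2)) if t else None


def build_message(line, key=WATCH_KEY):
    """Build a header+body text suitable for `sendmail -t` (reads To: itself)."""
    ts, serial = matching_event(line, key)
    return (f"To: {MAIL_TO}\n"
            f"Subject: audit key {key} hit (event {serial})\n\n"
            f"Audit event {serial} at epoch {ts}:\n{line.strip()}\n")


def notify(line, key=WATCH_KEY):
    """Mail the record if it matches; return whether anything was sent."""
    if matching_event(line, key) is None:
        return False
    subprocess.run(["/usr/sbin/sendmail", "-t"],
                   input=build_message(line, key).encode(), check=False)
    return True


if __name__ == "__main__":
    # audispd writes records line by line; process each one as it arrives.
    for record in sys.stdin:
        notify(record)
```

Keep the plugin fast: audispd drops or queues events when a plugin falls behind, so anything slower than a local sendmail hand-off belongs in a separate process.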
