From: "Timothy R. Chavez" <tinytim@us.ibm.com>
To: Audit Mailing List <linux-audit@redhat.com>
Subject: autail
Date: Tue, 24 Oct 2006 18:11:07 -0500
Message-ID: <1161731467.27200.1.camel@localhost.localdomain>
Hello,
I thought the following really basic script might be useful to others.
The script adds tail functionality to the "human readable" audit log.
Particular care was taken to allow for "tail -f" functionality to work
reasonably well. It's not perfect, unfortunately, so if you have any
improvements feel free to send them my way. The hard part here is that
ausearch consults /etc/passwd quite a bit and will wreak havoc on the
audit log if /etc/passwd is being audited and ausearch is reading from
stdin. There's no really good way to pipe raw audit records into
ausearch either, so the below is the best I could get it. There's one
side effect that I know of with this solution and that is you may get a
"<no matches>" message. I'll spend some time figuring out how to get
rid of it. It'd be really great if you could pipe data directly into
ausearch rather than having to use "-if".
Enjoy.
-tim
#!/bin/bash
#
# autail - tail functionality for the audit log
#
# Copyright (C) IBM Corporation, 2001
# Authors: Timothy R. Chavez <tinytim@us.ibm.com>
#
# The "ausearch" utility accesses /etc/passwd frequently, so to prevent it
# from generating its own messages while reading from /dev/stdin, we disable
# it by introducing a short-circuit rule into the audit subsystem and run
# ausearch such that any record it generates is thrown away.
#
# Note: while the rule is in place, every process running with gid "autail"
# is exempt from syscall auditing, so the rule must be removed on every
# exit path (normal end, SIGINT, SIGTERM).

insert_shortcircuit ()
{
    groupadd autail
    # "never" rule placed at the head of the list: skip auditing for gid autail
    /sbin/auditctl -A entry,never -F gid=autail
}

remove_shortcircuit ()
{
    /sbin/auditctl -d entry,never -F gid=autail
    groupdel autail
}

# Undo the rule and the group when the user interrupts "tail -f"
trap "{ remove_shortcircuit; exit 0; }" SIGINT SIGTERM

insert_shortcircuit
# tail's output is piped into ausearch, which runs under the exempt group;
# "$@" passes options such as -f or -n through to tail unchanged
/usr/bin/tail "$@" /var/log/audit/audit.log | sg autail "/sbin/ausearch -i -if /dev/stdin"
remove_shortcircuit
exit 0
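One way around the /etc/passwd feedback loop described above, as an added example that is not from the original post: read the passwd file once into a snapshot and resolve the uid/auid fields from that, so a watch on /etc/passwd is hit once rather than once per record and no "never" rule is needed. The function names, the snapshot file and the sample records are constructed for this example.

```shell
#!/bin/bash
# Added example, not part of the original post: interpret raw audit records
# from a one-time passwd snapshot instead of letting the interpreter read
# /etc/passwd on every record. With a watch on /etc/passwd this means one
# audited read instead of one per record, and no "never" rule is needed.

# Resolve uid=/auid= fields to names. $1: passwd-format snapshot file;
# raw records (as in /var/log/audit/audit.log) are read from stdin.
interpret_records() {
    awk -v passwd="$1" '
        BEGIN {
            while ((getline line < passwd) > 0) {
                split(line, f, ":")
                name[f[3]] = f[1]
            }
            close(passwd)
        }
        {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid" && kv[2] == "4294967295")
                    $i = "auid=unset"        # no login session (-1)
                else if ((kv[1] == "uid" || kv[1] == "auid") && (kv[2] in name))
                    $i = kv[1] "=" name[kv[2]]
            }
            print
        }'
}

# Constructed sample records; the uids match the constructed snapshot below.
SAMPLE='type=SYSCALL msg=audit(1161731467.123:45): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 gid=0 comm="cat" key="passwd-watch"
type=PATH msg=audit(1161731467.123:45): item=0 name="/etc/passwd" inode=12345 ouid=0
type=CRED_ACQ msg=audit(1161731470.000:46): pid=900 uid=0 auid=4294967295 ses=4294967295'

demo() {
    snap=$(mktemp)
    # Constructed snapshot standing in for one "cp /etc/passwd $snap" done
    # before "tail -f" starts, so later lookups never touch /etc/passwd.
    printf 'root:x:0:0:root:/root:/bin/bash\ntim:x:1000:1000::/home/tim:/bin/bash\n' > "$snap"
    printf '%s\n' "$SAMPLE" | interpret_records "$snap"
    rm -f "$snap"
}

demo
```

Only uid and auid are resolved here; ausearch -i also interprets gid, syscall numbers and many other fields, so this is a reduced interpreter meant to show the snapshot approach, not a replacement.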