From: "Timothy R. Chavez"
Subject: autail
Date: Tue, 24 Oct 2006 18:11:07 -0500
Message-ID: <1161731467.27200.1.camel@localhost.localdomain>
To: Audit Mailing List
List-Id: linux-audit@redhat.com

Hello,

I thought the following really basic script might be useful to others. The script adds tail functionality to the "human readable" audit log. Particular care was taken to allow for "tail -f" functionality to work reasonably well. It's not perfect, unfortunately, so if you have any improvements feel free to send them my way.

The hard part here is that ausearch consults /etc/passwd quite a bit and will wreak havoc on the audit log if /etc/passwd is being audited and ausearch is reading from stdin. There's no really good way to pipe raw audit records into ausearch either, so the below is the best I could get it. There's one side effect that I know of with this solution and that is you may get a "" message. I'll spend some time figuring out how to get rid of it. It'd be really great if you could pipe data directly into ausearch rather than having to use "-if".

Enjoy.

-tim

#!/bin/bash
#
# autail - tail functionality for the audit log
#
# Copyright (C) IBM Corporation, 2001
# Authors: Timothy R. Chavez
#
# The "ausearch" utility accesses /etc/passwd frequently, so to prevent it
# from generating its own messages while reading from /dev/stdin, we disable
# it by introducing a short-circuit rule into the audit subsystem and run
# ausearch such that any record it generates is thrown away.
#
# Must run as root: it creates a group and changes the audit rule set.
#

insert_shortcircuit () {
	# A throw-away group that only ausearch will run under.
	groupadd autail
	# -A prepends the rule, so the "never" action is evaluated before any
	# other rule and records from gid=autail are dropped at syscall entry.
	/sbin/auditctl -A entry,never -F gid=autail
}

remove_shortcircuit () {
	/sbin/auditctl -d entry,never -F gid=autail
	groupdel autail
}

# Ctrl-C (or a kill) must still undo the rule and the group.
trap "{ remove_shortcircuit; exit 0; }" SIGINT SIGTERM

insert_shortcircuit
# Feed the raw records to ausearch over a pipe; sg runs it with gid=autail
# so its own reads of /etc/passwd match the "never" rule above. "$@" passes
# the user's tail options (e.g. -f, -n 50) through unchanged.
/usr/bin/tail "$@" /var/log/audit/audit.log | sg autail "/sbin/ausearch -i -if /dev/stdin"
remove_shortcircuit

exit 0
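A way to check whether the feedback loop described above (ausearch's own reads of /etc/passwd landing in the audit log) is present in a given log, as an added example that is not part of the original post. The audit records below are constructed sample data, and the event-joining logic assumes the standard audit.log layout in which the SYSCALL and PATH records of one event share the serial inside msg=audit(timestamp:serial).

```shell
#!/bin/sh
# Count audit events in which ausearch itself read /etc/passwd: the
# feedback loop the never-rule in autail is meant to suppress.
# Reads raw audit.log text on stdin and prints the number of such events.
count_ausearch_passwd_events() {
    awk '
        {
            # extract the event serial from msg=audit(<timestamp>:<serial>)
            if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
            s = substr($0, RSTART, RLENGTH)
            sub(/.*:/, "", s); sub(/\)/, "", s)
        }
        /^type=SYSCALL / && /comm="ausearch"/    { sys[s] = 1 }
        /^type=PATH / && /name="\/etc\/passwd"/  { path[s] = 1 }
        END {
            # an event counts only if its SYSCALL came from ausearch AND
            # one of its PATH records names /etc/passwd
            n = 0
            for (k in sys) if (k in path) n++
            print n
        }
    '
}

# Constructed sample records (not real log data). Event 100 is ausearch
# reading /etc/passwd; event 101 is an unrelated editor doing the same.
SAMPLE_POLLUTED='type=SYSCALL msg=audit(1161731467.001:100): arch=c000003e syscall=2 success=yes exit=3 comm="ausearch" exe="/sbin/ausearch"
type=CWD msg=audit(1161731467.001:100): cwd="/root"
type=PATH msg=audit(1161731467.001:100): item=0 name="/etc/passwd" inode=12 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1161731467.002:101): arch=c000003e syscall=2 success=yes exit=3 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1161731467.002:101): item=0 name="/etc/passwd" inode=12 dev=08:01 mode=0100644 ouid=0 ogid=0'

# The same log with the ausearch event absent, as the never rule would leave it.
SAMPLE_CLEAN=$(printf '%s\n' "$SAMPLE_POLLUTED" | grep -v ':100)')

printf 'polluted log: %s self-generated event(s)\n' \
    "$(printf '%s\n' "$SAMPLE_POLLUTED" | count_ausearch_passwd_events)"
printf 'clean log:    %s self-generated event(s)\n' \
    "$(printf '%s\n' "$SAMPLE_CLEAN" | count_ausearch_passwd_events)"
```

On a live system, run `count_ausearch_passwd_events < /var/log/audit/audit.log` before and after loading the rule; a non-zero count with the rule in place means records are still getting through.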