* autail
From: Timothy R. Chavez @ 2006-10-24 23:11 UTC (permalink / raw)
To: Audit Mailing List
Hello,
I thought the following really basic script might be useful to others.
The script adds tail functionality to the "human readable" audit log.
Particular care was taken to allow for "tail -f" functionality to work
reasonably well. It's not perfect, unfortunately, so if you have any
improvements feel free to send them my way. The hard part here is that
ausearch consults /etc/passwd quite a bit and will wreak havoc on the
audit log if /etc/passwd is being audited and ausearch is reading from
stdin. There's no really good way to pipe raw audit records into
ausearch either, so the below is the best I could get it. There's one
side effect that I know of with this solution and that is you may get a
"<no matches>" message. I'll spend some time figuring out how to get
rid of it. It'd be really great if you could pipe data directly into
ausearch rather than having to use "-if".
Enjoy.
-tim
#!/bin/bash
#
# autail - tail functionality for the audit log
#
# Copyright (C) IBM Corporation, 2001
# Authors: Timothy R. Chavez <tinytim@us.ibm.com>
#
# The "ausearch" utility accesses /etc/passwd frequently, so to prevent it
# from generating its own messages while reading from /dev/stdin, we disable
# it by introducing a short-circuit rule into the audit subsystem and run
# ausearch such that any record it generates is thrown away.
#
# Usage: autail [tail options], e.g. "autail -f" or "autail -n 50".
# Must run as root: auditctl, groupadd and reading audit.log all require it.

if [ "$(id -u)" -ne 0 ]; then
    echo "autail: must be run as root" >&2
    exit 1
fi

AUDIT_LOG=/var/log/audit/audit.log

insert_shortcircuit ()
{
    # Dedicated group so the "never" rule matches only our ausearch process.
    groupadd autail
    # Prepend a rule that drops every syscall record for processes in the
    # autail group, so ausearch's reads of /etc/passwd are not logged.
    /sbin/auditctl -A entry,never -F gid=autail
}

remove_shortcircuit ()
{
    /sbin/auditctl -d entry,never -F gid=autail
    groupdel autail
}

# Remove the rule and the group if the user interrupts "tail -f".
trap "{ remove_shortcircuit; exit 0; }" SIGINT SIGTERM

insert_shortcircuit

# tail feeds raw records to ausearch, which runs under the autail group and
# interprets them (-i) as it reads them from stdin (-if /dev/stdin).
/usr/bin/tail "$@" "$AUDIT_LOG" | sg autail "/sbin/ausearch -i -if /dev/stdin"

remove_shortcircuit
exit 0
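As an added illustration, not part of the post or of the audit project's own code: the interpretation step that `ausearch -i` performs for autail, written in Python over a constructed pair of raw records. The uid/gid tables are constructed and loaded once up front; that lookup is the part of ausearch's work that touches /etc/passwd and causes the feedback loop the post describes when /etc/passwd is watched.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not from a real system): two raw records of one event
# (serial 45) in which ausearch itself opens /etc/passwd. These are exactly
# the records the post's "never" rule on the autail group suppresses.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1161734400.123:45): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2000 auid=500 uid=0 gid=0 euid=0 comm="ausearch" exe="/sbin/ausearch" key="passwd-watch"
type=PATH msg=audit(1161734400.123:45): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

# Constructed lookup tables, loaded once before tailing so that interpreting
# records never re-reads /etc/passwd (and never generates audit events).
PASSWD = {0: "root", 500: "tim"}
GROUPS = {0: "root", 500: "tim"}

UID_FIELDS = {"uid", "auid", "euid", "suid", "fsuid", "ouid"}
GID_FIELDS = {"gid", "egid", "sgid", "fsgid", "ogid"}

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d{3}):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def interpret_record(line, passwd=PASSWD, groups=GROUPS):
    """Return (serial, human-readable record) for one raw line, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, body = m.groups()
    ts = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    fields = []
    for key, val in FIELD_RE.findall(body):
        if key in UID_FIELDS and val.isdigit():
            val = passwd.get(int(val), f"unknown({val})")
        elif key in GID_FIELDS and val.isdigit():
            val = groups.get(int(val), f"unknown({val})")
        fields.append(f"{key}={val}")
    stamp = ts.strftime("%m/%d/%Y %H:%M:%S") + f".{millis}:{serial}"
    return int(serial), f"type={rtype} msg=audit({stamp}) : " + " ".join(fields)


def interpret_log(text):
    """Group interpreted records into events keyed by serial, as ausearch does."""
    events = {}
    for line in text.splitlines():
        rec = interpret_record(line)
        if rec:
            events.setdefault(rec[0], []).append(rec[1])
    return events


if __name__ == "__main__":
    for recs in interpret_log(SAMPLE_LOG).values():
        print("----\n" + "\n".join(recs))
```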
* Re: autail
From: Timothy R. Chavez @ 2006-10-24 23:18 UTC (permalink / raw)
To: Audit Mailing List
On Tue, 2006-10-24 at 18:11 -0500, Timothy R. Chavez wrote:
<snip>
> #!/bin/bash
> #
> # autail - tail functionality for the audit log
> #
> # Copyright (C) IBM Corporation, 2001
Hah, that's what I get for copy-and-pasting :)
-tim