linux-audit.redhat.com archive mirror
* audit triggers sent email
@ 2017-04-12 13:14 Maria Tsiolakki
  2017-04-12 16:53 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Maria Tsiolakki @ 2017-04-12 13:14 UTC (permalink / raw)
  To: linux-audit

Hello,

I have set up the audit log service (on Red Hat Linux 7.3) and I have
placed rules such as when a user accesses a specific directory to log the
action in the audit log. I want to go a step further, and get an email
notification when this happens.
Can this be set up?

Thank you

Maria

* Re: audit triggers sent email
  2017-04-12 13:14 audit triggers sent email Maria Tsiolakki
@ 2017-04-12 16:53 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2017-04-12 16:53 UTC (permalink / raw)
  To: linux-audit; +Cc: Maria Tsiolakki

Hello,

On Wednesday, April 12, 2017 9:14:27 AM EDT Maria Tsiolakki wrote:
> I have set up the audit log service (on Red Hat Linux 7.3) and I have
> placed rules such as when a user accesses a specific directory to log the
> action in the audit log. I want to go a step further, and get an email
> notification when this happens. Can this be set up?

Sort of. You would have to create an audispd plugin to do it. I think that 
this is a nice question to make a blog post out of. So, I started a series of 
blogs today to show people how to write special purpose plugins.

In essence you would put a key on the event you want to get an email on, write 
a plugin that filters for that key, then call sendmail to create the message. 
If you have patience, I will give you the source code in the blog[1] to do 
this over the next couple days. If you are in a hurry and can write your own 
plugin, then skeleton code is here:

https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin

-Steve

[1] - http://security-plus-data-science.blogspot.com/
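
The flow described in the reply above (key the event, filter for that key, hand the message to sendmail), as an added example that is not the blog's code or the project's skeleton. It assumes the plugin is registered with string format so that one record arrives per line on stdin, a rule key named `watched-dir`, and a placeholder recipient; the event id is restricted to digits, '.' and ':' so that nothing from a record can reach the mail headers.

```c
#define _POSIX_C_SOURCE 200809L    /* for popen() */
#include <stdio.h>
#include <string.h>

#define KEY  "watched-dir"         /* assumed key given to the rule with -k */
#define RCPT "secops@example.com"  /* placeholder recipient */

/* 1 if the record has key="<key>" as a complete field, else 0. */
int has_key(const char *rec, const char *key)
{
    char pat[128];
    snprintf(pat, sizeof(pat), " key=\"%s\"", key);
    return strstr(rec, pat) != NULL;
}

/* Copy the event id from msg=audit(...); digits, '.' and ':' only. */
int event_id(const char *rec, char *out, size_t n)
{
    const char *p = strstr(rec, "msg=audit(");
    size_t i = 0;
    if (!p || n == 0) return -1;
    for (p += 10; *p && *p != ')'; p++) {
        if (!strchr("0123456789.:", *p) || i + 1 >= n) return -1;
        out[i++] = *p;
    }
    out[i] = '\0';
    return (*p == ')' && i > 0) ? 0 : -1;
}

/* Headers, blank line, then the raw record as body; -1 if it does not fit. */
int format_mail(char *buf, size_t n, const char *id, const char *rec)
{
    int len = snprintf(buf, n, "To: %s\nSubject: audit key %s, event %s\n\n%s\n",
                       RCPT, KEY, id, rec);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

int main(void)
{
    char rec[9216], id[64], mail[9472];
    while (fgets(rec, sizeof(rec), stdin)) {      /* one record per line */
        rec[strcspn(rec, "\n")] = '\0';
        if (!has_key(rec, KEY) || event_id(rec, id, sizeof(id)) != 0) continue;
        if (format_mail(mail, sizeof(mail), id, rec) < 0) continue;
        FILE *mp = popen("/usr/sbin/sendmail -t", "w");  /* fixed command line */
        if (mp) { fputs(mail, mp); pclose(mp); }
    }
    return 0;
}
```

A watched directory that is accessed often produces one message per matching record, so a real deployment would also want rate limiting or batching.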
