From: Steve Grubb
Subject: Re: audit triggers sent email
Date: Wed, 12 Apr 2017 12:53:15 -0400
Message-ID: <1505438.pk458Es5PI@x2>
To: linux-audit@redhat.com
Cc: Maria Tsiolakki
List-Id: linux-audit@redhat.com

Hello,

On Wednesday, April 12, 2017 9:14:27 AM EDT Maria Tsiolakki wrote:
> I have set up the audit log service (on Red Hat Linux 7.3) and I have
> placed rules such as when a user accesses a specific directory to log the
> action in the audit log. I want to go a further step, and get an email
> notification when this happens. Can this be set up?

Sort of. You would have to create an audispd plugin to do it. I think that
this is a nice question to make a blog post out of. So, I started a series of
blogs today to show people how to write special purpose plugins.

In essence you would put a key on the event you want to get an email on, write
a plugin that filters for that key, then call sendmail to create the message.
If you have patience, I will give you the source code in the blog[1] to do this
over the next couple days. If you are in a hurry and can write your own plugin,
then skeleton code is here:

https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin

-Steve

[1] - http://security-plus-data-science.blogspot.com/
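
Added example, not part of the original message and not the audit-userspace skeleton or the blog's code: a minimal sketch of the approach described above (key on the rule, plugin filters for the key, sendmail builds the message). It assumes audispd hands the plugin records in string format on stdin; the key `dir-watch`, the recipient address and the sendmail path are placeholders.

```python
import re
import subprocess
import sys
from email.message import EmailMessage

WATCH_KEY = "dir-watch"         # assumed key, set with -k on the audit rule
MAIL_TO = "secops@example.com"  # assumed recipient
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
KEY = re.compile(r'(?:^| )key="([^"]*)"')
SAMPLE = [  # constructed records, not captured from a real system
    'type=SYSCALL msg=audit(1492015995.123:456): syscall=2 uid=1000 comm="cat" key="dir-watch"',
    'type=PATH msg=audit(1492015995.123:456): item=0 name="/srv/secret/report.txt"',
    'type=SYSCALL msg=audit(1492015996.001:457): syscall=2 uid=1000 comm="ls" key=(null)',
]

def event_id(record):
    m = EVENT_ID.search(record)
    return m.group(1) if m else None

def matching_events(lines, key=WATCH_KEY):
    """Group consecutive records by event id; yield events that carry key."""
    current, eid, wanted = [], None, False
    for line in map(str.rstrip, lines):
        rid = event_id(line)
        if rid is None:
            continue                # not an audit record
        if rid != eid:              # next event begins: flush the previous one
            if wanted:
                yield current
            current, eid, wanted = [], rid, False
        current.append(line)
        wanted = wanted or key in KEY.findall(line)
    if wanted:
        yield current

def build_mail(records, key=WATCH_KEY):
    # Headers hold only the configured key and the event id; record text
    # (file names, comm) can be attacker-influenced and stays in the body.
    msg = EmailMessage()
    msg["To"] = MAIL_TO
    msg["Subject"] = f"audit key {key}: event {event_id(records[0])}"
    msg.set_content("\n".join(records) + "\n")
    return msg

if __name__ == "__main__":  # plugin mode: audispd writes records to stdin
    for event in matching_events(sys.stdin):
        # assumed MTA path; argv list, no shell; -t takes the recipient from To
        subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"],
                       input=build_mail(event).as_bytes(), check=True)
```

Because events are flushed when the next event id appears, the mail for a matching event goes out once the following record arrives or stdin closes.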