Hello,
I thought the following really basic script might be useful to others.
The script adds tail functionality to the "human readable" audit log.
Particular care was taken to allow for "tail -f" functionality to work
reasonably well. It's not perfect, unfortunately, so if you have any
improvements feel free to send them my way. The hard part here is that
ausearch consults /etc/passwd quite a bit and will wreak havoc on the
audit log if /etc/passwd is being audited and ausearch is reading from
stdin. There's no really good way to pipe raw audit records into
ausearch either, so the below is the best I could get it. There's one
side effect that I know of with this solution and that is you may get a
"<no matches>" message. I'll spend some time figuring out how to get
rid of it. It'd be really great if you could pipe data directly into
ausearch rather than having to use "-if".
Enjoy.
-tim
#!/bin/bash
#
# autail - tail functionality for the audit log
#
# Copyright (C) IBM Corporation, 2001
# Authors: Timothy R. Chavez <tinytim(a)us.ibm.com>
#
# The "ausearch" utility accesses /etc/passwd frequently, so to prevent it
# from generating its own messages while reading from /dev/stdin, we disable
# it by introducing a short-circuit rule into the audit subsystem and run
# ausearch such that any record it generates is thrown away.
#

# Create a throwaway group and tell the audit subsystem never to record
# syscalls made under that gid; ausearch is later run in that group via sg(1).
insert_shortcircuit ()
{
    groupadd autail
    /sbin/auditctl -A entry,never -F gid=autail
}

# Undo the above: drop the never-rule first, then the temporary group.
remove_shortcircuit ()
{
    /sbin/auditctl -d entry,never -F gid=autail
    groupdel autail
}

# Clean up the rule and group if the user hits Ctrl-C or the script is killed.
trap "{ remove_shortcircuit; exit 0; }" SIGINT SIGTERM

insert_shortcircuit
# Feed tail's raw records into ausearch, which interprets them into the
# "human readable" form. "$@" passes tail's options (e.g. -f, -n 50) through
# unchanged, including any that contain whitespace.
/usr/bin/tail "$@" /var/log/audit/audit.log | sg autail "/sbin/ausearch -i -if /dev/stdin"
remove_shortcircuit
exit 0
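As an added example (not tim's script, and nothing shipped with the audit package), here is a Python variant of the same idea that avoids feeding ausearch from an endless stdin: it follows audit.log, groups raw records by their audit(timestamp:serial) event id, and runs `ausearch -i -if` over a temp file holding one complete event at a time, so ausearch always sees a finite file. It assumes /sbin/ausearch exists and that a gid never-rule like the script's is still installed if /etc/passwd is under an audit watch; the log path, the `idle` flush timeout and the sample records are my own choices.

```python
import os
import re
import subprocess
import tempfile
import time

# All records of one event share msg=audit(<ts>:<serial>); that is the unit to interpret.
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\):")

def event_id(line):
    """Return the 'timestamp:serial' id of a raw audit record, else None."""
    m = EVENT_ID.search(line)
    return m.group(1) if m else None

def split_events(lines):
    """Group records by event id in first-seen order -> [(id, [records])]; id-less lines dropped."""
    events = {}
    for line in lines:
        eid = event_id(line)
        if eid is not None:
            events.setdefault(eid, []).append(line.rstrip("\n"))
    return list(events.items())

def interpret(records, ausearch="/sbin/ausearch"):
    """Interpret one complete event with ausearch -i via a temp file (assumes ausearch exists)."""
    with tempfile.NamedTemporaryFile("w", suffix=".log") as tmp:
        tmp.write("\n".join(records) + "\n")
        tmp.flush()
        done = subprocess.run([ausearch, "-i", "-if", tmp.name], capture_output=True, text=True)
    return done.stdout

def follow(path="/var/log/audit/audit.log", idle=1.0):
    """tail -f the log; yield an event once a newer serial appears or the log is quiet `idle` s."""
    fh, ino, pending = open(path), os.stat(path).st_ino, []
    fh.seek(0, os.SEEK_END)                      # start at the end, like tail -f
    while True:
        if os.stat(path).st_ino != ino:          # logrotate swapped the file: reopen it
            fh, ino = open(path), os.stat(path).st_ino
        line = fh.readline()
        newest = event_id(line)                  # None at EOF or for a record without an id
        if line and newest is None:
            continue
        if line:
            pending.append(line)
        ready = [ev for ev in split_events(pending) if ev[0] != newest]
        pending = [l for l in pending if event_id(l) == newest]
        yield from ready                         # every event older than `newest` is complete
        if not line:
            time.sleep(idle)
```

Typical use is `for eid, recs in follow(): print(interpret(recs))`, which needs root to read the log and the never-rule from the script if /etc/passwd is watched.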