
Due to auditing policies (auditd.log is monitored), I have to send alert messages from my ad hoc check scripts to auditd.log. Any idea what the best / standard solution is? I think that echo log >> auditd.log is not a good idea.

E.g. I have this check script for checking valid home directories:

awk -F: '$3 >= 1000 {print $1, $6 }' /etc/passwd |
while read -r user directory; do
    if [ ! -d "$directory" ]; then
        echo "Found invalid directories $user"
    fi
done |
# If no output, print default message
grep '^' >&2 || echo "No invalid directories" >&2

As I understood, auditd.log has some standard format, e.g.:

type=SERVICE_START msg=audit(1621698670.030:74): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=kdump comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
andrew

1 Answer


The easiest way to do this is to use the logger command. Something like this should work: logger -p user.warn "whatever log message you want in the log"

Verify the syslog channel/priority is configured for your audit log in /etc/syslog.conf. You may need to add one? Remember to use tabs and not spaces.

t3ln3t
  • Yes, thanks for the info. logger is good for passing messages to syslog; however, as I understood correctly from the Red Hat link below, with audit rules you can only monitor changes to specified files, not create new rules to log new messages. So a workaround could be to monitor some alert log file where all the output of my script checks will go. Correct? https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-defining_audit_rules_and_controls – andrew Jun 08 '21 at 12:43
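The following is an added example (not code from the question or the answer) that puts the two pieces together: the home-directory check from the question, restructured into functions, with each finding handed to syslog through logger as the answer suggests, rather than appended to audit.log by hand. The passwd content is constructed inline so it runs offline; the tag home-check, the priorities user.warn / user.info and the HOME_CHECK_RUN variable are assumptions, not anything the page specifies.

```shell
#!/bin/sh
# Added example: home-directory check that reports through logger (syslog)
# instead of writing to auditd.log directly. Not part of the original post.

# Constructed passwd-format sample. $1 must be a directory that exists on
# this machine, so "alice" is valid and only "bob" is reported. Real use
# would read /etc/passwd instead.
sample_passwd() {
    printf 'root:x:0:0:root:/root:/bin/bash\n'
    printf 'alice:x:1000:1000::%s:/bin/bash\n' "$1"
    printf 'bob:x:1001:1001::/nonexistent/bob:/bin/sh\n'
}

# Read passwd-format text on stdin; print "user directory" for every
# account with UID >= 1000 whose home directory does not exist.
find_invalid_homes() {
    awk -F: '$3 >= 1000 { print $1, $6 }' |
    while read -r user directory; do
        [ -d "$directory" ] || printf '%s %s\n' "$user" "$directory"
    done
}

# Build the message text for one finding. Kept separate from the logger
# call so the wording can be checked without a syslog daemon.
format_alert() {
    printf 'home-check: invalid home directory %s for user %s' "$2" "$1"
}

# Read findings on stdin and send each one to syslog via logger.
# Tag and priorities are assumptions; adjust to match your syslog config.
report_invalid_homes() {
    count=0
    while read -r user directory; do
        logger -t home-check -p user.warn "$(format_alert "$user" "$directory")"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        logger -t home-check -p user.info "home-check: no invalid directories"
    fi
}

# Full run against the real system: /etc/passwd -> check -> syslog.
main() {
    find_invalid_homes < /etc/passwd | report_invalid_homes
}

# Only run against the live system when explicitly asked, so the file can
# also be sourced for testing without touching syslog.
if [ "${HOME_CHECK_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as HOME_CHECK_RUN=1 sh home-check.sh (for example from cron). Whether the messages end up in the file your policy monitors depends on the facility/priority mapping in /etc/syslog.conf, as the answer notes. If the policy instead requires the events to appear in auditd's own log, the approach from the comment applies: direct the script's output to a dedicated alert file and place an audit watch rule on that file (auditctl -w with -p wa, as described in the linked Red Hat guide), so each write shows up in audit.log with the rule's key.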