This code doesn't work. I want to keep audit alerts on a file and generate an email (only once) whenever an event is generated. I used nohup & because I need this code running all the time.
No, it's not a surprise. But I want to look for possible ways to get mail running only when new events are generated. I've tested several commands but no success.
First, nohup should be applied to a wrapper script, so every process on the pipe is under nohup.
Let's assume that mess only produces output when there is a problem. I folded it, just couldn't help myself, sorry!
A time stamp in the email subject might be good, too! The stuff sometimes stops for a beer before showing up, or causes a panic when misfiled back to the inbox.
#!/bin/sh
# Wrapper script: start it under nohup so every process in the pipe survives logout.
# Caveat: auditstream keeps running until the audit subsystem is shut down, so the
# command substitution below only returns (and mails) when that stream closes.
while true   # or run a single pass from crontab
do
    zmsg=$(
    /usr/sbin/auditstream |\
    /usr/sbin/auditselect -m -e "\
    event == USER_Create ||\
    event == USER_Remove ||\
    event == USER_Change ||\
    event == GROUP_Create ||\
    event == GROUP_Remove ||\
    event == GROUP_Change ||\
    event == PASSWORD_Change\
    " |\
    /usr/sbin/auditpr -h elrtRc -t2 -v
    )
    # Mail only when the pipeline produced something; keep a copy in the log file.
    if [ -n "$zmsg" ]
    then
        echo "$zmsg" | tee -a /var/syslog/auditalerts.log |\
            mail -s "AUDITALERT: Alert on $(hostname) $(date '+%Y-%m-%d %H:%M:%S')" user@domain
    fi
    sleep 9
done
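As an added example (not the thread's own code), the same pipeline written to stream records instead of capturing them with $(...), which never returns while auditstream is running; it mails once per distinct record and suppresses exact repeats. MAILCMD, ALERT_TO, SEEN and the auditpr column layout (event name first) are assumptions of this example.

```shell
#!/bin/sh
# Added example: stream AIX audit records and mail once per distinct record.
# auditstream runs until audit is shut down, so the pipeline must be read
# line by line rather than captured with $(...).
EVENTS="USER_Create USER_Remove USER_Change GROUP_Create GROUP_Remove GROUP_Change PASSWORD_Change"
AUDIT_LOG=${AUDIT_LOG:-/var/syslog/auditalerts.log}
SEEN=${SEEN:-/var/syslog/auditalerts.seen}   # assumed: records already mailed
MAILCMD=${MAILCMD:-mail}                      # assumed hook: takes -s subject recipient
ALERT_TO=${ALERT_TO:-user@domain}

# Join the event names into the expression auditselect -e expects.
select_expr() {
    out=""
    for ev in $EVENTS; do
        out="${out:+$out || }event == $ev"
    done
    printf '%s\n' "$out"
}

# Read auditpr lines on stdin. A line is a record if its first field is one
# of our events (the header and -v trail lines are skipped). Identical
# records are mailed only once. Prints the number of alerts sent.
alert_once() {
    sent=0
    while read -r line; do
        set -f; set -- $line; set +f          # split fields without globbing
        case " $EVENTS " in *" $1 "*) ;; *) continue ;; esac
        grep -qxF -- "$line" "$SEEN" 2>/dev/null && continue
        printf '%s\n' "$line" >> "$SEEN"
        printf '%s\n' "$line" | tee -a "$AUDIT_LOG" |
            $MAILCMD -s "AUDITALERT: $1 on $(hostname) $(date '+%Y-%m-%d %H:%M:%S')" "$ALERT_TO"
        sent=$((sent + 1))
    done
    echo "$sent"
}

# Production entry point: run this script itself under nohup.
run_monitor() {
    /usr/sbin/auditstream |
        /usr/sbin/auditselect -m -e "$(select_expr)" |
        /usr/sbin/auditpr -h elrtRc -t2 -v |
        alert_once > /dev/null
}
```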