I need help with scripting -- Please help
Hi,
I am trying to figure out how I can add an alert to the audit.conf file (/etc/audit/audit.conf) to send an e-mail when the threshold is reached.
I am new to Linux and not an expert in writing Linux scripts. Please help.
Below is the original audit.conf, so you can see it and help me with what should happen when the threshold is reached.
Thank you in advance.
Jorge
# Audit daemon configuration: kernel device, filter file, one active
# output block (bin mode), and two disk-space thresholds with actions.
# kernel interface
device-file = "/dev/audit";
# filter config
filter-config = "/etc/audit/filter.conf";
# Standard output method is bin mode.
#
output {
mode = bin;
num-files = 4;
file-size = 20M;
file-name = "/var/log/audit.d/bin";
# External command run by the daemon (presumably on bin rotation -- confirm
# against the audit.conf documentation). It runs with the daemon's
# privileges, so the binary and its directory must be writable only by root.
notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C";
# The following symlink is created whenever we switch to
# a new bin.
current = "/var/log/audit";
sync = yes;
# On an output error the configured action is to suspend.
error {
action {
type = suspend;
};
};
};
# Alternatively, write to /var/log/audit in normal
# append mode
# output {
# mode = append;
# file-name = "/var/log/audit";
# sync = yes;
# };
# Alternative output
# output {
# mode = stream;
# command = "/usr/local/sbin/send_to_syslog"
# };
# Disk usage thresholds.
# These thresholds are checked at regular intervals when
# append mode is used.
# (bin mode doesn't require these checks as the bin files
# are preallocated).
# NOTE(review): the active output block above uses "mode = bin", and the
# comment just above states these checks apply to append mode. Confirm that
# the thresholds below actually fire with the current output mode before
# relying on them for alerting.
threshold disk-space-low {
space-left = 10M;
# Log to syslog, facility security, priority warning.
action {
type = syslog;
facility = security;
priority = warning;
};
# Run an external command. This is the existing hook for an external
# notification; the command runs with the daemon's privileges (presumably
# root -- confirm), so the script and its directory must be writable only
# by root, and it should not trust any input it reads from the environment.
action {
type = notify;
command = "/usr/local/bin/page-admin";
};
# Record an audit event of the named type.
action {
type = audit;
event = AUDIT_disklow;
};
};
threshold disk-full {
space-left = 20K;
# Log to syslog, facility security, priority crit.
action {
type = syslog;
facility = security;
priority = crit;
};
# Record an audit event of the named type. No notify action is configured
# for this threshold, so no external command runs when the disk is full.
action {
type = audit;
event = AUDIT_diskfull;
};
};