How to integrate seaudit-report in logwatch


Today, I revised my logwatch configuration and I decided to use an external parser for the SELinux audits. Logwatch includes such a parser (the /usr/share/logwatch/scripts/services/audit script), but I tend to prefer seaudit-report, part of the setools-gui package in Fedora. Don’t let the package name confuse you: seaudit-report is a CLI tool.

There are two ways that this integration can be achieved:

  1. completely override the default audit script by placing one with the same name in /etc/logwatch/scripts/services/
  2. create a new custom service for seaudit-report

I decided to follow the second way. The setools source package contains the necessary files for logwatch, but they needed some customization to reflect my setup. I use the auditd service to collect SELinux related messages, which are saved in /var/log/audit/audit.log.

The file that tells logwatch which log files to analyze is named seaudit-report-group.conf and needs to be put in the /etc/logwatch/conf/logfiles/ directory. As I mentioned previously, the audit records are written to /var/log/audit/audit.log, but /var/log/messages still carries some SELinux information, e.g. policy reloads. So, the logwatch log-group configuration file should contain the following lines:

LogFile = audit/audit.log
Archive = audit/audit.log.*.gz

LogFile = messages
Archive = messages.*.gz

The logwatch service configuration file, seaudit-report-service.conf, should be put in /etc/logwatch/conf/services/ and should contain the following:

Title = "SELinux Audit"
LogFile = seaudit-report-group

The seaudit-report utility does not read from stdin by default, so a wrapper script must be used to launch it with the proper options (--stdin). The setools source package contains such a script, seaudit-report-service, which should be put in the /etc/logwatch/scripts/services/ directory. The following code is based on the original script; the line that sets seaudit-report‘s location has been changed, since on some systems this utility is located in /usr/bin/ and on others, like mine, in /usr/sbin/. Note also that the exit status of seaudit-report must be saved immediately after it runs: the [ ] test of an if statement overwrites $? before the script gets a chance to read it.

#!/bin/sh

# Locate seaudit-report; it lives in /usr/bin on some systems and /usr/sbin on others.
SEAUDITREPORT=$(which seaudit-report)
OPTS="--stdin --malformed"

echo "Date Range: $LOGWATCH_DATE_RANGE"
echo "Detail Level: $LOGWATCH_DETAIL_LEVEL"
echo "Temp Dir: $LOGWATCH_TEMP_DIR"
echo "Debug Level: $LOGWATCH_DEBUG"

# logwatch feeds the selected log lines on stdin, hence --stdin.
${SEAUDITREPORT} ${OPTS}
# Save the exit status right away: the [ ] test below would overwrite $?.
RC=$?

if [ $RC -ne 0 ]; then
    echo >&2 "Failed while executing seaudit-report."
    exit $RC
fi

exit 0

The executable bit must also be set on this script:

# chmod u+x /etc/logwatch/scripts/services/seaudit-report-service

By issuing the following command, the SELinux report should be printed to stdout:

# logwatch --service seaudit-report-service --range all --print

Finally, it is possible to disable logwatch’s default SELinux analysis service (audit) by adding the following line in /etc/logwatch/conf/logwatch.conf:

Service = "-audit"

From now on, the SELinux section of the logwatch report is the one produced by seaudit-report, alongside the reports of the other services.
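The whole procedure above, from the log group to disabling the built-in audit service, as an added shell example (it is not the post's or the setools package's own code). It lays the three files down under a configurable root so the layout can be rehearsed in a scratch directory before touching /etc/logwatch, writes a wrapper that saves the exit status correctly, and includes a consistency check. Assumed: the standard logwatch layout conf/logfiles, conf/services and scripts/services under that root; the seaudit-report path is either passed as the second argument or discovered in /usr/bin or /usr/sbin; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post or from setools.
# install_seaudit_logwatch ROOT [SEAUDIT_PATH]: create the log group, the
# service definition and the wrapper script under ROOT (default /etc/logwatch).
install_seaudit_logwatch() {
    root="${1:-/etc/logwatch}"
    seaudit="${2:-}"
    if [ -z "$seaudit" ]; then
        # logwatch may run service scripts with a minimal PATH, so fall back
        # to the two locations mentioned in the post instead of trusting which.
        seaudit="$(command -v seaudit-report 2>/dev/null || true)"
        if [ -z "$seaudit" ]; then
            for p in /usr/bin/seaudit-report /usr/sbin/seaudit-report; do
                if [ -x "$p" ]; then seaudit="$p"; break; fi
            done
        fi
    fi
    [ -n "$seaudit" ] || { echo "seaudit-report not found" >&2; return 1; }

    mkdir -p "$root/conf/logfiles" "$root/conf/services" "$root/scripts/services" || return 1

    # Log group: auditd's log plus /var/log/messages (policy reloads etc.).
    cat > "$root/conf/logfiles/seaudit-report-group.conf" <<'EOF'
LogFile = audit/audit.log
Archive = audit/audit.log.*.gz

LogFile = messages
Archive = messages.*.gz
EOF

    # Service definition: ties the report title to the log group above.
    cat > "$root/conf/services/seaudit-report-service.conf" <<'EOF'
Title = "SELinux Audit"
LogFile = seaudit-report-group
EOF

    # Wrapper script: logwatch feeds the selected log lines on stdin. The
    # exit status is saved right after the run, before any test overwrites $?.
    wrapper="$root/scripts/services/seaudit-report-service"
    cat > "$wrapper" <<EOF
#!/bin/sh
SEAUDITREPORT="$seaudit"
OPTS="--stdin --malformed"

echo "Date Range: \$LOGWATCH_DATE_RANGE"
echo "Detail Level: \$LOGWATCH_DETAIL_LEVEL"

"\$SEAUDITREPORT" \$OPTS
RC=\$?
if [ "\$RC" -ne 0 ]; then
    echo "Failed while executing seaudit-report (exit \$RC)." >&2
    exit "\$RC"
fi
exit 0
EOF
    chmod u+x "$wrapper"
}

# disable_default_audit ROOT: add Service = "-audit" to logwatch.conf exactly once.
disable_default_audit() {
    conf="${1:-/etc/logwatch}/conf/logwatch.conf"
    mkdir -p "$(dirname "$conf")" || return 1
    touch "$conf" || return 1
    grep -q '^Service = "-audit"$' "$conf" || echo 'Service = "-audit"' >> "$conf"
}

# check_seaudit_logwatch ROOT: return 0 only if every piece is present and the
# service's LogFile really names an existing log-group file.
check_seaudit_logwatch() {
    root="${1:-/etc/logwatch}"
    svc="$root/conf/services/seaudit-report-service.conf"
    [ -f "$svc" ] || return 1
    group="$(sed -n 's/^LogFile = //p' "$svc")"
    [ -n "$group" ] && [ -f "$root/conf/logfiles/$group.conf" ] || return 1
    [ -x "$root/scripts/services/seaudit-report-service" ] || return 1
    grep -q '^LogFile = audit/audit.log$' "$root/conf/logfiles/$group.conf" || return 1
}

# Usage against the real tree (as root):
#   install_seaudit_logwatch /etc/logwatch && disable_default_audit /etc/logwatch
#   logwatch --service seaudit-report-service --range all --print
```

Running it first with a scratch root (install_seaudit_logwatch /tmp/lw /usr/sbin/seaudit-report; check_seaudit_logwatch /tmp/lw) lets you diff the generated files against an existing /etc/logwatch before installing for real. The check function is deliberately strict about the LogFile line in the service file, because a service that names a log group with no matching file silently produces an empty section.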

How to integrate seaudit-report in logwatch by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2006 - Some Rights Reserved


About George Notaras

George Notaras is the editor of the G-Loaded Journal, a technical blog about Free and Open-Source Software. George, among other things, is an enthusiast self-taught GNU/Linux system administrator. He has created this web site to share the IT knowledge and experience he has gained over the years with other people. George primarily uses CentOS and Fedora. He has also developed some open-source software projects in his spare time.