How to integrate seaudit-report in logwatch


Today, I revised my logwatch configuration and decided to use an external parser for the SELinux audit messages. Logwatch includes such a parser (the /usr/share/logwatch/scripts/services/audit script), but I tend to prefer seaudit-report, part of the setools-gui package in Fedora. Don't let the package name confuse you: seaudit-report is a CLI tool.

There are two ways that this integration can be achieved:

  1. completely override the default audit script by placing one with the same name in /etc/logwatch/scripts/services/
  2. create a new custom service for seaudit-report

I decided to follow the second way. The setools source package contains the necessary files for logwatch, but they needed some customization to reflect my setup. I use the auditd service to collect SELinux-related messages, which are saved in /var/log/audit/audit.log.

The file that tells logwatch which log files to analyze is named seaudit-report-group.conf and needs to be put in the /etc/logwatch/conf/logfiles/ directory. As mentioned previously, the audit records are written to /var/log/audit/audit.log, but /var/log/messages still holds some SELinux-related information, e.g. policy reloads. So, the logwatch log-group configuration file should contain the following lines:

LogFile = audit/audit.log
Archive = audit/audit.log.*.gz

LogFile = messages
Archive = messages.*.gz

The logwatch service configuration file, seaudit-report-service.conf, should be put in /etc/logwatch/conf/services/ and should contain the following:

Title = "SELinux Audit"
LogFile = seaudit-report-group

The seaudit-report utility, by default, does not accept input from stdin, so a wrapper script must be used in order to launch this utility with the proper options. The setools source package contains such a script, seaudit-report-service, which should be put in the /etc/logwatch/scripts/services/ directory. The following code is based on the original script; the main difference is the line that sets seaudit-report's location, since on some systems this utility is located in /usr/bin/ and on others, like mine, in /usr/sbin/:

#!/bin/sh
# logwatch feeds the selected log lines on stdin and exports the
# LOGWATCH_* variables; this wrapper hands the data to seaudit-report.

# Locate seaudit-report via PATH, since it lives in /usr/bin on some
# systems and in /usr/sbin on others.
SEAUDITREPORT=$(which seaudit-report)
OPTS="--stdin --malformed"

if [ -z "${SEAUDITREPORT}" ]; then
    echo >&2 "seaudit-report not found in PATH."
    exit 1
fi

echo "Date Range: $LOGWATCH_DATE_RANGE"
echo "Detail Level: $LOGWATCH_DETAIL_LEVEL"
echo "Temp Dir: $LOGWATCH_TEMP_DIR"
echo "Debug Level: $LOGWATCH_DEBUG"

${SEAUDITREPORT} ${OPTS}
# Save the exit status immediately: after the test below, $? would
# hold the result of the test itself, not of seaudit-report.
RC=$?

if [ $RC -ne 0 ]; then
    echo >&2 "Failed while executing seaudit-report."
    exit $RC
fi

exit 0

The executable bit also needs to be set on this script:

# chmod u+x /etc/logwatch/scripts/services/seaudit-report-service

By issuing the following command, the SELinux report should be printed to stdout:

# logwatch --service seaudit-report-service --range all --print

Finally, it is possible to disable logwatch's default SELinux analysis service (audit) by adding the following line to /etc/logwatch/conf/logwatch.conf:

Service = "-audit"

From now on, the SELinux section of the logwatch report should be the one produced by seaudit-report, alongside the sections of the other services.
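To confirm that the three pieces above (logfile group, service conf and wrapper) fit together before relying on the nightly report, here is a small checker I am adding as an example; it is not part of the setools or logwatch packages. It assumes logwatch's default LogDir of /var/log and takes an optional root prefix so it can also be run against a staged copy of the tree: it verifies that the wrapper is executable, that the service conf names a logfile group which exists, and that every LogFile in that group resolves under /var/log.

```shell
#!/bin/sh
# Check that the seaudit-report logwatch service is wired up consistently.
# $1 is an optional root prefix (empty for the live system); logwatch's
# default LogDir of /var/log is assumed.

# Print the value of every "LogFile = ..." entry in a conf file.
logfile_entries() {
    sed -n 's/^[[:space:]]*LogFile[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -d '"' | sed 's/[[:space:]]*$//'
}

check_seaudit_service() {
    root=${1:-}
    conf_dir="$root/etc/logwatch/conf"
    wrapper="$root/etc/logwatch/scripts/services/seaudit-report-service"
    svc_conf="$conf_dir/services/seaudit-report-service.conf"
    errors=0

    # The wrapper must exist and carry the executable bit.
    if [ ! -x "$wrapper" ]; then
        echo "missing or not executable: $wrapper"
        errors=$((errors + 1))
    fi

    # The service conf must name a logfile group, and that group conf must exist.
    group=$(logfile_entries "$svc_conf" 2>/dev/null | head -n 1)
    if [ -z "$group" ]; then
        echo "no LogFile entry in $svc_conf"
        errors=$((errors + 1))
    elif [ ! -f "$conf_dir/logfiles/$group.conf" ]; then
        echo "logfile group not found: $conf_dir/logfiles/$group.conf"
        errors=$((errors + 1))
    else
        # Every LogFile in the group is relative to LogDir and must exist,
        # otherwise logwatch has nothing to feed to seaudit-report.
        for f in $(logfile_entries "$conf_dir/logfiles/$group.conf"); do
            if [ ! -f "$root/var/log/$f" ]; then
                echo "log file missing: $root/var/log/$f"
                errors=$((errors + 1))
            fi
        done
    fi
    return "$errors"
}

# Run against the live system (or a staged root) when invoked with --run.
if [ "${1:-}" = "--run" ]; then check_seaudit_service "${2:-}"; fi
```

Run it as `sh check-seaudit.sh --run` on the live system, or pass a staging root as the second argument; the return value is the number of problems found.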

How to integrate seaudit-report in logwatch, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.
