Ping a Specific Port

Question

J'e

Asked: 2023-07-28 05:54:31 +0800 CST2023-07-28 05:54:31 +0800 CST 2023-07-28 05:54:31 +0800 CST

Audit log emails not going to the correct address

772

On Ubuntu 20, I'm trying to send audit logs to [email protected]. I do have a real domain and email server but I'm redacting them here. When I trigger an audit event, the email is instead sent to root on the local machine. So far I've tried the following:

Running echo "Subject: test" | sendmail -f root@my_machine.com [email protected] the test email is sent successfully.
/etc/audit/auditd.conf has been modified to replace action_mail_acct = root with action_mail_acct = [email protected]
After modifying auditd.conf, I restarted it using service auditd restart

I don't see any relevent errors in:

/var/log/mail.err
/var/log/mail.log

::: update :::

With the action_email_acct set to a real account, I then ran sudo ls in a terminal to generate an audit event that I can see in /var/log/audit/audit.log. Should I be seeing the audit event here if it's supposed to be emailed?

1 Answers

Voted

Esa Jokinen · Answer 1 · 2023-08-12T23:48:29+08:00

The action_mail_acct is not for sending audit alerts but for giving notifications about low disk space (below space_left or admin_space_left) when space_left_action or admin_space_left_action is configured to email. From auditd.conf(5):

space_left_action

This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. rotate will rotate logs, losing the oldest to free up space. email means that it will send a warning to the email account specified in action_mail_acct as well as sending the message to syslog. exec /path-to-script will execute the script. - -

admin_space_left_action

This parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. rotate will rotate logs, losing the oldest to free up space. email means that it will send a warning to the email account specified in action_mail_acct as well as sending the message to syslog. - -

Audit log emails not going to the correct address

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?