When using an email address in /etc/audit/auditd.conf, there is an option verify_email which is defined as,
This option determines if the email address given in action_mail_acct is checked to see if the domain name can be resolved. This option must be given before action_mail_acct or the default value of yes will be used.
When is the actual check performed? For example, when the service is started? When an audit event occures?
On Ubuntu 20, I'm trying to send audit logs to [email protected]. I do have a real domain and email server but I'm redacting them here. When I trigger an audit event, the email is instead sent to root on the local machine. So far I've tried the following:
echo "Subject: test" | sendmail -f root@my_machine.com [email protected] the test email is sent successfully./etc/audit/auditd.conf has been modified to replace action_mail_acct = root with action_mail_acct = [email protected]service auditd restartI don't see any relevent errors in:
::: update :::
With the action_email_acct set to a real account, I then ran sudo ls in a terminal to generate an audit event that I can see in /var/log/audit/audit.log. Should I be seeing the audit event here if it's supposed to be emailed?
