@kevsmith
Created July 20, 2018 17:06
#!/bin/bash
# Put all kernel audit messages in a log file we can search with ausearch.
# mktemp gives us a private (0600), unpredictable file instead of a fixed
# world-readable /tmp path that another user could pre-create or symlink.
log=$(mktemp /tmp/kernel_audit.XXXXXX)
grep -o -E "audit: .*" /var/log/messages | sed -e 's/audit: //g' > "${log}"
# Grab the serial numbers of all failing audit entries for the processes we care about;
# sort -u so an event that spans several records is only looked up once
entries=$(grep "success=no" "${log}" | grep -E "(datadog-agent|beam)" | \
grep -o -E "audit\([0-9]+\.[0-9]+:[0-9]+\)" | cut -d: -f2 | grep -o -E "[0-9]+" | sort -u)
# Display each matching event (add -i to ausearch to interpret numeric fields)
for e in ${entries}
do
    ausearch -if "${log}" -a "${e}"
done
echo "kernel audit log kept at ${log}"
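Added example, not part of the gist: the same extraction pipeline wrapped in functions and run over a handful of constructed syslog lines, so the parsing step can be exercised offline without /var/log/messages or ausearch. The log lines below are made up to mirror the shape of kernel audit printk output (SYSCALL record type 1300, PROCTITLE record type 1327); the serial numbers, PIDs and paths are assumptions.

```shell
#!/bin/bash
# Constructed sample of /var/log/messages lines (not real log data): a failing
# syscall from datadog-agent, its PROCTITLE record sharing the same serial,
# a successful syscall from beam.smp, and an unrelated sshd line.
SAMPLE_MESSAGES='Jul 20 17:06:01 host kernel: [ 1234.567890] audit: type=1300 audit(1532105161.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 comm="datadog-agent" exe="/opt/datadog-agent/bin/agent/agent" key=(null)
Jul 20 17:06:01 host kernel: [ 1234.567891] audit: type=1327 audit(1532105161.123:456): proctitle="/opt/datadog-agent/bin/agent/agent"
Jul 20 17:06:02 host kernel: [ 1235.000001] audit: type=1300 audit(1532105162.456:457): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=5151 auid=4294967295 uid=1000 gid=1000 comm="beam.smp" exe="/usr/lib/erlang/erts/bin/beam.smp" key=(null)
Jul 20 17:06:03 host sshd[999]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2'

# strip_kernel_audit: keep only the kernel audit records from stdin, minus the
# "audit: " prefix, which is the record shape ausearch -if expects.
strip_kernel_audit() {
    grep -o -E "audit: .*" | sed -e 's/audit: //g'
}

# failing_serials: serial numbers of failing (success=no) events whose record
# matches the given comm/exe regex, one per line, deduplicated.
failing_serials() {
    local procs="$1"
    grep "success=no" | grep -E "${procs}" \
        | grep -o -E "audit\([0-9]+\.[0-9]+:[0-9]+\)" | cut -d: -f2 \
        | grep -o -E "[0-9]+" | sort -u
}

# kernel_record_count: how many kernel audit records survive the first stage.
kernel_record_count() {
    printf '%s\n' "${SAMPLE_MESSAGES}" | strip_kernel_audit | grep -c .
}

# demo_serials: run the full pipeline over the sample instead of /var/log/messages.
demo_serials() {
    printf '%s\n' "${SAMPLE_MESSAGES}" | strip_kernel_audit | failing_serials "(datadog-agent|beam)"
}

demo_serials
```

Only the datadog-agent event (serial 456) is reported: the beam.smp record has success=yes and the sshd line is not an audit record at all. On a real host, feed `/var/log/messages` to strip_kernel_audit instead of the sample and hand each serial to `ausearch -if <file> -a <serial>`.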