# Audit_warn, how?



## ligregni (Aug 4, 2010)

Hi

This one is kind of hard since there is almost no documentation about it.

How do I tune audit_warn to do something when a trail has been closed?

Let's put it in an example: I want audit_warn to write "Trail closed!" to the terminal (I know there is no controlling terminal, the "echo" is an example; I have the application I want to be executed) when a trail has been closed. I mean, where and how do I put "echo 'Trail closed!'"?

Thanks!!!


----------



## rwatson@ (Aug 5, 2010)

*Try syslog(1)*

Hi ligregni:

As you've probably seen already, the FreeBSD Handbook section on audit shows how to run scripts on various audit events, including trail close:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit-administration.html

As you observe, the audit_warn runtime environment, which is spawned by auditd, doesn't have a controlling terminal hooked up, which means some tools (such as write(1)) won't work. The default script we provide actually gives an example of how to submit a message to the system log about trail rotation:

`logger -p security.warning "audit warning: $@"`

Your /etc/syslog.conf probably has a line like this:


```
*.err;kern.warning;auth.notice;mail.crit                /dev/console
```

This means that if you change the "level" of the log message from warning to err, it should get sent to the system console when it occurs. In our default log configuration, warnings go to various log files, including /var/log/messages, but not the console.

There are other ways you might get a message to a terminal, such as echoing to a terminal device, but these are less robust. The wall(1) command might also work; I'm not familiar with whether it has the same "must have a controlling terminal" constraint that write(1) does or not.

Hope that helps,

Robert Watson


----------
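One way to wire up what the answer above describes, as an added example that is not part of either post or the FreeBSD default script: an audit_warn-style handler that logs trail closure at `security.err` (so the quoted `*.err` selector sends it to the console) and then runs an application. It assumes auditd passes the event name as `$1` and, for `closefile`, the trail path as `$2`, as in the Handbook's trail-close example; `LOGGER`, `CLOSE_HOOK` and the hook path are hypothetical names.

```sh
#!/bin/sh
# Added example: audit_warn-style handler, run by auditd as root with the
# event name in $1; for "closefile", $2 is the path of the closed trail.

# Assumptions (not from the thread): LOGGER and CLOSE_HOOK are overridable
# names, and the hook path below is a hypothetical placeholder.
LOGGER=${LOGGER:-logger}
CLOSE_HOOK=${CLOSE_HOOK:-/usr/local/libexec/trail-closed-hook}

# Pick the syslog priority. security.err matches the "*.err" selector in the
# syslog.conf line quoted above, so it reaches /dev/console; warnings do not.
warn_priority() {
    case "$1" in
        closefile) echo security.err ;;
        *)         echo security.warning ;;
    esac
}

handle_audit_warn() {
    event=$1
    prio=$(warn_priority "$event")

    if [ "$event" = closefile ]; then
        trail=$2
        "$LOGGER" -p "$prio" "audit warning: trail closed: $trail"
        # There is no controlling terminal here, so detach the hook's
        # stdio, quote the path, and log if the hook itself fails.
        if [ -x "$CLOSE_HOOK" ]; then
            "$CLOSE_HOOK" "$trail" </dev/null >/dev/null 2>&1 ||
                "$LOGGER" -p security.err "audit warning: close hook failed for $trail"
        fi
        return 0
    fi

    # Every other event keeps the stock message format and priority.
    "$LOGGER" -p "$prio" "audit warning: $*"
}

# Only dispatch when called with arguments, as auditd does.
if [ $# -gt 0 ]; then
    handle_audit_warn "$@"
fi
```

Because the script runs as root, the hook and the script itself should be writable only by root.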

