Created
April 21, 2017 23:16
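#!/bin/bash
# Health check for the Linux audit pipeline. Verifies that kernel auditing is
# enabled, that an audit daemon is registered with the kernel, and that the
# audisp-json dispatcher process is running.
#
# Output: one line per problem found, or a single "happy" line.
# Exit status: sum of the codes of the failed checks (0 = healthy).
#   2  auditing is not enabled, or the status could not be read
#   3  the kernel reports audit daemon pid 0
#   5  audisp-json is not running
# NOTE(review): 2 + 3 == 5, so "disabled and auditd gone" yields the same exit
# status as "audisp-json missing" alone. The values are left unchanged because
# callers may depend on them; use the printed messages to tell the cases apart.
#
# Sample `auditctl -s` output:
#enabled 1
#failure 1
#pid 1604
#rate_limit 1000
#backlog_limit 32768
#lost 11652
#backlog 0
#backlog_wait_time 15000
#loginuid_immutable 0 unlocked
# NOTE(review): the "lost" and "backlog" counters are not inspected here, so
# dropped audit events do not affect the result of this check.

# Pin PATH before running any helper so lookups such as pidof resolve only
# from system directories.
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
EX=0

# Read the status by field name instead of by position, so an added or
# reordered field in the auditctl output cannot shift the values being tested.
audit_enabled=""
audit_pid=""
while read -r key value _; do
  case "$key" in
    enabled) audit_enabled=$value ;;
    pid) audit_pid=$value ;;
  esac
done < <(/sbin/auditctl -s)

# "enabled 2" means auditing is on with the configuration locked until reboot
# (auditctl -e 2), so it must count as enabled; hardened hosts run this way.
# An empty value (auditctl failed or printed nothing) is reported as disabled.
if [[ "$audit_enabled" != 1 && "$audit_enabled" != 2 ]]; then
  echo "audit has been disabled."
  EX=$((EX + 2))
fi

# pid 0 means no audit daemon is registered with the kernel.
if [[ "$audit_pid" == 0 ]]; then
  echo "auditd process died or non-responsive."
  EX=$((EX + 3))
fi

# audisp-json is installed, so we expect it to be running, vs audisp-cef
if ! pidof audisp-json >/dev/null; then
  echo "audisp-json process not present, but should be."
  EX=$((EX + 5))
fi

if [[ "$EX" -eq 0 ]]; then
  echo "audit is happy and running"
fi

exit "$EX"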