integ/config-files/syslog-ng-config/files/fm_event_syslogger
slin14 fc4a7c9d49 refactor syslog-ng
Package syslog-ng-config is created to install the customized
config file of syslog-ng. Since there is no source code change
in syslog-ng, we can replace the srpm with the rpm directly.

syslog-ng-config is set to depend on syslog-ng, so syslog-ng
will be installed automatically.

Test:
Pass build and basic deploy test. Confirmed the related config
file is the same as before.

Story: 2003768
Task: 27599
Depends-On: https://review.openstack.org/616720

Change-Id: I2a4e15b9ffde92aa59072d590de2b56d239e29ad
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-11-09 19:35:54 +08:00


#!/bin/bash
#
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# Install a new certificate file, pushing it to both controllers
# Also allow a TPM option to install the certificate files using
# an onboard Trusted Platform Module (TPM)
source /etc/platform/platform.conf
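#######################################
# Parse one IMA appraisal audit record and raise FM alarm 500.500 for it.
#
# SAMPLE INCOMING EVENT (the first word is taken as the host name, the
# remainder as the audit message):
# 20:43:51.000 localhost audispd: info node=localhost.localdomain
# type=INTEGRITY_DATA msg=audit(1507236231.359:4179): pid=4411 uid=0
# auid=1875 ses=18 op="appraise_data" cause="missing-signature"
# comm=sudo name=/usr/lib64/ld-2.17.so dev=sda3 ino=262715 res=0
#
# Arguments: $1 - one syslog line carrying the audit record
# Globals:   _hostname, _op, _comm, _name, _cause, _absol_path and
#            FM_EVENT_LOG are written (kept script-global as before)
# Outputs:   invokes fmClientCli when the record is an appraise_data event
# Returns:   status of fmClientCli, or 0 when the event is not an appraisal
#######################################
processIMAAppraisal()
{
  local event_array field key value
  # read -a splits on whitespace only; unlike an unquoted ($1) it never
  # expands globs that may appear in the log text (e.g. a name= field)
  read -r -a event_array <<<"$1"
  _hostname=${event_array[0]}
  # Reset per event: these used to persist across calls, so a record that
  # lacked e.g. cause= silently reused the value from the previous event.
  _op='' _comm='' _name='' _cause=''
  # Parse the appraise specific fields from the message.  The log text is
  # untrusted input, so fields are matched by name and assigned with plain
  # assignments instead of being handed to eval; unknown fields are ignored.
  for field in "${event_array[@]:1}"; do
    [[ "$field" == *=* ]] || continue
    key=${field%%=*}
    value=${field#*=}
    # audit quotes some values (op="appraise_data"); drop one pair of quotes,
    # which is what the former eval-based assignment effectively did
    value=${value#\"}
    value=${value%\"}
    case "$key" in
      op)    _op=$value ;;
      comm)  _comm=$value ;;
      name)  _name=$value ;;
      cause) _cause=$value ;;
      *) ;;
    esac
  done
  # sanity check (make sure it's an appraisal event)
  if [ "${_op}" == "appraise_data" ]; then
    # Fields explanation:
    #
    # alarm_id: 500.500
    # alarm_state: msg
    # entity_type_id: system.service
    # entity_instance_id: host=<hostname>.service=<service>
    # severity: major
    # reason_text: Host <host_name> has IMA Appraisal failure for service <service>,
    # reason = <reason_text>
    # alarm_type: integrity-violation
    # probable_cause: information-modification-detected
    # proposed_repair_action:free-format string providing additional details on how to
    # clear the alarm. Optional.
    # service_affecting: false
    # suppression: false
    # uuid: unique identifier of an active alarm instance, filled by FM system
    # Timestamp: filled by FM system
    #
    # Resolve the command on PATH (type -P prints nothing on a miss); fall
    # back to the bare command name when it cannot be found.
    _absol_path=$(type -P "$_comm") || _absol_path="$_comm"
    FM_EVENT_LOG="### ###500.500###msg###system.service###host=$_hostname.service=$_comm### ###major###Host $_hostname has IMA Appraisal failure for service $_absol_path when executing file $_name, reason = $_cause###integrity-violation###information-modification-detected### ### ### ###"
    fmClientCli -c "\"$FM_EVENT_LOG\""
  fi
}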
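# Before any FM event is logged the node must have finished configuration,
# signalled by a per-node-type "config complete" flag file.  The file name
# depends only on ${nodetype} (expected from the sourced platform.conf), so
# it is chosen once up front; its existence is still checked per event,
# since the node may finish configuring while this process is running.
# ${nodetype:-} keeps the test well-formed when the variable is unset
# (the former unquoted [ ${nodetype} == ... ] errored in that case).
case "${nodetype:-}" in
  controller) _configuration_flag_file="/var/run/.controller_config_complete" ;;
  compute)    _configuration_flag_file="/var/run/.compute_config_complete" ;;
  storage)    _configuration_flag_file="/var/run/.storage_config_complete" ;;
  *)          _configuration_flag_file="" ;;
esac
# -r keeps backslashes in the event text literal instead of interpreting them
while read -r line; do
  [ -n "$line" ] || continue
  if [ -n "${_configuration_flag_file}" ] && [ -f "${_configuration_flag_file}" ]; then
    # Only covers IMA appraisals at the moment, since this destination
    # is only set up to IMA appraise logs in syslog-ng.conf, but this
    # can be opened up to other FM Event Sysloggers
    processIMAAppraisal "$line"
  fi
done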