How can I make cron email the audit report only if there is something to report?

0

1

I set up a daily cron job that checks whether files changed the previous day. Since those files are not supposed to change, I'm getting an empty report. How can I change it so that this empty email is not sent?

This is my cron job line:

1 0 * * * root /sbin/aureport -k -ts yesterday 00:00:00 -te yesterday 23:59:59

and this is the email I usually get:

Key Report
===============================================
# date time key success exe auid event
===============================================
<no events of interest were found>

user398140

Posted 2015-01-12T09:11:14.463

Reputation: 13

Answers

0

I recommend running a script from cron that checks whether the audit log file has changed.

So your crontab calls your script:

01 00 * * * sh /bin/script.sh

This script, named "script.sh", is similar to the following and is saved in /bin/:

Alternative answer

    #!/bin/bash
    # Save yesterday's key report so it can be inspected before anything is printed
    /sbin/aureport -k -ts yesterday 00:00:00 -te yesterday 23:59:59 > /dev/shm/auditcheck.log

    # grep finds nothing (empty string, so -z is true) when events were logged:
    # only then print the report, which makes cron send the mail
    if [ -z "$(grep "no events of interest were found" /dev/shm/auditcheck.log)" ]; then
      /sbin/aureport -k -ts yesterday 00:00:00 -te yesterday 23:59:59
    else
      : # nothing to report; produce no output so cron sends no mail
    fi

This edited / alternative script saves the aureport output, then greps that output for the "no events" phrase, using -z on the resulting string to give true if its length is zero. So if the phrase "no events of interest were found" is not present, your audit report is run. Otherwise the output of your program is redirected to /dev/null, including both standard error and standard output.

Antony

Posted 2015-01-12T09:11:14.463

Reputation: 1 125

Yes, but the /var/log/audit/audit.log file constantly changes with entries that aren't relevant to that aureport, which checks only for particular ones. I'm wondering if we could run it, first capturing its output and checking whether the output contains the <no events of interest were found> string, and if so, then print it? – user398140 – 2015-01-14T09:53:00.127

@user398140 Amended the answer based on your feedback comment. – Antony – 2015-01-14T10:41:24.333

0

Perhaps a simpler, modified approach that can still be executed in a single cron line (/etc/cron.d/audit-report):

1 0 * * * root /sbin/aureport -k -ts yesterday 00:00:00 -te yesterday 23:59:59 | /bin/grep -q "^<no events of interest were found>" || /sbin/aureport -k -ts yesterday 00:00:00 -te yesterday

dxdc

Posted 2015-01-12T09:11:14.463

Reputation: 101
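A wrapper that combines the two answers above, added here as an example and not taken from either answerer: it stays silent only when aureport printed its "<no events of interest were found>" marker, still mails anything else (including an empty or failed run, which the one-liner and script above would also surface only by accident), and keeps the report in a mktemp file rather than a redirection into /dev/shm, where the file is readable by other users under the usual umask. The script name audit-report.sh, its install path and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added example (not the original answers' code): mail yesterday's aureport key
# report only when it actually lists events.

# Read a report on stdin. Return 0 (worth mailing) if it lists events or looks
# broken, 1 (stay silent) if it only carries the placeholder line aureport prints
# for a quiet day.
report_has_events() {
    report=$(cat)
    # Empty output means aureport itself produced nothing (e.g. it failed):
    # surface that instead of silently dropping it.
    [ -z "$report" ] && return 0
    printf '%s\n' "$report" | grep -q '^<no events of interest were found>' && return 1
    return 0
}

# Cron wrapper. mktemp creates the file mode 0600, unlike a redirection into
# /dev/shm, which leaves the report readable by other users under the usual umask.
main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    # Same query as the question's cron line; stderr is kept so failures get mailed too.
    /sbin/aureport -k -ts yesterday 00:00:00 -te yesterday 23:59:59 > "$tmp" 2>&1
    if report_has_events < "$tmp"; then
        cat "$tmp"
    fi
}

# Invoke as "audit-report.sh run" from cron (assumed name and path), e.g.
#   1 0 * * * root /usr/local/sbin/audit-report.sh run
case "$1" in run) main ;; esac
```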