integ/logging/syslog-ng/centos/files/fm_event_syslogger
Scott Little bab9bb6b69 Internal restructuring of stx-integ
Create new directories:
   ceph
   config
   config-files
   filesystem
   kernel
   kernel/kernel-modules
   ldap
   logging
   strorage-drivers
   tools
   utilities
   virt

Retire directories:
   connectivity
   core
   devtools
   support
   extended

Delete two packages:
   tgt
   irqbalance

Relocated packages:
   base/
      dhcp
      initscripts
      libevent
      lighttpd
      linuxptp
      memcached
      net-snmp
      novnc
      ntp
      openssh
      pam
      procps
      sanlock
      shadow
      sudo
      systemd
      util-linux
      vim
      watchdog

   ceph/
      python-cephclient

   config/
      facter
      puppet-4.8.2
      puppet-modules

   filesystem/
      e2fsprogs
      nfs-utils
      nfscheck

   kernel/
      kernel-std
      kernel-rt

   kernel/kernel-modules/
      mlnx-ofa_kernel

   ldap/
      nss-pam-ldapd
      openldap

   logging/
      syslog-ng
      logrotate

   networking/
      lldpd
      iproute
      mellanox
      python-ryu
      mlx4-config

   python/
      python-2.7.5
      python-django
      python-gunicorn
      python-setuptools
      python-smartpm
      python-voluptuous

   security/
      shim-signed
      shim-unsigned
      tboot

   strorage-drivers/
      python-3parclient
      python-lefthandclient

   virt/
      cloud-init
      libvirt
      libvirt-python
      qemu

   tools/
      storage-topology
      vm-topology

   utilities/
      tis-extensions
      namespace-utils
      nova-utils
      update-motd

Change-Id: I37ade764d873c701b35eac5881eb40412ba64a86
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 10:06:31 -04:00


#!/bin/bash
#
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# Reads event lines from standard input and, for IMA appraisal events,
# raises a Fault Management (FM) event through fmClientCli (see
# processIMAAppraisal below). Events are forwarded only once the
# node-type specific configuration flag file under /var/run exists.
#
# NOTE(review): the previous header described certificate/TPM
# installation, which does not match anything in this script.
#
# platform.conf is expected to define ${nodetype}; this script reads that
# variable but never sets it itself.
. /etc/platform/platform.conf
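#######################################
# Turn one IMA appraisal audit record into an FM event.
#
# SAMPLE INCOMING EVENT:
#   20:43:51.000 localhost audispd: info node=localhost.localdomain
#   type=INTEGRITY_DATA msg=audit(1507236231.359:4179): pid=4411 uid=0
#   auid=1875 ses=18 op="appraise_data" cause="missing-signature"
#   comm=sudo name=/usr/lib64/ld-2.17.so dev=sda3 ino=262715 res=0
#
# Arguments: $1 - one event line; the first whitespace-separated word is
#                 used as the host name, the rest are scanned for
#                 key=value fields.
# Outputs:   calls fmClientCli -c with the formatted FM event record when
#            the record carries op=appraise_data; otherwise does nothing.
#
# Security: the record text is not trusted. Fields such as comm= and name=
# describe whatever process and file triggered the appraisal, so their
# content can be chosen by an unprivileged user. The fields are therefore
# parsed as plain data: no eval, no pathname expansion, and only the four
# keys this function needs are kept.
#######################################
processIMAAppraisal()
{
  local -a event_array=()
  local host field key value
  # Reset per call so a record without op= cannot reuse the values left
  # behind by an earlier record.
  local op="" cause="" comm="" name=""
  local absol_path fm_event_log

  # Split on whitespace only; unlike an unquoted array assignment this
  # does not expand glob characters found in the record.
  read -r -a event_array <<< "$1"
  host=${event_array[0]:-}

  # Parse the appraisal-specific fields from the message.
  for field in "${event_array[@]:1}"; do
    # Words without '=' (timestamps, program tags) carry no field.
    [[ "$field" == *=* ]] || continue
    key=${field%%=*}
    value=${field#*=}
    # The sample record wraps string values in double quotes; drop one
    # pair.
    value=${value#\"}
    value=${value%\"}
    case "$key" in
      op) op=$value ;;
      cause) cause=$value ;;
      comm) comm=$value ;;
      name) name=$value ;;
      *) ;; # all other audit fields are not used here
    esac
  done

  # Sanity check: only appraisal events raise an FM event.
  if [[ "$op" != "appraise_data" ]]; then
    return 0
  fi

  # Fields explanation:
  #
  # alarm_id: 500.500
  # alarm_state: msg
  # entity_type_id: system.service
  # entity_instance_id: host=<hostname>.service=<service>
  # severity: major
  # reason_text: Host <host_name> has IMA Appraisal failure for service
  #              <service>, reason = <reason_text>
  # alarm_type: integrity-violation
  # probable_cause: information-modification-detected
  # proposed_repair_action: free-format string providing additional
  #              details on how to clear the alarm. Optional.
  # service_affecting: false
  # suppression: false
  # uuid: unique identifier of an active alarm instance, filled by FM system
  # Timestamp: filled by FM system

  # Best-effort PATH lookup of the command name, used only as display
  # text in the alarm; fall back to the raw name when nothing is found.
  if ! absol_path=$(type -P -- "$comm"); then
    absol_path=$comm
  fi

  # NOTE(review): field values are inserted unescaped. Whether a value
  # containing the '###' delimiter can shift fields in the record depends
  # on how fmClientCli parses it - confirm, and filter here if it can.
  fm_event_log="### ###500.500###msg###system.service###host=${host}.service=${comm}### ###major###Host ${host} has IMA Appraisal failure for service ${absol_path} when executing file ${name}, reason = ${cause}###integrity-violation###information-modification-detected### ### ### ###"
  fmClientCli -c "\"$fm_event_log\""
}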
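# Main loop: one event per line on standard input.
# -r keeps backslashes in the event text literal instead of letting read
# treat them as escape characters.
while read -r line; do
  # Skip empty lines.
  [ -n "$line" ] || continue

  # Before we proceed, we need to ensure that this node has been
  # configured so that FM Events can be logged. The flag file depends on
  # the node type; an unset or unknown ${nodetype} selects no flag file,
  # so nothing is forwarded.
  case "${nodetype:-}" in
    controller)
      _configuration_flag_file="/var/run/.controller_config_complete"
      ;;
    compute)
      _configuration_flag_file="/var/run/.compute_config_complete"
      ;;
    storage)
      _configuration_flag_file="/var/run/.storage_config_complete"
      ;;
    *)
      _configuration_flag_file=""
      ;;
  esac

  # NOTE(review): events that arrive before the flag file exists are
  # dropped by this script, not queued, so an appraisal failure during
  # that window raises no FM event from here.
  if [ -n "${_configuration_flag_file}" ] && [ -f "${_configuration_flag_file}" ]; then
    # Only covers IMA appraisals at the moment, since this destination
    # is only set up to IMA appraise logs in syslog-ng.conf, but this
    # can be opened up to other FM Event Sysloggers
    processIMAAppraisal "$line"
  fi
done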