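#!/bin/bash -efu
# Tells users, via write(1), about integrity audit events found in the
# integrityd log.

# Options given on the shebang line are dropped when the script is started
# as `bash <script>`, so set them explicitly as well.
set -efu

LOGDIR=/var/log/integrityd
MESSAGE=/etc/integrity/message
NOTIFY_ALSO=/etc/integrity/also

# Optional site-specific message template. The text is later handed to printf
# as its FORMAT string with two string arguments, so the file must stay
# writable by trusted administrators only.
# `|| :` stops errexit from ending the script when the file is missing or
# unreadable; the built-in default below is used instead.
msg_str="$(cat "$MESSAGE" 2>/dev/null)" || :
if [ -z "$msg_str" ]; then
    echo "Using the default user message" >&2
    msg_str='You have attempted to run a damaged file: %s (%s)\n'
fi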

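# NOTE(review): the name contains no slash, so bash looks it up through PATH
# (and, outside POSIX mode, falls back to the current directory). Start this
# script with a fixed, trusted PATH. check_timestamp, used below, is
# presumably defined in this file - confirm.
. inotifier-functions.sh

# Sample input line:
# @400000005cc2f40c1733bc44 Mar 15 23:30:58 comp-core-i5-4570-490e11.localdomain audit[1442]: INTEGRITY_DATA pid=1442 uid=0 auid=0 ses=1 subj=generic_u:generic_r:generic_t:s0 op="appraise_data" cause="IMA-signature-required" comm="notifier.sh" name="/etc/integrity/real_notify.sh" dev="sda2" ino=420510 res=0

# Follow the log and split every record into whitespace-separated fields.
# -r keeps backslashes in the record literal.
tail -qF "$LOGDIR/current" | \
    while read -r ts f1 f2 f3 f4 f5 f6 _pid _uid f9 ses subj op cause comm rest; do
        check_timestamp "$ts" || continue

        # Only act on records that carry a uid= token at the expected
        # position; anything else is not the format shown above.
        case "$_uid" in
            uid=?*) ;;
            *) continue ;;
        esac
        real_uid="$(id -n -u -- "${_uid#*=}")" || continue

        # comm and cause are taken from the log record and are passed only as
        # printf arguments, never as part of the format, so a '%' inside them
        # is not interpreted.
        # write(1) fails when the user has no terminal to write to; without
        # `|| :` errexit would end this loop on the first such event.
        # shellcheck disable=SC2059 # the format is the configured template
        printf "$msg_str" "${comm#*=}" "${cause#*=}" | \
            write "$real_uid" || :

        # Forward the raw record to every additional recipient that resolves
        # to an existing account.
        if [ -s "$NOTIFY_ALSO" ]; then
            grep -v '^#' "$NOTIFY_ALSO" | while read -r also_uid; do
                # Only the exit status matters here; discard the name that id
                # prints so it does not end up on the script's stdout.
                if id -n -u -- "$also_uid" >/dev/null 2>&1; then
                    printf '%s\n' "$f1 $f2 $f3 $f4 $f5 $f6 $_pid $_uid $f9 $ses $subj $op $cause $comm $rest" | \
                        write "$also_uid" || :
                fi
            done
        fi
    done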
