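#!/bin/bash
# Watch the audit log for SSH private-key reads and raise a desktop notification.
#
# Consumes records tagged with the audit key "ssh-key-read" (the auditd watch
# rule producing them is configured elsewhere). Each matching record is parsed
# for the accessing executable, effective user and pid; reads by the regular
# ssh/scp clients get a normal notification, anything else is flagged critical.
#
# Requires: doas, GNU grep (-P), notify-send.
# Deliberately no `set -e`: the grep extractions return 1 whenever a field is
# absent from a record, which would otherwise abort the watcher.
set -u

# Executables whose key reads are treated as routine (non-critical urgency).
readonly -a EXPECTED_EXES=(/usr/bin/ssh /usr/bin/scp)

#######################################
# Extract the value of a quoted field (name="value") from one audit record.
# Arguments: $1 - record line
#            $2 - field name (script constant such as exe, key, EUID; it is
#                 interpolated into a regex, so never pass untrusted data)
# Outputs:   the value on stdout; empty if the field is absent
#######################################
audit_field() {
  local record=$1 field=$2
  # printf, not echo: a record beginning with "-n" or containing backslashes
  # must reach grep byte-for-byte. \b keeps UID= from matching inside EUID=.
  printf '%s\n' "$record" | grep -oP "(?<=\\b${field}=\").*?(?=\")"
}

#######################################
# Extract the (unquoted) pid= field of one audit record.
# Arguments: $1 - record line
# Outputs:   the pid on stdout; empty if absent
#######################################
audit_pid() {
  local record=$1
  # \b ensures ppid=NNN is not mistaken for pid=NNN.
  printf '%s\n' "$record" | grep -oP '(?<=\bpid=)[0-9]+' | head -n1
}

#######################################
# Raise a desktop notification for one key-read record.
# Globals:   EXPECTED_EXES (read)
# Arguments: $1 - executable path, $2 - effective user, $3 - pid
#######################################
notify_key_read() {
  local exe=$1 user=$2 pid=$3
  local subject='SSH Key accessed!'
  local candidate expected=0
  # Real newlines (not the two characters "\n") so the body renders on three lines.
  local message="exec=${exe}"$'\n'"user=${user}"$'\n'"pid=${pid}"
  for candidate in "${EXPECTED_EXES[@]}"; do
    [[ "$exe" == "$candidate" ]] && expected=1
  done
  if (( expected )); then
    notify-send "$subject" "$message"
  else
    notify-send -u critical "$subject" "$message"
  fi
}

#######################################
# Follow the audit log and dispatch every ssh-key-read record.
# Globals:   none written
# Arguments: none
#######################################
main() {
  local line key exe pid user
  # -n0: only records appended after start-up. doas: the audit log is
  # root-readable; only the tail runs elevated, the parsing loop does not.
  doas tail -fn0 /var/log/audit/audit.log | while IFS= read -r line; do
    key=$(audit_field "$line" key)
    [[ "$key" == "ssh-key-read" ]] || continue
    exe=$(audit_field "$line" exe)
    pid=$(audit_pid "$line")
    user=$(audit_field "$line" EUID)
    notify_key_read "$exe" "$user" "$pid"
  done
}

main "$@"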