1AUDITD-PLUGINS(5) System Administration Utilities AUDITD-PLUGINS(5)
2
6 auditd-plugins - realtime event receivers
7
9 auditd can multiplex audit events in realtime. It takes audit events
10 and distributes them to child programs that want to analyze events in
11 realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes
12 that signal to its child processes so that can reload the configuration
13 or terminate.
14 The child programs install a configuration file in a plugins directory
16 which defaults to /etc/audit/plugins.d. This can be controlled by a au‐
17 ditd.conf config option plugin_dir if the admin wished to locate plug‐
18 ins somewhere else. But auditd will install its plugins in the default
19 location.
20 The plugin directory will be scanned and every plugin that is active
22 will be started. If the plugin has a problem and exits, it will be
23 started a maximum of max_restarts times as found in auditd.conf.
24 Config file names are not allowed to have more than one '.' in the name
26 or it will be treated as a backup copy and skipped. Config file options
27 are given one per line with an equal sign between the keyword and its
28 value. The available options are as follows:
29 active The options for this are yes or no.
32 direction
34 The option is dictated by the plugin. In or out are the only
35 choices. You cannot make a plugin operate in a way it wasn't de‐
36 signed just by changing this option. This option is to give a
37 clue to the event dispatcher about which direction events flow.
38 NOTE: inbound events are not supported yet.
39 path This is the absolute path to the plugin executable. In the case
41 of internal plugins, it would be the name of the plugin.
42 type This tells the dispatcher how the plugin wants to be run. There
44 is currently only one option, builtin , which is the default
45 setting.
46 args This allows you to pass arguments to the child program. Gener‐
48 ally plugins do not take arguments and have their own config
49 file that instructs them how they should be configured. At the
50 moment, there is a limit of 2 args.
51 format The valid options for this are binary and string. Binary passes
53 the data exactly as the audit event dispatcher gets it from the
54 audit daemon. The string option tells the dispatcher to com‐
55 pletely change the event into a string suitable for parsing with
56 the audit parsing library. The default value is string.
57
60 auditd has an internal queue to hold events for plugins. (See the
61 q_depth setting in auditd.conf.) Plugins have to watch for and dequeue
62 events as fast as possible and queue them internally if they can't be
63 immediately processed. If the plugin is not able to dequeue records,
64 the auditd internal queue will get filled. At any time, as root, you
65 can run the following to check auditd's metrics:
66 auditctl --signal cont ; sleep 1 ; cat /var/run/auditd.state
68 If auditd's internal queue fills, it cannot dequeue any events from the
70 kernel backlog. If the kernel's backlog fills, it looks at the value of
71 backlog_wait_time to delay all processes that generate an event to see
72 if there is eventually room to add the event. This will likely be no‐
73 ticed as slowing down various processes on the machine. The kernel's
74 audit subsystem can be checked by running:
75 auditctl -s
77 When tuning the audit system's performance, you'd want to check both
79 kernel and auditd metrics and adjust accordingly.
80
83 When the audit daemon starts your plugin, you will be running as root.
84 If you do not need root privileges, you should change uid/gid to lower
85 chances of being a target for exploit. If you need to retain capabili‐
86 ties, using libcap-ng is the simplest way.
87 Your environment is not going to be clean. You are inheriting many at‐
89 tributes from auditd itself. You will need to adjust your signal mask,
90 sigaction, umask, and environmental variables. Look at the auditd man
91 page to see which signals auditd used. Plugins are expected to handle
92 SIGTERM and SIGHUP. You will also inherit the resource limits of au‐
93 ditd. Note that some of these resource limits, such as maximum number
94 of open descriptors, are controlled by systemd. You also inherit au‐
95 ditd's nice value. You might want to adjust that to be sure to keep up
96 with incoming audit events.
97 Auditd will send events to the plugin on it's stdin. The plugin has to
99 keep this descriptor empty so that events don't back up. If you do sig‐
100 nificant processing of each event, you should add an internal queue to
101 your design in order to keep events flowing. The auparse_feed function
102 is the preferred way to examine whole events if you need to analyze the
103 contents of the events.
104
107 /etc/auditd/auditd.conf /etc/audit/plugins.d
108
110 auditd.conf(5), auditd(8), execve(2), auparse_feed(3).
111
113 Steve Grubb
114Red Hat Apr 2023 AUDITD-PLUGINS(5)