1AUDITD-PLUGINS(5)       System Administration Utilities      AUDITD-PLUGINS(5)
2
3
4

NAME

6       auditd-plugins - realtime event receivers
7

DESCRIPTION

9       auditd  can  multiplex  audit events in realtime. It takes audit events
10       and distributes them to child programs that want to analyze  events  in
11       realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes
12       that signal to its child processes so that can reload the configuration
13       or terminate.
14
15       The  child programs install a configuration file in a plugins directory
16       which defaults to /etc/audit/plugins.d. This can be controlled by a au‐
17       ditd.conf  config option plugin_dir if the admin wished to locate plug‐
18       ins somewhere else. But auditd will install its plugins in the  default
19       location.
20
21       The  plugin  directory  will be scanned and every plugin that is active
22       will be started. If the plugin has a problem  and  exits,  it  will  be
23       started a maximum of max_restarts times as found in auditd.conf.
24
25       Config file names are not allowed to have more than one '.' in the name
26       or it will be treated as a backup copy and skipped. Config file options
27       are  given  one per line with an equal sign between the keyword and its
28       value. The available options are as follows:
29
30
31       active The options for this are yes or no.
32
33       direction
34              The option is dictated by the plugin.  In or out  are  the  only
35              choices. You cannot make a plugin operate in a way it wasn't de‐
36              signed just by changing this option. This option is  to  give  a
37              clue  to the event dispatcher about which direction events flow.
38              NOTE: inbound events are not supported yet.
39
40       path   This is the absolute path to the plugin executable. In the  case
41              of internal plugins, it would be the name of the plugin.
42
43       type   This  tells the dispatcher how the plugin wants to be run. There
44              is currently only one option, builtin ,  which  is  the  default
45              setting.
46
47       args   This  allows  you to pass arguments to the child program. Gener‐
48              ally plugins do not take arguments and  have  their  own  config
49              file  that  instructs them how they should be configured. At the
50              moment, there is a limit of 2 args.
51
52       format The valid options for this are binary and string.  Binary passes
53              the  data exactly as the audit event dispatcher gets it from the
54              audit daemon. The string option tells  the  dispatcher  to  com‐
55              pletely change the event into a string suitable for parsing with
56              the audit parsing library. The default value is string.
57
58

NOTE

60       auditd has an internal queue to  hold  events  for  plugins.  (See  the
61       q_depth  setting in auditd.conf.) Plugins have to watch for and dequeue
62       events as fast as possible and queue them internally if they  can't  be
63       immediately  processed.  If  the plugin is not able to dequeue records,
64       the auditd internal queue will get filled. At any time,  as  root,  you
65       can run the following to check auditd's metrics:
66
67       auditctl --signal cont ; sleep 1 ; cat /var/run/auditd.state
68
69       If auditd's internal queue fills, it cannot dequeue any events from the
70       kernel backlog. If the kernel's backlog fills, it looks at the value of
71       backlog_wait_time  to delay all processes that generate an event to see
72       if there is eventually room to add the event. This will likely  be  no‐
73       ticed  as  slowing  down various processes on the machine. The kernel's
74       audit subsystem can be checked by running:
75
76       auditctl -s
77
78       When tuning the audit system's performance, you'd want  to  check  both
79       kernel and auditd metrics and adjust accordingly.
80
81

NOTES FOR DEVELOPERS

83       When  the audit daemon starts your plugin, you will be running as root.
84       If you do not need root privileges, you should change uid/gid to  lower
85       chances  of being a target for exploit. If you need to retain capabili‐
86       ties, using libcap-ng is the simplest way.
87
88       Your environment is not going to be clean. You are inheriting many  at‐
89       tributes  from auditd itself. You will need to adjust your signal mask,
90       sigaction, umask, and environmental variables. Look at the  auditd  man
91       page  to  see which signals auditd used. Plugins are expected to handle
92       SIGTERM and SIGHUP. You will also inherit the resource  limits  of  au‐
93       ditd.  Note  that some of these resource limits, such as maximum number
94       of open descriptors, are controlled by systemd. You  also  inherit  au‐
95       ditd's  nice value. You might want to adjust that to be sure to keep up
96       with incoming audit events.
97
98       Auditd will send events to the plugin on it's stdin. The plugin has  to
99       keep this descriptor empty so that events don't back up. If you do sig‐
100       nificant processing of each event, you should add an internal queue  to
101       your  design in order to keep events flowing. The auparse_feed function
102       is the preferred way to examine whole events if you need to analyze the
103       contents of the events.
104
105

FILES

107       /etc/auditd/auditd.conf /etc/audit/plugins.d
108

SEE ALSO

110       auditd.conf(5), auditd(8), execve(2), auparse_feed(3).
111

AUTHOR

113       Steve Grubb
114
115
116
117Red Hat                            Apr 2023                  AUDITD-PLUGINS(5)