AUDIT_SYSLOG(7)      Standards, Environments, and Macros     AUDIT_SYSLOG(7)

NAME
       audit_syslog - realtime conversion of audit data to syslog messages

SYNOPSIS
       /usr/lib/security/audit_syslog.so

DESCRIPTION
       The audit_syslog plugin module for audit,
       /usr/lib/security/audit_syslog.so, provides realtime conversion of
       audit data to syslog-formatted (text) data and sends it to a syslog
       daemon as configured in syslog.conf(5).

       Messages to syslog are written if the audit_syslog plugin is
       activated and configured using auditconfig(8).

       Syslog messages are generated with the facility code of LOG_AUDIT
       (audit in syslog.conf(5)) and severity of LOG_NOTICE. Audit syslog
       messages contain data selected from the tokens described for the
       binary audit log (see audit.log(5)). As with all syslog messages,
       each line in a syslog file consists of two parts, a syslog header and
       a message.

       The syslog header contains the date and time the message was
       generated, the host name from which it was sent, auditd to indicate
       that it was generated by the audit daemon, an ID field used
       internally by syslogd, and audit.notice indicating the syslog
       facility and severity values. The syslog header ends with the
       characters "] ", that is, a closing square bracket and a space.

       The message part starts with the event type from the header token.
       All subsequent data appears only if contained in the original audit
       record and there is room in the 1024-byte maximum length syslog line.

       In the following example, the backslash (\) indicates a continuation;
       actual syslog messages are contained on one line:

         Oct 31 11:38:08 smothers auditd: [ID 917521 audit.notice] chdir(2) ok\
         session 401 by joeuser as root:other from myultra obj /export/home

       In the preceding example, chdir(2) is the event type. Following this
       field is additional data, described below. This data is omitted if it
       is not contained in the source audit record.

       ok or failed
                   Comes from the return or exit token.

       session <#>
                   <#> is the session ID from the subject token.

       by <name>
                   <name> is the audit ID from the subject token.

       as <name>:<group>
                   <name> is the effective user ID and <group> is the
                   effective group ID from the subject token.

       in <zone name>
                   The zone name. This field is generated only if the
                   zonename audit policy is set.

       from <terminal>
                   <terminal> is the text machine address from the subject
                   token.

       obj <path>
                   <path> is the path from the path token. The path can be
                   truncated from the left if necessary to fit it on the
                   line. Truncation is indicated by a leading ellipsis (...).

       proc_uid <owner>
                   <owner> is the effective user ID of the process owner.

       proc_auid <owner>
                   <owner> is the audit ID of the process owner.

       The following are example syslog messages:

         Nov  4  8:27:07 smothers auditd: [ID 175219 audit.notice] \
         system booted

         Nov  4  9:28:17 smothers auditd: [ID 752191 audit.notice] \
         login - rlogin ok session 401 by joeuser as joeuser:staff from myultra

         Nov  4 10:29:27 smothers auditd: [ID 521917 audit.notice] \
         access(2) ok session 255 by janeuser as janeuser:staff from  \
         129.146.89.30 obj /etc/passwd

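       The parser below is an added illustration, not part of this manual
       page or of the audit_syslog plugin: it splits a line of the format
       described above into its header fields and named message fields,
       following the keyword list in the DESCRIPTION. The sample lines are
       this page's examples unwrapped onto one line each, plus one
       constructed line (open(2) - read, failed, truncated obj path) to
       show the ellipsis and proc_uid cases.

```python
import re

# Constructed sample lines: this page's example messages unwrapped onto one line
# each (real messages are one line), plus one made-up line with a truncated path.
SAMPLE = [
    "Oct 31 11:38:08 smothers auditd: [ID 917521 audit.notice] chdir(2) ok "
    "session 401 by joeuser as root:other from myultra obj /export/home",
    "Nov  4  8:27:07 smothers auditd: [ID 175219 audit.notice] system booted",
    "Nov  4  9:28:17 smothers auditd: [ID 752191 audit.notice] login - rlogin ok "
    "session 401 by joeuser as joeuser:staff from myultra",
    "Nov  4 10:29:27 smothers auditd: [ID 521917 audit.notice] access(2) ok "
    "session 255 by janeuser as janeuser:staff from 129.146.89.30 obj /etc/passwd",
    "Nov  4 10:30:00 smothers auditd: [ID 521917 audit.notice] open(2) - read failed "
    "session 255 by janeuser as janeuser:staff from 129.146.89.30 obj .../secret proc_uid janeuser",
]
# Header layout from the DESCRIPTION: date/time, host, "auditd:", syslogd ID,
# facility.severity in brackets, then "] " and the message part.
HEADER_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{1,2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+auditd:\s+"
    r"\[ID\s+(?P<id>\d+)\s+(?P<facility>\w+)\.(?P<severity>\w+)\]\s+(?P<message>.*)$"
)
# Field keywords listed above; the event type is everything before the first one.
KEYWORDS = frozenset("ok failed session by as in from obj proc_uid proc_auid".split())

def parse_audit_syslog(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit_syslog message: " + line)
    rec = {k: m.group(k) for k in ("time", "host", "id", "facility", "severity")}
    words = m.group("message").split()
    i = 0
    while i < len(words) and words[i] not in KEYWORDS:
        i += 1
    rec["event"] = " ".join(words[:i])       # e.g. "chdir(2)" or "system booted"
    while i < len(words):
        key, i = words[i], i + 1
        if key in ("ok", "failed"):           # return/exit token carries no value word
            rec["status"] = key
            continue
        j = i                                 # a value runs until the next keyword
        while j < len(words) and words[j] not in KEYWORDS:
            j += 1
        value, i = " ".join(words[i:j]), j
        if key == "as":                       # "<euid>:<egid>" from the subject token
            rec["euid"], _, rec["egid"] = value.partition(":")
        elif key == "obj":                    # left-truncated paths start with "..."
            rec["obj"], rec["obj_truncated"] = value, value.startswith("...")
        else:
            rec[key] = value
    return rec
```

       A line whose header is not auditd's raises ValueError, so the
       parser can be run over a mixed syslog file and skip unrelated
       messages.
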
OBJECT ATTRIBUTES
       The p_flags attribute is used to further filter audit data being sent
       to the syslog daemon beyond the default and non-attributable audit
       flags. The parameter is a comma-separated list; each item represents
       an audit class (see audit_class(5)) and is specified using the same
       syntax used by auditconfig for the -setflags and -setnaflags options.

       The default (no p_flags set) is that no audit records are generated.

EXAMPLES
       Example 1: Enabling the plugin and selecting events

       The command below enables the audit_syslog plugin and sets the
       p_flags filter to allow all class lo records but only failed class
       am records. Because no other classes are listed, no other audit
       records will be sent to syslog. You cannot add classes to those
       defined by means of flags and naflags. You can only remove them.

         # auditconfig -setplugin audit_syslog active p_flags=lo,-am

       Example 2: Viewing the plugin configuration

       The command below shows the audit_syslog plugin configuration.

         # auditconfig -getplugin audit_syslog
         Plugin: audit_syslog (active)
              Attributes: p_flags=lo,-am;

ATTRIBUTES
       See attributes(7) for a description of the following attributes:

       +--------------------+-----------------+
       |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |MT Level            | MT-Safe         |
       +--------------------+-----------------+
       |Interface Stability | See below.      |
       +--------------------+-----------------+

       The message format and message content are Uncommitted. The
       configuration parameters are Committed.

SEE ALSO
       audit_class(5), syslog.conf(5), attributes(7), auditconfig(8),
       auditd(8)

NOTES
       Use of the plugin configuration line to include audit_syslog.so
       requires that /etc/syslog.conf is configured to store syslog messages
       of facility audit and severity notice or above in a file intended for
       audit records. An example of such a line in syslog.conf is:

         audit.notice                /var/audit/audit.log

       Messages from syslog are sent to remote syslog servers by means of
       UDP, which does not guarantee delivery or ensure the correct order of
       arrival of messages.

       If the p_flags attribute results in no classes being preselected, an
       error is reported by means of a syslog alert with the LOG_DAEMON
       facility code.

       The time field in the syslog header is generated by syslog(3C) and
       only approximates the time given in the binary audit log. Normally
       the time field shows the same whole second or at most a few seconds
       difference.

                                March 6, 2017                AUDIT_SYSLOG(7)