AUDIT_SYSLOG(7) Standards, Environments, and Macros AUDIT_SYSLOG(7)
NAME
audit_syslog - realtime conversion of audit data to syslog messages
SYNOPSIS
/usr/lib/security/audit_syslog.soDESCRIPTION
The
audit_syslog plugin module for audit,
/usr/lib/security/audit_syslog.so, provides realtime conversion of audit
data to syslog-formatted (text) data and sends it to a syslog daemon as
configured in
syslog.conf(5).
Messages to
syslog are written if the
audit_syslog plugin is activated
and configured using
auditconfig(8).
Syslog messages are generated with the facility code of
LOG_AUDIT (
audit in
syslog.conf(5)) and severity of
LOG_NOTICE. Audit
syslog messages
contain data selected from the tokens described for the binary audit log.
(See
audit.log(5)). As with all
syslog messages, each line in a
syslog file consists of two parts, a
syslog header and a message.
The syslog header contains the date and time the message was generated,
the host name from which it was sent,
auditd to indicate that it was
generated by the audit daemon, an ID field used internally by
syslogd,
and
audit.notice indicating the
syslog facility and severity values. The
syslog header ends with the characters
], that is, a closing square
bracket and a space.
The message part starts with the event type from the header token. All
subsequent data appears only if contained in the original audit record
and there is room in the 1024-byte maximum length
syslog line. In the
following example, the backslash (
\) indicates a continuation; actual
syslog messages are contained on one line:
Oct 31 11:38:08 smothers auditd: [ID 917521 audit.notice]
chdir(2) ok\
session 401 by joeuser as root:other from myultra obj /export/home
In the preceding example,
chdir(2) is the event type. Following this
field is additional data, described below. This data is omitted if it is
not contained in the source audit record.
ok or
failed Comes from the return or exit token.
session <#> <#> is the session ID from the subject token.
by <name> <name> is the audit ID from the subject token.
as <name>:
<group> <name> is the effective user ID and
<group> is the
effective group ID from the subject token.
in <zone name> The zone name. This field is generated only if the
zonename audit policy is set.
from <terminal> <terminal> is the text machine address from the
subject token.
obj <path> <path> is the path from the path token The path can
be truncated from the left if necessary to fit it on
the line. Truncation is indicated by leading
ellipsis (
...).
proc_uid <owner> <owner> is the effective user ID of the process
owner.
proc_auid <owner> <owner> is the audit ID of the process owner.
The following are example
syslog messages:
Nov 4 8:27:07 smothers auditd: [ID 175219 audit.notice] \
system booted
Nov 4 9:28:17 smothers auditd: [ID 752191 audit.notice] \
login - rlogin ok session 401 by joeuser as joeuser:staff from myultra
Nov 4 10:29:27 smothers auditd: [ID 521917 audit.notice] \
access(2) ok session 255 by janeuser as janeuser:staff from \
129.146.89.30 obj /etc/passwd
OBJECT ATTRIBUTES
The
p_flags attribute is used to further filter audit data being sent to
the
syslog daemon beyond the default and non-attributable audit flags.
The parameter is a comma-separated list; each item represents an audit
class (see
audit_class(5)) and is specified using the same syntax used by
auditconfig for the
-setflags and
-setnaflags options. The default (no
p_flags set) is that no audit records are generated.
EXAMPLES
Example 1: Enabling the plugin and selecting events
The command below enables the
audit_syslog plugin and sets the
p_flags filter to allow class records for
lo but allows class records for
am for
failures only. Because no other classes are listed, not other audit
records will be sent to syslog. You cannot add classes to those defined
by means of
flags and
naflags. You can only remove them.
# autditconf -setplugin audit_syslog active p_flags=lo,-am
Example 2: Viewing the plugin configuration
The command below enables shows the
audit_syslog plugin configuration.
# auditconfig -getplugin audit_syslog
Plugin: audit_syslog (active)
Attributes: p_flags=lo,-am;
ATTRIBUTES
See
attributes(7) for a description of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|MT Level | MT-Safe |
+--------------------+-----------------+
|Interface Stability | See below. |
+--------------------+-----------------+
The message format and message content are Uncommitted. The configuration
parameters are Committed.
SEE ALSO
audit_class(5),
syslog.conf(5),
attributes(7),
auditconfig(8),
auditd(8)NOTES
Use of the
plugin configuration line to include
audit_syslog.so requires
that
/etc/syslog.conf is configured to store
syslog messages of facility
audit and severity
notice or above in a file intended for audit records.
An example of such a line in
syslog.conf is:
audit.notice /var/audit/audit.log
Messages from
syslog are sent to remote
syslog servers by means of UDP,
which does not guarantee delivery or ensure the correct order of arrival
of messages.
If the
p_flags attribute results in no classes being preselected, an
error is reported by means of a
syslog alert with the
LOG_DAEMON facility
code.
The time field in the
syslog header is generated by
syslog(3C) and only
approximates the time given in the binary audit log. Normally the time
field shows the same whole second or at most a few seconds difference.
March 6, 2017
AUDIT_SYSLOG(7)