
audispd Command in Linux
audispd in Linux is the audit event multiplexor (dispatcher) that works alongside the audit daemon, auditd, to handle audit events on your system. It does not generate events itself: auditd hands it every event the kernel delivers, and audispd copies each one to the child programs (plugins) it has started, so several consumers can analyse the stream in real time without each having to read the audit log. If the audit daemon receives a SIGTERM or SIGHUP signal, it forwards the signal to audispd, which then relays it to its child processes. Note that from audit 3.0 onwards the dispatcher is compiled into auditd itself, so there is no separate audispd binary, but the plugin mechanism and the options described here still apply.
The child programs place their configuration files in the /etc/audisp/plugins.d directory (/etc/audit/plugins.d on audit 3.x). It's important to note that filenames in this directory should not contain more than one period (.), as files with multiple periods are treated as backup copies and are skipped; a stale example.conf.bak is therefore ignored while example.conf is loaded. Each configuration option is specified on a separate line, with an equal sign (=) separating the keyword from its value. Because every plugin marked active here is started by auditd and runs as root, this directory and the executables it points to must be writable by root only: anyone who can drop a file here gains a root process that receives every audit event.
Table of Contents
Here is a comprehensive guide to the options available with the audispd command in Linux −
- How to Install audispd Command in Linux?
- How to Setup audispd Command in Linux?
- Syntax of audispd Command
- audispd Command Options
- How to use audispd Command in Linux?
How to Install audispd Command in Linux?
To use audispd you need the audit daemon package, which ships the dispatcher, and usually the audispd-plugins package, which provides the standard plugins (for example af_unix, syslog and the remote-logging plugin). By default, these packages aren't preinstalled on most systems, but you can install them quickly with your distribution's package manager.
On Ubuntu, Debian, and Kali Linux −
sudo apt install auditd audispd-plugins
On Fedora and CentOS −
sudo dnf install audit audispd-plugins
On SUSE −
sudo zypper install audit audit-audispd-plugins
On Arch Linux −
sudo pacman -S audit
How to Setup audispd Command in Linux?
Once you complete the installation, you have to set up audispd. Since auditd starts the dispatcher itself, this means starting and enabling the audit daemon.
To start audit daemon in Linux, you can use −
sudo systemctl start auditd

Once you start the audit daemon, you can enable it to start on boot using −
sudo systemctl enable auditd

To check the status of the auditd, you can simply run −
sudo systemctl status auditd

Starting auditd also starts the dispatcher and every plugin whose file in plugins.d has active = yes, so from this point audispd is running and you can begin using it for real-time event analysis.
Syntax of audispd Command
The basic syntax of audispd in Linux is provided below −
audispd
Where,
- audispd is the dispatcher executable, which takes no command-line options. You do not normally run it by hand: auditd starts it at boot (on audit 2.x the path is set by the dispatcher option in auditd.conf), writes events to its standard input and supervises it. All configuration is done through the files described below.
audispd Command Options
The following table lists the configuration options used in each plugin file under plugins.d −
Option | Description |
---|---|
active | Specifies whether the plugin is active; the options are yes or no. |
direction | Indicates the direction in which events flow, seen from the dispatcher; the options are in or out. Inbound events are not supported yet, so use out. |
path | The absolute path to the plugin executable; for internal plugins, it is the name of the plugin rather than a filesystem path. |
type | Specifies how the plugin should be run. Options are builtin for the internal plugins (af_unix and syslog) and always for most other plugins, which the dispatcher starts as separate processes. |
args | Allows passing arguments to the child program. Generally, plugins do not take arguments and have their own configuration files. There is a limit of 2 arguments. |
format | Determines the data format passed to the plugin. Options are binary, which passes the event exactly as the dispatcher received it, and string, which converts the event to text that can be parsed with the audit parsing library (auparse). string is the default. |
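The two rules given earlier (one keyword = value per line, and files with more than one period silently skipped as backups) and the allowed values in the table above are easy to get wrong in a way that quietly disables a plugin. The checker below is an added example, not part of the audit package or of this page's original text: it reads a plugins.d directory the way the dispatcher would and reports each problem, spelling the type keyword builtin as audispd.conf(5) does. The sample files it writes to a temporary directory are constructed for the demonstration, and the function names and the demo() helper are this example's own.

```python
"""Check audispd plugin definitions the way the dispatcher reads them.

Added example, not from the audit project. Rules applied: one 'key = value'
per line, filenames with more than one '.' are skipped as backups, permitted
values for active/direction/type/format, the 2-argument limit, and an
absolute path for external (non-builtin) plugins.
"""
import os
import tempfile

ALLOWED = {
    "active": {"yes", "no"},
    "direction": {"in", "out"},
    "type": {"builtin", "always"},
    "format": {"binary", "string"},
}
REQUIRED = {"active", "direction", "path", "type", "format"}


def parse_plugin_file(text):
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    opts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'keyword = value'")
        opts[key.strip()] = value.strip()
    return opts


def check_plugin(opts):
    """Return a list of problems for one parsed plugin definition."""
    problems = [f"missing option '{k}'" for k in sorted(REQUIRED - set(opts))]
    for key, allowed in ALLOWED.items():
        if key in opts and opts[key] not in allowed:
            problems.append(f"{key}={opts[key]!r} not in {sorted(allowed)}")
    if opts.get("direction") == "in":
        problems.append("direction=in: inbound events are not supported")
    if len(opts.get("args", "").split()) > 2:
        problems.append("args: only 2 arguments are passed to the child")
    path = opts.get("path", "")
    # Builtin plugins are named by plugin name; anything else is an executable
    # that the dispatcher starts as root, so insist on an absolute path.
    if opts.get("type") != "builtin" and path and not os.path.isabs(path):
        problems.append(f"path {path!r} is not absolute")
    return problems


def check_plugins_dir(directory):
    """Return {filename: [problems]} for every regular file in directory.

    Files the dispatcher would skip (more than one '.') are reported as well,
    since that is the usual reason an apparently configured plugin never
    starts: the only copy with active = yes is a .conf.bak.
    """
    report = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            continue
        if name.count(".") > 1:
            report[name] = ["skipped: more than one '.' in filename (treated as a backup)"]
            continue
        with open(full) as fh:
            try:
                report[name] = check_plugin(parse_plugin_file(fh.read()))
            except ValueError as exc:
                report[name] = [str(exc)]
    return report


# Constructed sample files for the demo; not copied from any distribution.
SAMPLES = {
    "example.conf": "active = yes\ndirection = out\npath = /usr/sbin/example_plugin\n"
                    "type = always\nargs = arg1 arg2\nformat = string\n",
    "af_unix.conf": "active = no\ndirection = out\npath = builtin_af_unix\n"
                    "type = builtin\nargs = 0640 /var/run/audispd_events\nformat = binary\n",
    "remote.conf.bak": "active = yes\ndirection = out\npath = /sbin/audisp-remote\n"
                       "type = always\nformat = string\n",
    "broken.conf": "active = maybe\ndirection = in\npath = plugins/mine\n"
                   "type = built-in\nargs = a b c\nformat = string\n",
}


def demo():
    """Write the samples to a temporary plugins.d and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(body)
        return check_plugins_dir(tmp)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

On a real host, call check_plugins_dir("/etc/audisp/plugins.d") or check_plugins_dir("/etc/audit/plugins.d") instead of demo(); the path-existence and ownership checks a hardening script would add on top are left out here so the example runs anywhere.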
How to use audispd Command in Linux?
The audispd uses configuration files to manage its own behaviour and the behaviour of its plugins. On audit 2.x these live in /etc/audisp (audispd.conf plus the plugins.d directory); on audit 3.x the dispatcher options moved into /etc/audit/auditd.conf and the plugin files into /etc/audit/plugins.d. Check which layout your system uses by listing /etc/audisp and /etc/audit.
The main configuration file is therefore audispd.conf or auditd.conf, depending on the version. Per-plugin files such as audisp-remote.conf (for the remote logging plugin) configure that plugin only, not the dispatcher.

Here's an example configuration (an audispd.conf on audit 2.x; the same keywords are accepted in auditd.conf on 3.x) −
q_depth = 80
overflow_action = syslog
priority_boost = 4
max_restarts = 10
name_format = hostname
Where,
- q_depth = 80 − Sets the internal queue depth to 80 events. A larger queue absorbs bursts better, but events still queued when the daemon terminates are lost.
- overflow_action = syslog − When the queue is full, writes a warning to syslog that events were dropped. The events are still dropped; the alternatives are ignore, suspend (stop passing events to plugins), single (drop to single-user mode) and halt, the last two of which fail closed at the cost of availability.
- priority_boost = 4 − Raises the dispatcher's scheduling priority by 4 (0 means no change) so it keeps up with auditd.
- max_restarts = 10 − Limits the number of times the dispatcher restarts a crashed plugin to 10; after that the plugin stays down, so watch syslog for these messages.
- name_format = hostname − Prefixes each event with the node's hostname (a node= field), which matters when events from several machines are collected centrally. Other choices are none, fqd, numeric and user.
You can also configure plugins inside the /etc/audisp/plugins.d or /etc/audit/plugins.d directory. Each plugin has its own configuration file, named with a single period so the dispatcher does not treat it as a backup. Here's an example.conf you can create −
active = yes
direction = out
path = /usr/sbin/example_plugin
type = always
args = arg1 arg2
format = string
Where,
- active = yes − Activates the plugin.
- direction = out − Sets the event direction to outbound, the only supported direction.
- path = /usr/sbin/example_plugin − Specifies the absolute path of the plugin executable, which the dispatcher starts as root.
- type = always − Marks it as an external plugin that the dispatcher runs as a separate process (and restarts, up to max_restarts times, if it dies).
- args = arg1 arg2 − Passes two arguments to the plugin, the maximum allowed.
- format = string − Delivers events as text lines on the plugin's standard input.
Once you are done with the configuration, save your file and restart auditd to reload the changes. On distributions that ship the upstream unit file, such as Fedora and RHEL, auditd.service sets RefuseManualStop=yes and systemctl will refuse to restart it; use the SysV-style service auditd restart there instead.
sudo systemctl restart auditd
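With the plugin defined and auditd restarted, the dispatcher runs /usr/sbin/example_plugin as root and writes one string-format record per line to its standard input, relaying SIGTERM and SIGHUP from auditd as described at the top of the page. The program below is an added example of what such a plugin can look like; it is not shipped with audit and not the page's own code. It groups incoming records into events by serial number, keeps the events in which any record carries a watched key= (the key set by -k on an audit rule), and appends them as JSON lines to a file. The watched keys, the output path, the handling of the node= prefix that appears when name_format is not none, and the sample records are all assumptions constructed for the example. Field values such as comm= or name= are attacker-influenced, so the plugin only pattern-matches and serialises them and never passes them to a shell.

```python
"""A minimal audispd plugin: audit records in on stdin, selected events out.

Added example, not from the audit project. Run it from a plugins.d entry with
type = always and format = string. Key names, output path and sample records
are assumptions made for this example.
"""
import json
import re
import signal
import sys

DEFAULT_OUT = "/var/log/audisp-example.jsonl"        # assumed output path
WATCHED_KEYS = frozenset({"sshd_config", "shadow"})  # assumed audit rule keys

# One record as delivered with format = string. The node= prefix is present
# only when name_format in the dispatcher configuration is not 'none'.
RECORD_RE = re.compile(
    r'^(?:node=(?P<node>\S+) )?type=(?P<type>\S+) '
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s?(?P<body>.*)$')
KEY_RE = re.compile(r'(?:^|\s)key="([^"]*)"')

# Constructed sample records (not captured from a real host), shortened.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 '
    'success=yes exit=3 items=2 pid=1337 auid=1000 uid=0 tty=pts0 ses=3 '
    'comm="vim" exe="/usr/bin/vim" key="sshd_config"',
    'type=CWD msg=audit(1700000000.123:4242): cwd="/root"',
    'type=PATH msg=audit(1700000000.123:4242): item=0 '
    'name="/etc/ssh/sshd_config" inode=1234 mode=0100600 ouid=0 ogid=0',
    'type=USER_LOGIN msg=audit(1700000001.500:4243): pid=900 uid=0 auid=1000 '
    "ses=4 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" addr=203.0.113.5 "
    "terminal=/dev/pts/1 res=success'",
    'this is not an audit record',
    'node=web01 type=SYSCALL msg=audit(1700000002.000:4244): arch=c000003e '
    'syscall=2 success=no exit=-13 items=1 pid=2001 auid=1000 uid=1000 '
    'comm="cat" exe="/usr/bin/cat" key="shadow"',
]


def parse_record(line):
    """Return a dict for one record, or None if the line is not a record."""
    m = RECORD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    key = KEY_RE.search(rec["body"])
    rec["key"] = key.group(1) if key else None
    return rec


def group_events(lines):
    """Yield lists of records sharing one serial number (one event).

    Assumes the records of an event arrive contiguously, as on the dispatcher
    stream. An event closes on a record with a new serial, or on an EOE
    record where the daemon emits one. Unparsable lines are dropped.
    """
    current, serial = [], None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if current and rec["serial"] != serial:
            yield current
            current = []
        serial = rec["serial"]
        current.append(rec)
        if rec["type"] == "EOE":
            yield current
            current, serial = [], None
    if current:
        yield current


def matching_events(lines, watched_keys=WATCHED_KEYS):
    """Yield whole events in which any record carries a watched key."""
    for event in group_events(lines):
        if any(r["key"] in watched_keys for r in event):
            yield event


class Shutdown(Exception):
    """Raised from the SIGTERM handler so the read loop flushes and exits."""


def run(stream=sys.stdin, out_path=DEFAULT_OUT, watched_keys=WATCHED_KEYS):
    """Plugin main loop. Nothing is written to stdout, which audispd ignores.

    audispd also closes the plugin's stdin on shutdown, so EOF ends the loop.
    """
    with open(out_path, "a") as sink:
        def on_term(signum, frame):
            raise Shutdown()

        def on_hup(signum, frame):
            sink.flush()  # a real plugin would re-read its own config here

        signal.signal(signal.SIGTERM, on_term)
        signal.signal(signal.SIGHUP, on_hup)
        try:
            for event in matching_events(stream, watched_keys):
                sink.write(json.dumps(event) + "\n")
                sink.flush()
        except Shutdown:
            pass
    return 0


if __name__ == "__main__":
    sys.exit(run(out_path=sys.argv[1] if len(sys.argv) > 1 else DEFAULT_OUT))
```

To try it without auditd, pipe SAMPLE_LINES into it or feed it lines from an existing audit.log; in production, point path = at the script (made executable, root-owned, mode 0750) and keep the output file root-only, since it contains the same sensitive data as the audit log. The simple contiguous grouping is a deliberate trade-off: the audit parsing library (auparse) handles interleaved events and is what a C plugin would normally use.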
In this way, you can use audispd on your Linux system.
Conclusion
The audispd is a crucial audit event multiplexor in Linux that works seamlessly with the audit daemon to manage and distribute audit events for real-time analysis.
In this tutorial, we explained the installation, syntax, configuration and use of audispd on a Linux system. This should help you route audit events to the analysis tools you need in real time and keep your system's audit data monitored in an organised way.