audispd Command in Linux



audispd in Linux is the audit event multiplexor (dispatcher) that works alongside the audit daemon. It does not generate audit events itself: auditd receives events from the kernel and hands them to audispd, which distributes a copy of each event to its child programs (plugins) for real-time analysis, for example forwarding them to syslog, to a Unix socket or to a remote host. Because every active plugin receives the same stream, several analysis tools can consume the audit data at once. If the audit daemon receives a SIGTERM or SIGHUP signal, it forwards the signal to audispd, which in turn relays it to its child processes. In audit 3.0 and later the dispatcher is built into auditd and there is no separate audispd process, but the plugin mechanism and the configuration keywords described below are unchanged.

The child programs place their configuration files in the /etc/audisp/plugins.d directory (audit 2.x; on audit 3.x the directory is /etc/audit/plugins.d). It is important to note that filenames in this directory must not contain more than one period (.): a file with more than one period, such as syslog.conf.bak, is treated as a backup copy and skipped. Each configuration option is specified on a separate line, with an equal sign (=) separating the keyword from its value. Because auditd starts every active plugin as root, these files and the executables they point to should be writable only by root.


Here is a comprehensive guide to the configuration options available for audispd in Linux −

How to Install audispd Command in Linux?

audispd itself ships with the audit daemon in the audit package, so it is present wherever auditd is installed. The external plugins it dispatches to (audisp-remote and others) are packaged separately as audispd-plugins (audit-audispd-plugins on SUSE). This plugin package is usually not preinstalled, but you can add it quickly with your distribution's package manager.

On Ubuntu, Debian, and Kali Linux

sudo apt install audispd-plugins

On Fedora and CentOS

sudo dnf install audit audispd-plugins

On SUSE

sudo zypper install audit-audispd-plugins

On Arch Linux

sudo pacman -S audit

How to Setup audispd Command in Linux?

Once you complete the installation, you have to set up audispd in Linux. Because auditd launches the dispatcher itself, this amounts to starting and enabling the audit daemon.

To start audit daemon in Linux, you can use −

sudo systemctl start auditd

Once you start the audit daemon, you can enable it to start on boot using −

sudo systemctl enable auditd

To check the status of the auditd, you can simply run −

sudo systemctl status auditd

This will set up audispd along with the audit daemon, and allow you to start using it for real-time event analysis.

Syntax of audispd Command

audispd takes no command-line arguments and is not normally invoked by hand. auditd starts it automatically at boot; on audit 2.x the program it launches is set by the dispatcher keyword in /etc/audit/auditd.conf −

dispatcher = /sbin/audispd

Where,

  • dispatcher is the program auditd launches at startup to distribute events. On audit 3.x this line is absent because the dispatcher is built into auditd.

audispd Command Options

The following table lists the keywords accepted in a plugin's configuration file under plugins.d. These are configuration keywords, not command-line options; audispd has none −

Option Description
active Specifies whether the plugin is active; the options are yes or no.
direction Indicates the direction of events; the options are in or out. Inbound events are not supported yet, so in practice this is always out.
path The absolute path to the plugin executable; for built-in plugins it is the plugin's internal name (for example builtin_syslog).
type Specifies how the plugin should be run. Options are builtin for the internal af_unix and syslog plugins, and always for most other plugins, which are started as external processes.
args Arguments passed to the child program. Most plugins take none and read their own configuration file instead; at most 2 arguments are passed.
format Determines the data format handed to the plugin: binary for raw data, or string for human-readable text that can be parsed with the audit parsing library (auparse). string is the default.

How to use audispd Command in Linux?

audispd reads its own settings from a configuration file and each plugin's settings from plugins.d. On audit 2.x these live under /etc/audisp; on audit 3.x, where the dispatcher is part of auditd, they live under /etc/audit. Run ls /etc/audisp /etc/audit to see which layout your system uses.

The dispatcher's own settings are in audispd.conf on audit 2.x. On audit 3.x that file no longer exists and the same keywords (q_depth, overflow_action, priority_boost, max_restarts, name_format and so on) are set in auditd.conf. The file audisp-remote.conf in the same directory belongs to the remote-logging plugin, not to the dispatcher itself.


Here's an example audispd.conf (the same keywords go in auditd.conf on audit 3.x) −

q_depth = 80
overflow_action = syslog
priority_boost = 4
max_restarts = 10
name_format = hostname

Where,

  • q_depth = 80 − Sets the dispatcher's internal queue depth to 80 events. A larger queue absorbs bursts better, but events still queued when the daemon is terminated are lost.
  • overflow_action = syslog − When the queue is full, new events are dropped and a warning is written to syslog. The other choices are ignore (drop silently, with no trace), suspend (stop dispatching events), single (drop to single-user mode) and halt.
  • priority_boost = 4 − Raises the scheduling priority of the dispatcher by this amount so it keeps up with auditd.
  • max_restarts = 10 − Restarts a crashed plugin at most 10 times before giving up on it.
  • name_format = hostname − Tags each event with the local hostname. The alternatives are none, fqd, numeric and user (which takes the value of the name keyword).

You can also configure plugins inside the /etc/audisp/plugins.d or /etc/audit/plugins.d directory. Each plugin has its own configuration file there, named with a single period, for example syslog.conf or example.conf.

Here's an example.conf you can create (example_plugin is a placeholder for your own executable) −

active = yes
direction = out
path = /usr/sbin/example_plugin
type = always
args = arg1 arg2
format = string

Where,

  • active = yes − Activates the plugin.
  • direction = out − Sets the event direction to outbound.
  • path = /usr/sbin/example_plugin − Specifies the absolute path to the plugin executable (a placeholder here; it must exist, be executable and be writable only by root, since auditd runs it as root).
  • type = always − Runs the plugin as an external process that is started whenever auditd starts.
  • args = arg1 arg2 − Passes two arguments to the plugin.
  • format = string − Sets the data format to string.
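The rules above (one period per filename in plugins.d, an absolute executable path for type = always, at most two args, direction = in unsupported) and the dispatcher settings in audispd.conf are easy to get wrong, and a mistake means either a silently skipped plugin or silently dropped events. The following POSIX shell script is an added example, not part of the audit project or of this page, that checks both. With no arguments it builds a constructed sample tree under mktemp (an audispd.conf plus a plugins.d with one good and several bad entries) and lints that; pass a config file and a plugins directory to point it at /etc/audisp or /etc/audit instead. The plugin path /nonexistent/example_plugin and the sample file names are placeholders.

```shell
#!/bin/sh
# lint-audisp.sh: check an audit dispatcher config and its plugins.d directory.
# Added example, not part of the audit project. Usage:
#   sh lint-audisp.sh /etc/audisp/audispd.conf /etc/audisp/plugins.d   (audit 2.x)
#   sh lint-audisp.sh /etc/audit/auditd.conf   /etc/audit/plugins.d    (audit 3.x)
# With no arguments it lints a constructed sample tree instead of real system files.

# Print "key value" for every "key = value" line, dropping comments and blanks.
read_kv() {
    sed -n -e 's/#.*//' -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*\([A-Za-z_][A-Za-z_0-9]*\)[[:space:]]*=[[:space:]]*/\1 /p' "$1"
}

# Value of one key in a file; empty if the key is absent.
kv_get() {
    read_kv "$1" | awk -v k="$2" '$1 == k { sub(/^[^ ]* ?/, ""); print; exit }'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# True if others can write the file. Plugins run as root under auditd, so a
# world-writable plugin binary or plugin config is a root privilege escalation.
world_writable() { [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]; }

# Dispatcher settings (audispd.conf, or auditd.conf on audit 3.x).
check_dispatcher_conf() {
    f=$1
    oa=$(lower "$(kv_get "$f" overflow_action)")
    case "$oa" in
        '' | syslog | suspend | single | halt) ;;     # '' means the default, syslog
        ignore) echo "overflow_action=ignore: events lost on queue overflow leave no trace" ;;
        *) echo "overflow_action=$oa: unknown action" ;;
    esac
    qd=$(kv_get "$f" q_depth)
    case "$qd" in
        *[!0-9]*) echo "q_depth=$qd: must be a non-negative integer" ;;
    esac
    nf=$(lower "$(kv_get "$f" name_format)")
    case "$nf" in
        '' | none | hostname | fqd | numeric) ;;
        user) [ -n "$(kv_get "$f" name)" ] || echo "name_format=user but no name= is set" ;;
        *) echo "name_format=$nf: unknown format" ;;
    esac
    return 0
}

# One plugin file per entry; mirrors the rules audispd applies when loading them.
check_plugins_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        b=${f##*/}
        case "$b" in
            *.*.*) echo "$b: ignored by the dispatcher (more than one '.' in the name)"; continue ;;
        esac
        world_writable "$f" && echo "$b: config file is world-writable; anyone can change path="
        [ "$(lower "$(kv_get "$f" active)")" = yes ] || continue
        typ=$(lower "$(kv_get "$f" type)")
        path=$(kv_get "$f" path)
        [ "$(lower "$(kv_get "$f" direction)")" = in ] && echo "$b: direction=in is not supported"
        case "$typ" in
            builtin) ;;                   # af_unix / syslog: path= is an internal name
            always)
                case "$path" in
                    /*) if [ ! -x "$path" ]; then
                            echo "$b: path=$path missing or not executable"
                        elif world_writable "$path"; then
                            echo "$b: path=$path is world-writable and runs as root"
                        fi ;;
                    *) echo "$b: type=always needs an absolute path, got '$path'" ;;
                esac ;;
            *) echo "$b: type=$typ is neither builtin nor always" ;;
        esac
        set -- $(kv_get "$f" args)        # audispd passes at most two arguments
        [ $# -gt 2 ] && echo "$b: $# args given, only 2 are passed to the plugin"
    done
    return 0
}

# Constructed sample tree (not real system files): one good plugin, several bad.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/plugins.d"
    printf 'q_depth = 80\noverflow_action = ignore\nname_format = user\n' > "$root/audispd.conf"
    printf 'active = yes\ndirection = out\npath = builtin_syslog\ntype = builtin\nargs = LOG_INFO\nformat = string\n' > "$root/plugins.d/syslog.conf"
    printf 'active = yes\ndirection = out\npath = /nonexistent/example_plugin\ntype = always\nargs = a b c\nformat = string\n' > "$root/plugins.d/example.conf"
    cp "$root/plugins.d/example.conf" "$root/plugins.d/example.conf.bak"   # two dots: skipped
    printf 'active = no\npath = /bin/false\ntype = always\n' > "$root/plugins.d/off.conf"
    chmod 644 "$root/audispd.conf" "$root"/plugins.d/*
    chmod 646 "$root/plugins.d/off.conf"
    echo "$root"
}

if [ $# -eq 2 ]; then
    conf=$1; pdir=$2; sample=
else
    sample=$(make_sample_tree); conf=$sample/audispd.conf; pdir=$sample/plugins.d
fi
echo "== $conf";  check_dispatcher_conf "$conf"
echo "== $pdir";  check_plugins_dir "$pdir"
if [ -n "$sample" ]; then rm -rf "$sample"; fi
```

On the sample tree the script reports the ignore overflow action, the user name format without a name, the skipped example.conf.bak, the missing plugin binary, the third argument that would never reach the plugin, and the world-writable off.conf. Run it against the real directory after every change to plugins.d and before restarting auditd.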

Once you are done with the configuration, save your file and restart auditd so that the dispatcher re-reads audispd.conf and the files in plugins.d. On Debian and Ubuntu −

sudo systemctl restart auditd

On some distributions, notably Fedora, CentOS and RHEL, the auditd unit is marked RefuseManualStop=yes and systemctl refuses to restart it; there, use the init script instead −

sudo service auditd restart

Alternatively, send auditd a SIGHUP (for example with kill -HUP and its PID). As described above, auditd passes the signal on to the dispatcher and its plugins, which reload their configuration without the daemon stopping.

In this way, you can use audispd on your Linux system.

Conclusion

The audispd is a crucial audit event multiplexor in Linux that works seamlessly with the audit daemon to manage and distribute audit events for real-time analysis.

In this tutorial, we explained the installation, startup, configuration and use of audispd on a Linux system. This should help you route audit events to the analysis tools you need and keep your system's audit data monitored in real time.
