path: root/usr/src/man/man5/audit_syslog.5

'\" te
.\" Copyright (c) 2017 Peter Tribble
.\"  Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH AUDIT_SYSLOG 5 "Mar 6, 2017"
.SH NAME
audit_syslog \- realtime conversion of audit data to syslog messages
.SH SYNOPSIS
.LP
.nf
\fB/usr/lib/security/audit_syslog.so\fR
.fi

.SH DESCRIPTION
.LP
The \fBaudit_syslog\fR plugin module for audit,
\fB/usr/lib/security/audit_syslog.so\fR, provides realtime conversion of
audit data to syslog-formatted (text) data and sends it to a syslog
daemon as configured in \fBsyslog.conf\fR(4).
.sp
.LP
Messages to \fBsyslog\fR are written if the \fBaudit_syslog\fR plugin is
activated and configured using \fBauditconfig\fR(1M).
.sp
.LP
Syslog messages are generated with the facility code of
\fBLOG_AUDIT\fR (\fBaudit\fR in \fBsyslog.conf\fR(4)) and severity of
\fBLOG_NOTICE\fR. Audit \fBsyslog\fR messages contain data selected from the
tokens described for the binary audit log. (See \fBaudit.log\fR(4)). As with
all \fBsyslog\fR messages, each line in a \fBsyslog\fR file consists of two
parts, a \fBsyslog\fR header and a message.
.sp
.LP
The syslog header contains the date and time the message was generated, the
host name from which it was sent, \fBauditd\fR to indicate that it was
generated by the audit daemon, an ID field used internally by \fBsyslogd\fR,
and \fBaudit.notice\fR indicating the \fBsyslog\fR facility and severity
values. The \fBsyslog\fR header ends with the characters \fB]\fR, that is, a
closing square bracket and a space.
.sp
.LP
The message part starts with the event type from the header token. All
subsequent data appears only if contained in the original audit record and
there is room in the 1024-byte maximum length \fBsyslog\fR line. In the
following example, the backslash (\fB\e\fR) indicates a continuation; actual
\fBsyslog\fR messages are contained on one line:
.sp
.in +2
.nf
Oct 31 11:38:08 smothers auditd: [ID 917521 audit.notice] chdir(2) ok\e
session 401 by joeuser as root:other from myultra obj /export/home
.fi
.in -2
.sp

.sp
.LP
In the preceding example, \fBchdir(2)\fR is the event type. Following this
field is additional data, described below. This data is omitted if it is not
contained in the source audit record.
.sp
.ne 2
.na
\fB\fBok\fR or \fBfailed\fR\fR
.ad
.RS 21n
Comes from the return or exit token.
.RE

.sp
.ne 2
.na
\fB\fBsession \fI<#>\fR\fR\fR
.ad
.RS 21n
\fI<#>\fR is the session ID from the subject token.
.RE

.sp
.ne 2
.na
\fB\fBby \fI<name>\fR\fR\fR
.ad
.RS 21n
\fI<name>\fR is the audit ID from the subject token.
.RE

.sp
.ne 2
.na
\fB\fBas \fI<name>\fR:\fI<group>\fR\fR\fR
.ad
.RS 21n
\fI<name>\fR is the effective user ID and \fI<group>\fR is the effective group
ID from the subject token.
.RE

.sp
.ne 2
.na
\fB\fBin\fR \fI<zone name>\fR\fR
.ad
.RS 21n
The zone name. This field is generated only if the \fBzonename\fR audit policy
is set.
.RE

.sp
.ne 2
.na
\fB\fBfrom \fI<terminal>\fR\fR\fR
.ad
.RS 21n
\fI<terminal>\fR is the text machine address from the subject token.
.RE

.sp
.ne 2
.na
\fB\fBobj \fI<path>\fR\fR\fR
.ad
.RS 21n
\fI<path>\fR is the path from the path token The path can be truncated from the
left if necessary to fit it on the line. Truncation is indicated by leading
ellipsis (\fB\&...\fR).
.RE

.sp
.ne 2
.na
\fB\fBproc_uid \fI<owner>\fR\fR\fR
.ad
.RS 21n
\fI<owner>\fR is the effective user ID of the process owner.
.RE

.sp
.ne 2
.na
\fB\fBproc_auid \fI<owner>\fR\fR\fR
.ad
.RS 21n
\fI<owner>\fR is the audit ID of the process owner.
.RE

.sp
.LP
The following are example \fBsyslog\fR messages:
.sp
.in +2
.nf
Nov  4  8:27:07 smothers auditd: [ID 175219 audit.notice] \e
system booted

Nov  4  9:28:17 smothers auditd: [ID 752191 audit.notice] \e
login - rlogin ok session 401 by joeuser as joeuser:staff from myultra

Nov  4 10:29:27 smothers auditd: [ID 521917 audit.notice] \e
access(2) ok session 255 by janeuser as janeuser:staff from  \e
129.146.89.30 obj /etc/passwd
.fi
.in -2
.sp

.SH OBJECT ATTRIBUTES
.LP
The \fBp_flags\fR attribute is used to further filter audit data being sent
to the \fBsyslog\fR daemon beyond the default and non-attributable
audit flags. The parameter is a comma-separated list; each
item represents an audit class (see \fBaudit_class\fR(4)) and is specified
using the same syntax used by \fBauditconfig\fR for the \fB-setflags\fR and
\fB-setnaflags\fR options. The default (no \fBp_flags\fR set) is that no
audit records are generated.
.SH EXAMPLES
.LP
\fBExample 1 \fREnabling the plugin and selecting events
.sp
.LP
The command below enables the \fBaudit_syslog\fR plugin and sets the
\fBp_flags\fR filter to allow class records for \fBlo\fR but
allows class records for \fBam\fR for failures only. Because no other
classes are listed, not other audit records will be sent to
syslog. You cannot add classes to those defined by means of
\fBflags\fR and \fBnaflags\fR. You can only remove them.

.sp
.in +2
.nf
# autditconf -setplugin audit_syslog active p_flags=lo,-am
.fi
.in -2
.sp

\fBExample 2 \fRViewing the plugin configuration
.sp
.LP
The command below enables shows the \fBaudit_syslog\fR plugin configuration.

.sp
.in +2
.nf
# auditconfig -getplugin audit_syslog
Plugin: audit_syslog (active)
	Attributes: p_flags=lo,-am;
.fi
.in -2
.sp

.SH ATTRIBUTES
.LP
See \fBattributes\fR(5) for a description of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
MT Level	MT-Safe
_
Interface Stability	See below.
.TE

.sp
.LP
The message format and message content are Uncommitted. The configuration
parameters are Committed.
.SH SEE ALSO
.LP
\fBauditd\fR(1M), \fBauditconfig\fR(1M), \fBaudit_class\fR(4),
\fBsyslog.conf\fR(4), \fBattributes\fR(5)
.SH NOTES
.LP
Use of the \fBplugin\fR configuration line to include \fBaudit_syslog.so\fR
requires that \fB/etc/syslog.conf\fR is configured to store \fBsyslog\fR
messages of facility \fBaudit\fR and severity \fBnotice\fR or above in a file
intended for audit records. An example of such a line in
\fBsyslog.conf\fR is:
.sp
.in +2
.nf
audit.notice                /var/audit/audit.log
.fi
.in -2
.sp

.sp
.LP
Messages from \fBsyslog\fR are sent to remote \fBsyslog\fR servers by means of
UDP, which does not guarantee delivery or ensure the correct order of arrival
of messages.
.sp
.LP
If the \fBp_flags\fR attribute results in no classes
being preselected, an error is reported by means of a \fBsyslog\fR alert with
the \fBLOG_DAEMON\fR facility code.
.sp
.LP
The time field in the \fBsyslog\fR header is generated by \fBsyslog\fR(3C) and
only approximates the time given in the binary audit log. Normally the time
field shows the same whole second or at most a few seconds difference.