From 8c751b984f29d94bb9d8aa5a75bc3bde9810bb4c Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Thu, 27 Apr 2023 13:17:57 -0400 Subject: [PATCH] Add more requirements --- docs/auditd-plugins.5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/auditd-plugins.5 b/docs/auditd-plugins.5 index 2c7ddf4a0..9b39f191f 100644 --- a/docs/auditd-plugins.5 +++ b/docs/auditd-plugins.5 
@@ -64,7 +64,7 @@ When tuning the audit system's performance, you'd want to check both kernel and .SH NOTES FOR DEVELOPERS When the audit daemon starts your plugin, you will be running as root. If you do not need root privileges, you should change uid/gid to lower chances of being a target for exploit. If you need to retain capabilities, using \fBlibcap-ng\fP is the simplest way. -Your environment is not going to be clean. You are inheriting many attributes from auditd itself. You will need to adjust your \fBsignal mask\fP, \fBumask\fP, and \fBenvironmental variables\fP. You will also inherit the resource limits of auditd. Note that some of these resource limits, such as maximum number of open descriptors, are controlled by systemd. You also inherit auditd's nice value. You might want to adjust that to be sure to keep up with incoming audit events. +Your environment is not going to be clean. You are inheriting many attributes from auditd itself. You will need to adjust your \fBsignal mask\fP, \fBsigaction\fP, \fBumask\fP, and \fBenvironmental variables\fP. Look at the auditd man page to see which signals auditd used. Plugins are expected to handle \fBSIGTERM\fP and \fBSIGHUP\fP. You will also inherit the resource limits of auditd. Note that some of these resource limits, such as maximum number of open descriptors, are controlled by systemd. You also inherit auditd's nice value. You might want to adjust that to be sure to keep up with incoming audit events. Auditd will send events to the plugin on it's \fBstdin\fP. The plugin has to keep this descriptor empty so that events don't back up. If you do significant processing of each event, you should add an internal queue to your design in order to keep events flowing. The \fBauparse_feed\fP function is the preferred way to examine whole events if you need to analyze the contents of the events.
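Review bot: The added sentence in the `+` line, "Look at the auditd man page to see which signals auditd used.", has a tense slip ("used" should be "uses") and names no specific section or man page, so a plugin author cannot tell where to look; suggest "see the SIGNALS section of auditd(8) for the signals auditd uses" or whatever the actual heading is. The same line also says plugins "are expected to handle \fBSIGTERM\fP and \fBSIGHUP\fP" without stating what handling is expected for each, which is the requirement the commit title says it is adding; a short clause per signal (what the daemon means by each when it delivers it to a plugin) would make this actionable. Minor: "environmental variables" is carried over unchanged from the `-` line, and since this line is being rewritten anyway it is a good moment to correct it to "environment variables".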