Update documentation
RH-steve-grubb committed Apr 27, 2023
1 parent c3c5862 commit b62b8f8
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion docs/auditd-plugins.5
Expand Up @@ -60,12 +60,21 @@ If auditd's internal queue fills, it cannot dequeue any events from the kernel b
auditctl -s

When tuning the audit system's performance, you'd want to check both kernel and auditd metrics and adjust accordingly.

.SH NOTES FOR DEVELOPERS
When the audit daemon starts your plugin, you will be running as root. If you do not need root privileges, you should change uid/gid to lower chances of being a target for exploit. If you need to retain capabilities, using \fBlibcap-ng\fP is the simplest way.

Your environment is not going to be clean. You are inheriting many attributes from auditd itself. You will need to adjust your \fBsignal mask\fP, \fBumask\fP, and \fBenvironmental variables\fP. You will also inherit the resource limits of auditd. Note that some of these resource limits, such as maximum number of open descriptors, are controlled by systemd. You also inherit auditd's nice value. You might want to adjust that to be sure to keep up with incoming audit events.

Auditd will send events to the plugin on it's \fBstdin\fP. The plugin has to keep this descriptor empty so that events don't back up. If you do significant processing of each event, you should add an internal queue to your design in order to keep events flowing. The \fBauparse_feed\fP function is the preferred way to examine whole events if you need to analyze the contents of the events.

.SH FILES
/etc/auditd/auditd.conf
/etc/audit/plugins.d
.SH "SEE ALSO"
.BR auditd.conf (5),
.BR auditd (8).
.BR auditd (8),
.BR execve(2),
.BR auparse_feed(3).
.SH AUTHOR
Steve Grubb
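
Review bot: the new stdin paragraph in NOTES FOR DEVELOPERS reads "on it's \fBstdin\fP"; it should be "on its \fBstdin\fP", and two paragraphs earlier "environmental variables" should be "environment variables". In the same section, the privilege-drop advice ("you should change uid/gid") would be more actionable if it said the drop has to happen before the plugin reads its first event from stdin, and named the libcap-ng call that drops uid/gid while keeping the needed capabilities, i.e. capng_change_id(3). In the SEE ALSO additions, ".BR execve(2)," and ".BR auparse_feed(3)." omit the space that ".BR auditd (8)," has; with .BR the space is what alternates bold and roman, so without it the whole "execve(2)" is set in bold. Use ".BR execve (2)," and ".BR auparse_feed (3)." to match. Unrelated to this change but visible in the surrounding context: FILES lists /etc/auditd/auditd.conf while the next line uses /etc/audit/plugins.d; the first should be /etc/audit/auditd.conf.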
