
os-auditd.plugin.bash¤

Installs and configures auditd.

group:prenet | runtype:systemd | deps: - | port: -

Usage
os-auditd help|install|uninstall|download|disable|configgen|configapply|check|run
$ os-auditd install - install auditd system monitoring
$ os-auditd uninstall - uninstall auditd
$ os-auditd download - download auditd package files to pkg dir
$ os-auditd disable - disable auditd plugin
$ os-auditd configgen - generate auditd configuration files
$ os-auditd configapply - apply auditd configuration files
$ os-auditd check - check auditd plugin status
$ os-auditd run - run auditd service
$ os-auditd help - show this help message
Description

Auditd (Linux Audit Daemon) tracks system calls, file access, user activities, and security events.

Jangbi Configs¤

/opt/jangbi/.config
RUN_OS_AUDITD=1 # enable auditd system monitoring

Check if running¤

bash command
$ systemctl status auditd
● auditd.service - Security Auditing Service
   Active: active (running)
$ aureport --summary
Summary Report
======================
Range of time in logs: 01/01/2024 00:00:00.000 - 07/22/2025 12:00:00.000

Current Configuration¤

The current configuration is stored in /etc/audit/. It is generated by the os-auditd configgen command on install. You can edit it manually; to keep your manual changes, do not run the install or configapply commands again, since they regenerate these files.

/etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#
# Generated by `os-auditd configgen`; re-running install/configapply
# overwrites it. Key semantics follow auditd.conf(5) — confirm against
# the man page of the installed auditd version before relying on them.
#

# Record events from the local kernel (not only remote/aggregated ones).
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
# Group that is granted read access to the log file; members of this
# group can read every audit record, so keep membership tight.
log_group = adm
# ENRICHED appends resolved names (UID="...", SYSCALL=...) to each
# record, as in the sample records further below.
log_format = ENRICHED # RAW / ENRICHED
# Flush to disk asynchronously every `freq` records; the last <freq
# records can be lost on an abrupt crash/power loss — trade-off against
# the cost of a sync per record.
flush = INCREMENTAL_ASYNC
freq = 50
# Log size in MB and rotation depth: 5 files of 8 MB each, so roughly
# 40 MB of history is retained before the oldest log is discarded.
max_log_file = 8
num_logs = 5
priority_boost = 4
# NONE: no node name is embedded in records; set to USER plus `name`
# (below) when logs from several hosts are aggregated.
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
# Low-disk handling (values are MB by default, see auditd.conf(5)).
# At `space_left` a warning goes to syslog; at `admin_space_left`,
# on disk full, and on disk error auditd SUSPENDs, i.e. stops writing
# records to disk while the system keeps running — auditing silently
# halts, so monitor these thresholds and the resulting syslog warnings.
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
# Remote-logging listener settings. `tcp_listen_port` is commented out,
# so this daemon does not accept audit records from remote hosts; the
# remaining tcp_*/krb5_* values only take effect if it is enabled.
# use_libwrap applies tcp_wrappers (hosts.allow/deny) to such clients.
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
# Do not forward network-originated events to dispatcher plugins.
distribute_network = no
# Dispatcher queue to audisp plugins; on overflow, report via syslog
# rather than dropping silently or stopping auditd.
q_depth = 2000
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2

# # https://rninche01.tistory.com/entry/Linux-system-call-table-%EC%A0%95%EB%A6%ACx86-x64
# type=SYSCALL msg=audit(1749094648.996:73664): arch=c000003e syscall=41 success=yes exit=188 a0=2 a1=80802 a2=0 a3=0 items=0 ppid=1238 pid=1831 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty1 ses=1 comm=444E53205265737E76657220233239 exe="/usr/lib/firefox-esr/firefox-esr" subj=unconfined key="network_socket_created"ARCH=x86_64 SYSCALL=socket AUID="wj" UID="wj" GID="wj" EUID="wj" SUID="wj" FSUID="wj" EGID="wj" SGID="wj" FSGID="wj"
# type=PROCTITLE msg=audit(1749094648.996:73664): proctitle="/usr/lib/firefox-esr/firefox-esr"
# type=SYSCALL msg=audit(1749094648.996:73665): arch=c000003e syscall=42 success=yes exit=0 a0=bc a1=7f8a65d41d8c a2=10 a3=7f8a65d3e8d4 items=0 ppid=1238 pid=1831 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty1 ses=1 comm=444E53205265737E76657220233239 exe="/usr/lib/firefox-esr/firefox-esr" subj=unconfined key="network_connect_4"ARCH=x86_64 SYSCALL=connect AUID="wj" UID="wj" GID="wj" EUID="wj" SUID="wj" FSUID="wj" EGID="wj" SGID="wj" FSGID="wj"
# type=SOCKADDR msg=audit(1749094648.996:73665): saddr=02000035C0A84F01E5E5E5E5E5E5E5E5SADDR={ saddr_fam=inet laddr=192.168.79.1 lport=53 }
# type=PROCTITLE msg=audit(1749094648.996:73665): proctitle="/usr/lib/firefox-esr/firefox-esr"
# type=SYSCALL msg=audit(1749094649.032:73666): arch=c000003e syscall=41 success=yes exit=188 a0=2 a1=80002 a2=0 a3=7f8a65d3fdc0 items=0 ppid=1238 pid=1831 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty1 ses=1 comm=444E53205265737E76657220233239 exe="/usr/lib/firefox-esr/firefox-esr" subj=unconfined key="network_socket_created"ARCH=x86_64 SYSCALL=socket AUID="wj" UID="wj" GID="wj" EUID="wj" SUID="wj" FSUID="wj" EGID="wj" SGID="wj" FSGID="wj"
# type=PROCTITLE msg=audit(1749094649.032:73666): proctitle="/usr/lib/firefox-esr/firefox-esr"
# type=SYSCALL msg=audit(1749094649.032:73667): arch=c000003e syscall=42 success=yes exit=0 a0=bc a1=7f8a4fc12a30 a2=10 a3=7f8a65d3fdc0 items=0 ppid=1238 pid=1831 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty1 ses=1 comm=444E53205265737E76657220233239 exe="/usr/lib/firefox-esr/firefox-esr" subj=unconfined key="network_connect_4"ARCH=x86_64 SYSCALL=connect AUID="wj" UID="wj" GID="wj" EUID="wj" SUID="wj" FSUID="wj" EGID="wj" SGID="wj" FSGID="wj"
# type=SOCKADDR msg=audit(1749094649.032:73667): saddr=02000000681226E90000000000000000SADDR={ saddr_fam=inet laddr=104.18.38.233 lport=0 }
# type=PROCTITLE msg=audit(1749094649.032:73667): proctitle="/usr/lib/firefox-esr/firefox-esr"
# type=SYSCALL msg=audit(1749094649.032:73668): arch=c000003e syscall=42 success=yes exit=0 a0=bc a1=7f8a65d40070 a2=10 a3=7f8a65d3fdc0 items=0 ppid=1238 pid=1831 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty1 ses=1 comm=444E53205265737E76657220233239 exe="/usr/lib/firefox-esr/firefox-esr" subj=unconfined key="network_connect_4"ARCH=x86_64 SYSCALL=connect AUID="wj" UID="wj" GID="wj" EUID="wj" SUID="wj" FSUID="wj" EGID="wj" SGID="wj" FSGID="wj"
# type=SOCKADDR msg=audit(1749094649.032:73668): saddr=00000000000000000000000000000000SADDR=unknown-family(0)
# type=PROCTITLE msg=audit(1749094649.032:73668): proctitle="/usr/lib/firefox-esr/firefox-esr"
# type=SYSCALL msg=audit(1749094649.032:73669): arch=c000003e syscall=42 success=yes exit=0 a0=bc a1=7f8a5030d070 a2=10 a3=7f8a65d3fdc0 items=0 ppid=1238 pid=1831 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty1 ses=1 comm=444E53205265737E76657220233239 exe="/usr/lib/firefox-esr/firefox-esr" subj=unconfined key="network_connect_4"ARCH=x86_64 SYSCALL=connect AUID="wj" UID="wj" GID="wj" EUID="wj" SUID="wj" FSUID="wj" EGID="wj" SGID="wj" FSGID="wj"
# type=SOCKADDR msg=audit(1749094649.032:73669): saddr=02000000AC4095170000000000000000SADDR={ saddr_fam=inet laddr=172.64.149.23 lport=0 }
# type=PROCTITLE msg=audit(1749094649.032:73669): proctitle="/usr/lib/firefox-esr/firefox-esr"
# type=SYSCALL msg=audit(1749094649.032:73670): arch=c000003e syscall=41 success=yes exit=188 a0=2 a1=1 a2=0 a3=0 items=0 ppid=1238 pid=1831 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty1 ses=1 comm=536F636B657420546872656164 exe="/usr/lib/firefox-esr/firefox-esr" subj=unconfined key="network_socket_created"ARCH=x86_64 SYSCALL=socket AUID="wj" UID="wj" GID="wj" EUID="wj" SUID="wj" FSUID="wj" EGID="wj" SGID="wj" FSGID="wj"
# type=PROCTITLE msg=audit(1749094649.032:73670): proctitle="/usr/lib/firefox-esr/firefox-esr"
# type=SYSCALL msg=audit(1749094650.060:73671): arch=c000003e syscall=41 success=yes exit=190 a0=2 a1=1 a2=0 a3=36bebdec9285 items=0 ppid=1238 pid=1831 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty1 ses=1 comm=536F636B657420546872656164 exe="/usr/lib/firefox-esr/firefox-esr" subj=unconfined key="network_socket_created"ARCH=x86_64 SYSCALL=socket AUID="wj" UID="wj" GID="wj" EUID="wj" SUID="wj" FSUID="wj" EGID="wj" SGID="wj" FSGID="wj"
# type=PROCTITLE msg=audit(1749094650.060:73671): proctitle="/usr/lib/firefox-esr/firefox-esr"
# type=SYSCALL msg=audit(1749094650.708:73672): arch=c000003e syscall=41 success=yes exit=215 a0=2 a1=1 a2=0 a3=627c24bfe383 items=0 ppid=1238 pid=1831 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty1 ses=1 comm=536F636B657420546872656164 exe="/usr/lib/firefox-esr/firefox-esr" subj=unconfined key="network_socket_created"ARCH=x86_64 SYSCALL=socket AUID="wj" UID="wj" GID="wj" EUID="wj" SUID="wj" FSUID="wj" EGID="wj" SGID="wj" FSGID="wj"