audisp-af_unix - Man Page

plugin to push audit events to an af_unix socket

Synopsis

audisp-af_unix [ OPTIONS ]

Description

audisp-af_unix is a plugin for the audit event dispatcher that sends audit events to an af_unix socket where other applications can read events. The args line of the af_unix.conf file expects three arguments: access mode, socket path, and output format. The access mode determines the permissions for the socket and defaults to 0640. The socket path specifies where the socket will be created, with the default location being /var/run/audispd_events. The output format determines the format in which events are delivered to the socket and supports two options: "string" and "binary". The "string" format delivers events in a human-readable form, while the "binary" format delivers events in their binary representation, which is essential for applications that need to process events in binary and reconstruct headers accurately. If the output format is not specified, the plugin defaults to the "string" format.

The af_unix.conf file must also include the line format = binary. This setting specifies the input format that the audisp-af_unix plugin expects from the audit event dispatcher. It ensures that the input delivered to the plugin is in binary format, enabling the plugin to reconstruct headers in their proper binary structure.

Files

/etc/audit/plugins/af_unix.conf /etc/audit/auditd.conf

See Also

auditd.conf(8), auditd-plugins(5).

Author

Steve Grubb

Info

Apr 2023 Red Hat System Administration Utilities