Configure auditd to use audispd's syslog plugin

Classification:

compliance

Description

To make the auditd service hand its records to the syslog plug-in of the audispd audit event multiplexor, set the active key in /etc/audit/plugins.d/syslog.conf to yes (the file is shipped with the plug-in disabled, active = no). Then restart the auditd service so the plug-in is loaded:

$ sudo service auditd restart

Use service rather than systemctl restart auditd here: the auditd unit is marked RefuseManualStop, so systemctl declines to stop it and the restart does not take effect. Once the plug-in is active every audit record is also written to syslog, so size the syslog daemon's log rotation (and any message rate limiting) for the extra volume.

Rationale

The auditd service has no built-in way to send audit records directly to a centralized server for management. It does, however, ship with a plug-in for the audit event multiplexor (audispd) that passes each audit record to the local syslog daemon, which can then forward the records off-host using its usual mechanisms.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

var_syslog_active="yes"

AUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf

# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "$AUDISP_SYSLOGCONFIG"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^active")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_syslog_active"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^active\\>" "$AUDISP_SYSLOGCONFIG"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^active\\>.*/$escaped_formatted_output/gi" "$AUDISP_SYSLOGCONFIG"
else
    # \n is precaution for case where file ends without trailing newline
    printf '%s\n' "$formatted_output" >> "$AUDISP_SYSLOGCONFIG"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
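
The script above changes the setting but gives no way to confirm it. The following bash is an added example, not part of the original rule or its ComplianceAsCode remediation: it implements the check an assessor would run (every uncommented active key must read yes, a commented-out line must not count, and a leftover duplicate active = no must fail), applies the same fix in condensed form, and exercises both against a constructed copy of the stock syslog.conf. The function names syslog_plugin_active, enable_syslog_plugin and make_sample_conf are this example's own, and GNU sed -i is assumed.

```bash
#!/bin/bash
# Added example: verify that the audispd syslog plug-in is enabled, and
# demonstrate the rule's remediation against a constructed sample config.
# Function names are this example's own, not part of audit or ComplianceAsCode.

# Return 0 when every uncommented "active" key in the plug-in config is "yes"
# (key and value compared case-insensitively, whitespace ignored) and at least
# one such key exists; return 1 otherwise. A commented-out "# active = yes"
# does not count, and a duplicate "active = no" left by a hand edit fails.
syslog_plugin_active() {
    local cfg="${1:-/etc/audit/plugins.d/syslog.conf}"
    [[ -r "$cfg" ]] || return 1
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        index($0, "=") == 0 { next }                     # not a key = value line
        {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); gsub(/[[:space:]]/, "", key)
            val = tolower(substr($0, eq + 1));    sub(/#.*/, "", val)
            gsub(/[[:space:]]/, "", val)
            if (key == "active") { seen++; if (val == "yes") ok++ }
        }
        END { if (seen > 0 && seen == ok) exit 0; exit 1 }
    ' "$cfg"
}

# Apply the rule: rewrite every existing "active" line to "active = yes", or
# append one when the key is absent (the remediation above, condensed).
enable_syslog_plugin() {
    local cfg="$1"
    if LC_ALL=C grep -qi '^[[:space:]]*active[[:space:]]*=' "$cfg"; then
        sed -i 's/^[[:space:]]*[Aa][Cc][Tt][Ii][Vv][Ee][[:space:]]*=.*/active = yes/' "$cfg"
    else
        printf '%s\n' 'active = yes' >> "$cfg"
    fi
}

# Constructed sample modelled on the syslog.conf that audit ships with the
# plug-in disabled; written to a temp file whose path is printed.
make_sample_conf() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the configuration of the syslog plugin.
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF
    printf '%s\n' "$f"
}

# Demo when run as a script: check, remediate, re-check on the sample.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    conf=$(make_sample_conf)
    syslog_plugin_active "$conf" && echo "before: active" || echo "before: inactive"
    enable_syslog_plugin "$conf"
    syslog_plugin_active "$conf" && echo "after: active" || echo "after: inactive"
    rm -f "$conf"
fi
```

Run it without arguments to see the before/after result on the sample; point syslog_plugin_active at the real /etc/audit/plugins.d/syslog.conf (the default when no path is given) to audit a host. The check deliberately fails on duplicate keys rather than picking one, because a file with both active = yes and active = no is a misconfiguration worth surfacing regardless of which line audispd honours.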

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1
  - NIST-800-53-AU-4(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.3
  - auditd_audispd_syslog_plugin_activated
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: enable syslog plugin
  lineinfile:
    dest: /etc/audit/plugins.d/syslog.conf
    regexp: ^active
    line: active = yes
    create: true
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.4.1.1
  - NIST-800-171-3.3.1
  - NIST-800-53-AU-4(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.3
  - auditd_audispd_syslog_plugin_activated
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed