Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

auditd

Rating
0 votes
Favoured:
0
Current Version
1.0
Compatible With
  • Nagios 3.x
  • Nagios 4.x
  • Nagios XI
Owner
License
GPL
Hits
349
Files:
FileDescription
check_auditdcheck_auditd
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Nagios plugin for monitoring auditd status and logged events.
This plugin uses ausearch, aureport to parse the auditd daemon logs and auditctl for daemon status.
Can be invoked as so:

./check_auditd --failedlogins 3,5 --anomalyevents 1,2 --events 280,300

OK - events=53 users=2 terminals=2 hostnames=1 executables=1 processIDs=11 rules=33 pid=621|
events=53;280;300; changesinconfiguration=0; changestoaccountsgroupsorroles=0; logins=0; failedlogins=0;3;5; authentications=0; failedauthentications=0; users=2; terminals=2; hostnames=1; executables=1; commands=0; files=0; AVCs=0; MACevents=0; failedsyscalls=0; anomalyevents=0;1;2; responsestoanomalyevents=0; cryptoevents=0; integrityevents=0; virtevents=0; keys=0; processIDs=11; rules=33; pid=621; lost=0; backlog=0;
nagios plugin for monitoring auditd status and logged events

bash-4.2$ ./check_auditd --failedlogins 3,5 --anomalyevents 1,2 --events 280,300

OK - events=53 users=2 terminals=2 hostnames=1 executables=1 processIDs=11 rules=33 pid=621|
events=53;280;300; changesinconfiguration=0; changestoaccountsgroupsorroles=0; logins=0; failedlogins=0;3;5; authentications=0; failedauthentications=0; users=2; terminals=2; hostnames=1; executables=1; commands=0; files=0; AVCs=0; MACevents=0; failedsyscalls=0; anomalyevents=0;1;2; responsestoanomalyevents=0; cryptoevents=0; integrityevents=0; virtevents=0; keys=0; processIDs=11; rules=33; pid=621; lost=0; backlog=0;

This plugin uses ausearch, aureport to parse the auditd daemon logs and auditctl for daemon status.
nagios service configuration
service config if using check_by_ssh

ausearch has a feature that requires it to be started as a coproc over ssh, therefore the ampersand after check_auditd

define service {
service_description auditd
check_command check_by_ssh!/usr/bin/sudo $USER1$/check_auditd -v -a '--failed' &!
check_interval 10
register 1
}

service config if using check_nrpe

define service {
service_description auditd
check_command check_nrpe!/usr/bin/sudo $USER1$/check_auditd -v -a '--failed'!
check_interval 10
register 1
}

sudoers setup

Add following to /etc/sudoers or /etc/sudoers.d/nagios

nagios ALL=(root:ALL) NOPASSWD:/usr/lib64/nagios/plugins/check_auditd