Build precise queries to find exactly what you need
Press ESC to close
Your review has been submitted and is pending approval.
Nagios plugin for monitoring auditd status and logged events. This plugin uses ausearch, aureport to parse the auditd daemon logs and auditctl for daemon status. Can be invoked as so: ./check_auditd --failedlogins 3,5 --anomalyevents 1,2 --events 280,300 OK - events=53 users=2 terminals=2 hostnames=1 executables=1 processIDs=11 rules=33 pid=621| events=53;280;300; changesinconfiguration=0; changestoaccountsgroupsorroles=0; logins=0; failedlogins=0;3;5; authentications=0; failedauthentications=0; users=2; terminals=2; hostnames=1; executables=1; commands=0; files=0; AVCs=0; MACevents=0; failedsyscalls=0; anomalyevents=0;1;2; responsestoanomalyevents=0; cryptoevents=0; integrityevents=0; virtevents=0; keys=0; processIDs=11; rules=33; pid=621; lost=0; backlog=0;
Current Version
1.0
Last Release Date
June 1, 2021
Owner
Henrik Lindgren
Website
https://github.com/HeLiBloks/check_auditd
Download URL
https://raw.githubusercontent.com/HeLiBloks/check_auditd/main/check_auditd
License
GPL
Compatible With
nagios plugin for monitoring auditd status and logged events
bash-4.2$ ./check_auditd --failedlogins 3,5 --anomalyevents 1,2 --events 280,300
OK - events=53 users=2 terminals=2 hostnames=1 executables=1 processIDs=11 rules=33 pid=621| events=53;280;300; changesinconfiguration=0; changestoaccountsgroupsorroles=0; logins=0; failedlogins=0;3;5; authentications=0; failedauthentications=0; users=2; terminals=2; hostnames=1; executables=1; commands=0; files=0; AVCs=0; MACevents=0; failedsyscalls=0; anomalyevents=0;1;2; responsestoanomalyevents=0; cryptoevents=0; integrityevents=0; virtevents=0; keys=0; processIDs=11; rules=33; pid=621; lost=0; backlog=0;
This plugin uses ausearch, aureport to parse the auditd daemon logs and auditctl for daemon status. nagios service configuration service config if using check_by_ssh
ausearch has a feature that requires it to be started as a coproc over ssh, therefore the ampersand after check_auditd
define service { service_description auditd check_command check_by_ssh!/usr/bin/sudo $USER1$/check_auditd -v -a '--failed' &! check_interval 10 register 1 }
service config if using check_nrpe
define service { service_description auditd check_command check_nrpe!/usr/bin/sudo $USER1$/check_auditd -v -a '--failed'! check_interval 10 register 1 }
sudoers setup
Add following to /etc/sudoers or /etc/sudoers.d/nagios
nagios ALL=(root:ALL) NOPASSWD:/usr/lib64/nagios/plugins/check_auditd
You must be logged in to submit a review.
To:
From: