AUDITDISTD.CONF(5)	      File Formats Manual	    AUDITDISTD.CONF(5)

NAME
       auditdistd.conf -- configuration	file for the auditdistd(8) daemon.

DESCRIPTION
       Note:  the  configuration  file	may contain passwords.	Care should be
       taken to	configure proper permissions for this file (e.g., 0600).

       Every line starting with	# gets treated as a comment and	is ignored.

CONFIGURATION FILE SYNTAX
       The general syntax of the auditdistd.conf file is as follows:

       ## Global section.

       # Our name.
       # The default is	the first part of the hostname.
       name "<name>"

       # Connection timeout.
       # The default is	5.
       timeout <seconds>

       # Path to pidfile.
       # The default is	"/var/run/auditdistd.pid".
       pidfile "<path>"

       sender {
	       ## Sender section.

	       # Source	address	for connections.
	       # Optional.
	       source "<addr>"

	       # Directory with	audit trail files managed by auditdistd.
	       # The default is	/var/audit/dist.
	       directory "<dir>"

	       # Configuration for the target system we	want to	send audit trail
	       # files to.
	       host "<name>" {
		       # Source	address	for connections.
		       # Optional.
		       source "<addr>"

		       # Address of the	auditdistd receiver.
		       # No default. Obligatory.
		       remote "<addr>"

		       # Directory with	audit trail files managed by auditdistd.
		       # The default is	/var/audit/dist.
		       directory "<dir>"

		       # Fingerprint of	the receiver's public key when using TLS
		       # for connections.
		       # Example fingerprint:
		       # SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30:14:D7:F9:AA:8B:3E:73:CD:F5:76:2B
		       fingerprint "<algorithm=hash>"

		       # Password used to authenticate in front	of the receiver.
		       password	"<password>"
	       }

	       # Currently local audit trail files can be sent only to one remote
	       # auditdistd receiver, but this can change in the future.
       }

       receiver	{
	       ## Receiver section.

	       # Address to listen on. Multiple	listen addresses may be	specified.
	       # The defaults are "tcp4://0.0.0.0:7878"	and "tcp6://[::]:7878".
	       listen "<addr>"

	       # Base directory.
	       # If the	directory in the host section is not absolute, it will be
	       # concatenated with this	base directory.
	       # The default is	"/var/audit/remote".
	       directory "<basedir>"

	       # Path to the receiver's	certificate file.
	       # The default is	"/etc/security/auditdistd.cert.pem".
	       certfile	"<path>"

	       # Path to the receiver's	private	key file.
	       # The default is	"/etc/security/auditdistd.key.pem".
	       keyfile "<path>"

	       # Configuration for a source system we want to receive audit trail
	       # files from.
	       host "<name>" {
		       # Sender	address.
		       # No default. Obligatory.
		       remote "<addr>"

		       # Directory where to store audit	trail files received
		       # from system <name>.
		       # The default is	"<basedir>/<name>".
		       directory "<dir>"

		       # Password used by the sender to	authenticate.
		       password	"<password>"
	       }

	       # Multiple hosts	to receive from	can be configured.
       }

       Most of the various available configuration parameters are optional.
       If a parameter is not defined in the particular section, it will be
       inherited from the parent section if possible.  For example, if the
       source parameter is not defined in the host section, it will be
       inherited from the sender section.  In case the global section does not
       define the source parameter at all, the default value will be used.

CONFIGURATION OPTION DESCRIPTION
       The following statements	are available:

       name <name>

	     This host's name.	It is sent to the receiver, so it can properly
	     recognize us if there are multiple	senders	coming from  the  same
	     IP	address.

       timeout <seconds>

	     Connection	timeout	in seconds.  The default value is 5.

       pidfile <path>

	     File  in  which to	store the process ID of	the main auditdistd(8)
	     process.

	     The default value is /var/run/auditdistd.pid.

       source <addr>

	     Local address to bind to before connecting to the remote auditdistd
	     daemon.  The format is the same as for the listen statement.

       directory <path>

	     The directory where to look for audit trail files in case of
	     sender mode, or the directory where to store received audit trail
	     files.  The provided path has to be an absolute path.  The only
	     exception is when the directory is provided in the receiver
	     section; then the path provided in the host subsections can be
	     relative to the directory in the receiver section.  The default
	     value is /var/audit/dist for the entire sender section,
	     /var/audit/remote for the non-host receiver section and
	     /var/audit/remote/<name> for the host subsections in the receiver
	     section where <name> is the host's name.

       remote <addr>

	     Address of the remote auditdistd daemon.  The format is the same
	     as for the listen statement.  When operating in sender mode this
	     address will be used to connect to the receiver.  When operating
	     in receiver mode only connections from this address will be
	     accepted.

       listen <addr>

	     Address to	listen on in form of:

		   protocol://protocol-specific-address

	     Each of the following examples defines the	same listen address:

		   0.0.0.0
		   0.0.0.0:7878
		   tcp://0.0.0.0
		   tcp://0.0.0.0:7878
		   tcp4://0.0.0.0
		   tcp4://0.0.0.0:7878

	     Multiple listen addresses can be specified.  By default auditdistd
	     listens on tcp4://0.0.0.0:7878 and tcp6://[::]:7878, if the kernel
	     supports IPv4 and IPv6 respectively.

       keyfile <path>

	     Path to a file that contains the private key for TLS communication.

       certfile	<path>

	     Path to a file that contains the certificate for TLS communication.

       fingerprint <algo=hash>

	     Fingerprint of the receiver's public key.  Currently only the
	     SHA256 algorithm is supported.  The certificate public key's
	     fingerprint ready to be pasted into the auditdistd configuration
	     file can be obtained by running:

	     # openssl x509 -in	/etc/security/auditdistd.cert.pem -noout -fingerprint -sha256 |	awk -F '[ =]' '{printf("%s=%s\n", $1, $3)}'

       password	<password>

	     Password used to authenticate the sender in front of the receiver.

FILES
       /etc/security/auditdistd.conf  The  default  auditdistd	 configuration
				      file.

EXAMPLES
       The example configuration files can look	as follows.

       Web server:

	     sender {
		     host backup {
			     remote 10.0.0.4
		     }
	     }

       Audit backup server:

	     receiver {
		     host webserv {
			     remote 10.0.0.1
		     }
		     host mailserv {
			     remote 10.0.0.2
		     }
		     host dnsserv {
			     remote 10.0.0.3
		     }
	     }
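       The following Python example is added here and is not part of this
       manual or of auditdistd itself.  It parses configurations written in
       the syntax above, resolves a parameter the way the inheritance rule
       describes (host, then section, then global, then built-in default),
       joins a relative receiver host directory to the base directory, and
       expands the equivalent listen address forms to one canonical spelling.
       The sample configuration, the function names and the simplified
       tokenizer (a # anywhere on a line starts a comment, even inside a
       quoted value) are the example's own assumptions.

```python
import re
DEFAULTS = {"sender": {"directory": "/var/audit/dist"}, "receiver": {"directory": "/var/audit/remote"}}

def normalize_addr(addr, port=7878):
    """Expand the short listen forms to protocol://host:port; bare tcp picks the family."""
    m = re.fullmatch(r"(?:(tcp4?|tcp6)://)?(\[[^\]]+\]|[^:\[\]]+)(?::(\d+))?", addr)
    if m is None:
        raise ValueError(f"bad address: {addr}")
    proto, host, p = m.groups()
    if proto in (None, "tcp"):
        proto = "tcp6" if host.startswith("[") else "tcp4"
    return f"{proto}://{host}:{p or port}"

def parse(text):
    """Parse `key value`, `section { ... }` and `host "name" { ... }`; # starts a comment."""
    toks, pos = ["{"] + re.findall(r'"[^"]*"|[{}]|[^\s{}"]+', re.sub(r"#.*", "", text)) + ["}"], 0
    def block():                                    # toks[pos] is the opening brace
        nonlocal pos
        node, pos = {}, pos + 1
        while toks[pos] != "}":
            key, pos = toks[pos], pos + 1
            if key == "host":                       # host "<name>" { ... }
                name, pos = toks[pos].strip('"'), pos + 1
                node.setdefault("host", {})[name] = block()
            elif toks[pos] == "{":                  # sender { ... } / receiver { ... }
                node[key] = block()
            else:                                   # key "value"; lists keep repeated listen lines
                node.setdefault(key, []).append(toks[pos].strip('"'))
                pos += 1
        pos += 1                                    # step past the closing brace
        return node
    return block()

def effective(conf, section, host, key):
    """Resolve key as the manual describes: host, then section, then global, then default."""
    for scope in (conf[section]["host"][host], conf[section], conf):
        if key in scope:
            return scope[key][-1]
    return DEFAULTS[section].get(key)

def receiver_dir(conf, host):
    """Receiver host directory: absolute as given, else <basedir>/<dir>; default <basedir>/<name>."""
    base = conf["receiver"].get("directory", [DEFAULTS["receiver"]["directory"]])[-1]
    d = conf["receiver"]["host"][host].get("directory", [host])[-1]
    return d if d.startswith("/") else f"{base}/{d}"

# Constructed sample (not from the manual): a box that sends its own trails and receives others'.
SAMPLE = """name "auditbox"  sender { source "10.0.0.4"  host backup { remote 10.0.0.5  password "s3cret" } }
receiver { listen "0.0.0.0"  listen "tcp6://[::]:7878"  host webserv { remote 10.0.0.1 }
           host mailserv { remote 10.0.0.2  directory "mail" } }"""
```

       With the sample above, effective(parse(SAMPLE), "sender", "backup",
       "source") yields the sender-level 10.0.0.4 and receiver_dir(...,
       "mailserv") yields /var/audit/remote/mail.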

SEE ALSO
       audit(4), auditdistd(8)

AUTHORS
       The   auditdistd	  daemon   was	 developed   by	 Pawel	Jakub  Dawidek
       <pawel@dawidek.net> under sponsorship of	the FreeBSD Foundation.

FreeBSD	15.0			 July 1, 2015		    AUDITDISTD.CONF(5)
