Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
AUDITDISTD.CONF(5)	    BSD	File Formats Manual	    AUDITDISTD.CONF(5)

NAME
     auditdistd.conf --	configuration file for the auditdistd(8) daemon.

DESCRIPTION
     Note: the configuration file may contain passwords.  Care should be taken
     to	configure proper permissions for this file (e.g., 0600).

     Every line	starting with #	gets treated as	a comment and is ignored.

CONFIGURATION FILE SYNTAX
     The general syntax	of the auditdistd.conf file is as follows:

     ##	Global section.

     # Our name.
     # The default is the first	part of	the hostname.
     name "<name>"

     # Connection timeout.
     # The default is 5.
     timeout <seconds>

     # Path to pidfile.
     # The default is "/var/run/auditdistd.pid".
     pidfile "<path>"

     sender {
	     ##	Sender section.

	     # Source address for connections.
	     # Optional.
	     source "<addr>"

	     # Directory with audit trail files	managed	by auditdistd.
	     # The default is /var/audit/dist.
	     directory "<dir>"

	     # Configuration for the target system we want to send audit trail
	     # files to.
	     host "<name>" {
		     # Source address for connections.
		     # Optional.
		     source "<addr>"

		     # Address of the auditdistd receiver.
		     # No default. Obligatory.
		     remote "<addr>"

		     # Directory with audit trail files	managed	by auditdistd.
		     # The default is /var/audit/dist.
		     directory "<dir>"

		     # Fingerprint of the receiver's public key	when using TLS
		     # for connections.
		     # Example fingerprint:
		     # SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30:14:D7:F9:AA:8B:3E:73:CD:F5:76:2B
		     fingerprint "<algorithm=hash>"

		     # Password	used to	authenticate in	front of the receiver.
		     password "<password>"
	     }

	     # Currently local audit trail files can be	sent only to one remote
	     # auditdistd receiver, but	this can change	in the future.
     }

     receiver {
	     ##	Receiver section.

	     # Address to listen on. Multiple listen addresses may be specified.
	     # The defaults are	"tcp4://0.0.0.0:7878" and "tcp6://[::]:7878".
	     listen "<addr>"

	     # Base directory.
	     # If the directory	in the host section is not absolute, it	will be
	     # concatenated with this base directory.
	     # The default is "/var/audit/remote".
	     directory "<basedir>"

	     # Path to the receiver's certificate file.
	     # The default is "/etc/security/auditdistd.cert.pem".
	     certfile "<path>"

	     # Path to the receiver's private key file.
	     # The default is "/etc/security/auditdistd.key.pem".
	     keyfile "<path>"

	     # Configuration for a source system we want to receive audit trail
	     # files from.
	     host "<name>" {
		     # Sender address.
		     # No default. Obligatory.
		     remote "<addr>"

		     # Directory where to store	audit trail files received
		     # from system <name>.
		     # The default is "<basedir>/<name>".
		     directory "<dir>"

		     # Password	used by	the sender to authenticate.
		     password "<password>"
	     }

	     # Multiple	hosts to receive from can be configured.
     }

     Most of the various available configuration parameters are	optional.  If
     a parameter is not	defined	in the particular section, it will be inher-
     ited from the parent section if possible.	For example, if	the source pa-
     rameter is	not defined in the host	section, it will be inherited from the
     sender section.  In case the global section does not define the source
     parameter at all, the default value will be used.

CONFIGURATION OPTION DESCRIPTION
     The following statements are available:

     name <name>

	   This	host's name.  It is sent to the	receiver, so it	can properly
	   recognize us	if there are multiple senders coming from the same IP
	   address.

     timeout <seconds>

	   Connection timeout in seconds.  The default value is	5.

     pidfile <path>

	   File	in which to store the process ID of the	main auditdistd(8)
	   process.

	   The default value is	/var/run/auditdistd.pid.

     source <addr>

	   Local address to bind to before connecting to the remote auditdistd
	   daemon.  The	format is the same as for the listen statement.

     directory <path>

	   The directory where to look for audit trail files in	case of	sender
	   mode, or the	directory where	to store received audit	trail files.
	   The provided	path has to be an absolute path.  The only exception
	   is when the directory is provided in	the receiver section; then the
	   path	provided in the	host subsections can be	relative to the	direc-
	   tory	in the receiver	section.  The default value is /var/audit/dist
	   for the entire sender section, /var/audit/remote for	the non-host
	   receiver section and	/var/audit/remote/_name_ for the host subsec-
	   tions in the	receiver section where <name> is the host's name.

     remote <addr>

	   Address of the remote auditdistd daemon.  The format	is the same as
	   for the listen statement.  When operating in	sender mode this ad-
	   dress will be used to connect to the	receiver.  When	operating in
	   receiver mode only connections from this address will be accepted.

     listen <addr>

	   Address to listen on	in form	of:

		 protocol://protocol-specific-address

	   Each	of the following examples defines the same listen address:

		 0.0.0.0
		 0.0.0.0:7878
		 tcp://0.0.0.0
		 tcp://0.0.0.0:7878
		 tcp4://0.0.0.0
		 tcp4://0.0.0.0:7878

	   Multiple listen addresses can be specified.	By default auditdistd
	   listens on tcp4://0.0.0.0:7878 and tcp6://[::]:7878,	if the kernel
	   supports IPv4 and IPv6 respectively.

     keyfile <path>

	   Path	to a file that contains	the private key	for TLS	communication.

     certfile <path>

	   Path	to a file that contains	the certificate	for TLS	communication.

     fingerprint <algo=hash>

	   Fingerprint of the receiver's public	key.  Currently	only the
	   SHA256 algorithm is supported.  The certificate public key's	fin-
	   gerprint ready to be	pasted into the	auditdistd configuration file
	   can be obtained by running:

	   # openssl x509 -in /etc/security/auditdistd.cert.pem	-noout -fingerprint -sha256 | awk -F '[	=]' '{printf("%s=%s\n",	$1, $3)}'

     password <password>

	   Password used to authenticate the sender in front of	the receiver.

FILES
     /etc/security/auditdistd.conf  The	default	auditdistd configuration file.

EXAMPLES
     The example configuration files can look as follows.

     Web server:

	   sender {
		   host	backup {
			   remote 10.0.0.4
		   }
	   }

     Audit backup server:

	   receiver {
		   host	webserv	{
			   remote 10.0.0.1
		   }
		   host	mailserv {
			   remote 10.0.0.2
		   }
		   host	dnsserv	{
			   remote 10.0.0.3
		   }
	   }

SEE ALSO
     audit(4), auditdistd(8)

AUTHORS
     The auditdistd daemon was developed by Pawel Jakub	Dawidek
     <pawel@dawidek.net> under sponsorship of the FreeBSD Foundation.

BSD				 July 1, 2015				   BSD

NAME | DESCRIPTION | CONFIGURATION FILE SYNTAX | CONFIGURATION OPTION DESCRIPTION | FILES | EXAMPLES | SEE ALSO | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=auditdistd.conf&sektion=5&manpath=FreeBSD+12.0-RELEASE+and+Ports>

home | help