AUDITDISTD.CONF(5) FreeBSD File Formats Manual AUDITDISTD.CONF(5)
NAME
auditdistd.conf - configuration file for the auditdistd(8) daemon.
DESCRIPTION
Note: the configuration file may contain passwords. Care should be taken
to configure proper permissions for this file (e.g., 0600).
Every line starting with # gets treated as a comment and is ignored.
CONFIGURATION FILE SYNTAX
The general syntax of the auditdistd.conf file is as follows:
## Global section.
# Our name.
# The default is the first part of the hostname.
name "<name>"
# Connection timeout.
# The default is 5.
timeout <seconds>
# Path to pidfile.
# The default is "/var/run/auditdistd.pid".
pidfile "<path>"
sender {
## Sender section.
# Source address for connections.
# Optional.
source "<addr>"
# Directory with audit trail files managed by auditdistd.
# The default is /var/audit/dist.
directory "<dir>"
# Configuration for the target system we want to send audit trail
# files to.
host "<name>" {
# Source address for connections.
# Optional.
source "<addr>"
# Address of the auditdistd receiver.
# No default. Obligatory.
remote "<addr>"
# Directory with audit trail files managed by auditdistd.
# The default is /var/audit/dist.
directory "<dir>"
# Fingerprint of the receiver's public key when using TLS
# for connections.
# Example fingerprint:
# SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30:14:D7:F9:AA:8B:3E:73:CD:F5:76:2B
fingerprint "<algorithm=hash>"
# Password used to authenticate in front of the receiver.
password "<password>"
}
# Currently local audit trail files can be sent only to one remote
# auditdistd receiver, but this can change in the future.
}
receiver {
## Receiver section.
# Address to listen on. Multiple listen addresses may be specified.
# The defaults are "tcp4://0.0.0.0:7878" and "tcp6://[::]:7878".
listen "<addr>"
# Base directory.
# If the directory in the host section is not absolute, it will be
# concatenated with this base directory.
# The default is "/var/audit/remote".
directory "<basedir>"
# Path to the receiver's certificate file.
# The default is "/etc/security/auditdistd.cert.pem".
certfile "<path>"
# Path to the receiver's private key file.
# The default is "/etc/security/auditdistd.key.pem".
keyfile "<path>"
# Configuration for a source system we want to receive audit trail
# files from.
host "<name>" {
# Sender address.
# No default. Obligatory.
remote "<addr>"
# Directory where to store audit trail files received
# from system <name>.
# The default is "<basedir>/<name>".
directory "<dir>"
# Password used by the sender to authenticate.
password "<password>"
}
# Multiple hosts to receive from can be configured.
}
Most of the various available configuration parameters are optional. If
a parameter is not defined in the particular section, it will be
inherited from the parent section if possible. For example, if the
source parameter is not defined in the host section, it will be inherited
from the sender section. In case the global section does not define the
source parameter at all, the default value will be used.
CONFIGURATION OPTION DESCRIPTION
The following statements are available:
name <name>
This host's name. It is sent to the receiver, so it can
properly recognize us if there are multiple senders coming from
the same IP address.
timeout <seconds>
Connection timeout in seconds. The default value is 5.
pidfile <path>
File in which to store the process ID of the main auditdistd(8)
process.
The default value is /var/run/auditdistd.pid.
source <addr>
Local address to bind to before connecting to the remote
auditdistd daemon. The format is the same as for the listen
statement.
directory <path>
The directory where to look for audit trail files in case of
sender mode, or the directory where to store received audit
trail files. The provided path has to be an absolute path.
The only exception is when the directory is provided in the
receiver section; then the path provided in the host
subsections can be relative to the directory in the receiver
section. The default value is /var/audit/dist for the entire
sender section, /var/audit/remote for the non-host receiver
section and /var/audit/remote/<name> for the host subsections
in the receiver section where <name> is the host's name.
remote <addr>
Address of the remote auditdistd daemon. The format is the
same as for the listen statement. When operating in sender
mode this address will be used to connect to the receiver.
When operating in receiver mode only connections from this
address will be accepted.
listen <addr>
Address to listen on in form of:
protocol://protocol-specific-address
Each of the following examples defines the same listen address:
0.0.0.0
0.0.0.0:7878
tcp://0.0.0.0
tcp://0.0.0.0:7878
tcp4://0.0.0.0
tcp4://0.0.0.0:7878
Multiple listen addresses can be specified. By default
auditdistd listens on tcp4://0.0.0.0:7878 and tcp6://[::]:7878,
if the kernel supports IPv4 and IPv6 respectively.
keyfile <path>
Path to a file that contains the private key for TLS
communication.
certfile <path>
Path to a file that contains the certificate for TLS
communication.
fingerprint <algo=hash>
Fingerprint of the receiver's public key. Currently only the
SHA256 algorithm is supported. The certificate public key's
fingerprint ready to be pasted into the auditdistd
configuration file can be obtained by running:
# openssl x509 -in /etc/security/auditdistd.cert.pem -noout -fingerprint -sha256 | awk -F '[ =]' '{printf("%s=%s\n", $1, $3)}'
password <password>
Password used to authenticate the sender in front of the
receiver.
FILES
/etc/security/auditdistd.conf The default auditdistd configuration
file.
EXAMPLES
The example configuration files can look as follows.
Web server:
sender {
host backup {
remote 10.0.0.4
}
}
Audit backup server:
receiver {
host webserv {
remote 10.0.0.1
}
host mailserv {
remote 10.0.0.2
}
host dnsserv {
remote 10.0.0.3
}
}
SEE ALSO
audit(4), auditdistd(8)
AUTHORS
The auditdistd daemon was developed by Pawel Jakub Dawidek
<pawel@dawidek.net> under sponsorship of the FreeBSD Foundation.
FreeBSD 13.1-RELEASE-p6 July 1, 2015 FreeBSD 13.1-RELEASE-p6
man2web Home...