    audisp-remote.conf

    
    
    

    DESCRIPTION

           audisp-remote.conf  is  the file that controls the configuration of the
           audit remote logging subsystem. The options that are available  are  as
           follows:
    
           remote_server
                  This  is  a  one word character string that is the remote server
                  hostname or address that this daemon will send  log  information
                  to. This can be the numeric address or a resolvable hostname.
    
           port   This  option  is an unsigned integer that indicates what port to
                  connect to on the remote machine.
    
           local_port
                  This option is an unsigned integer that indicates what local
                  port to connect from on the local machine. If unspecified (the
                  default) or set to the word any, then any available unprivileged
                  port is used. Setting this option is a security mechanism to
                  prevent untrusted user space apps from injecting events into the
                  audit daemon. You should set it to an unused port < 1024 to
                  ensure that only privileged users can bind to that port. Then
                  also set tcp_client_ports in the aggregating auditd.conf file to
                  match the ports that clients are sending from.
    
           transport
                  This parameter tells the remote logging app how to send events
                  to the remote system. The only valid value right now is tcp. If
                  set to tcp, the remote logging app will just make a normal clear
                  text connection to the remote system. This is not used if
                  Kerberos is enabled.
    
           mode   This parameter tells the remote logging app what strategy to use
                  for getting records to the remote system. Valid values are
                  immediate and forward. If set to immediate, the remote logging
                  app will attempt to send events immediately after getting them.
                  forward, which is not implemented yet, means that it will store
                  the events to disk and then attempt to send the records. If the
                  connection cannot be made, it will queue records until it can
                  connect to the remote system. The depth of the queue is
                  controlled by the queue_depth option.
    
           queue_depth
                  This option is an unsigned integer that determines how many
                  records can be buffered to disk or in memory before considering
                  it to be a failure sending. This parameter affects the forward
                  mode of the mode option and internal queueing for temporary
                  network outages. The default depth is 200.
    
           format This parameter tells the remote logging  app  what  data  format
                  will  be  used  for  the  messages  sent  over the network.  The
                  default is managed which adds some overhead to ensure each  mes-
                  cessful  delivery  requires  at  least  one  try.   If  too many
                  attempts are made, the network_failure_action action is
                  performed. The default is 3.
    
           max_time_per_record
                  The  maximum  amount  of  time,  in seconds, spent attempting to
                  deliver   each   message.    Note    that    both    this    and
                  max_tries_per_record  should be set, as each try may take a long
                  time to time out.  The default value is 5 seconds.  If too  much
                  time  is used on a message, the network_failure_action action is
                  performed.
    
           heartbeat_timeout
                  This parameter determines how often, in seconds, the client
                  should send a heartbeat event to the remote server. This is used
                  to let both the client and server know that each end is alive
                  and has not terminated without shutting down the connection
                  cleanly. This value must be coordinated with the server's
                  tcp_client_max_idle setting. The default value is 0, which
                  disables sending a heartbeat.
    
           network_failure_action
                  This parameter tells the system what action to take whenever
                  an error is detected when sending audit events to the remote
                  system. Valid values are ignore, syslog, exec, suspend, single,
                  halt, and stop. If set to ignore, the audit daemon does
                  nothing. syslog means that it will issue a warning to syslog.
                  This is the default. exec /path-to-script will execute the
                  script. You cannot pass parameters to the script. suspend will
                  cause the remote logging app to stop sending records to the
                  remote system. The logging app will still be alive. The single
                  option will cause the remote logging app to put the computer
                  system in single user mode. The stop option will cause the
                  remote logging app to exit, but leave other plugins running. The
                  halt option will cause the remote logging app to shut down the
                  computer system.
    
           disk_low_action
                  Likewise, this parameter tells the system what action to take if
                  the remote end signals a disk low  error.   The  default  is  to
                  ignore it.
    
           disk_full_action
                  Likewise, this parameter tells the system what action to take if
                  the remote end signals a disk full error.   The  default  is  to
                  ignore it.
    
           disk_error_action
                  Likewise, this parameter tells the system what action to take if
                  the remote end signals a disk error.  The default is to  log  it
                  to syslog.
    
                  Likewise, this parameter tells the system what action to take if
                  the  remote  end  signals  a  warning  we  don't recognize.  The
                  default is to log it to syslog.
    
           enable_krb5
                  If set to "yes", Kerberos 5 will be used for authentication  and
                  encryption.   Default is "no".  Note that encryption can only be
                  used with managed connections, not plain ASCII.
    
           krb5_principal
                  If specified, this is the expected principal for the server.
                  The client and server will use the specified principal to
                  negotiate the encryption. The format for the krb5_principal is
                  like somename/hostname; see the auditd.conf man page for
                  details. If not specified, the krb5_client_name and
                  remote_server values are used.
    
           krb5_client_name
                  This specifies the name portion of the client's own principal.
                  If unspecified, the default is "auditd". The remainder of the
                  principal will consist of the host's fully qualified domain name
                  and the default Kerberos realm, like this:
                  auditd/host14.example.com@EXAMPLE.COM (assuming you gave
                  "auditd" as the krb5_client_name). Note that the client and
                  server must have the same principal name and realm.
    
           krb5_key_file
                  Location  of the key for this client's principal.  Note that the
                  key file must be owned by root and mode 0400.   The  default  is
                  /etc/audisp/audisp-remote.key
    
    
    

    NOTES

           Specifying a local port may make it difficult to restart the audit sub-
           system due to the previous connection being in a  TIME_WAIT  state,  if
           you're reconnecting to and from the same hosts and ports as before.
    
           The  network  failure  logic  works  as  follows:  The first attempt to
           deliver normally "just works".  If it  doesn't,  a  second  attempt  is
           immediately  made,  perhaps  after  reconnecting to the server.  If the
           second attempt also fails, audisp-remote pauses for the configured
           time and tries again.  It continues to pause and retry until either too
           many attempts have been made or the allowed time  expires.   Note  that
           these  times  govern  the  maximum  amount of time the remote server is
           allowed in order to reboot, if you want to maintain  logging  across  a
           reboot.
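
           The following is an added example, not part of the original man
           page or the audit project's code: a small Python check that reads
           an audisp-remote.conf and reports the security-relevant defaults
           described above (unprivileged local_port, clear text tcp without
           Kerberos, ignored network failures, disabled heartbeat). The sample
           files, host name and port numbers are constructed, and the
           "key = value" parsing with "#" comments is an assumption.

```python
# Constructed sample that relies on the weak settings the man page describes.
WEAK_CONF = """\
# constructed example, not a shipped default file
remote_server = logs.example.com
port = 60
local_port = any
network_failure_action = ignore
heartbeat_timeout = 0
enable_krb5 = no
"""

# Constructed sample with each of those settings tightened.
HARDENED_CONF = """\
remote_server = logs.example.com
port = 60
local_port = 61
network_failure_action = syslog
heartbeat_timeout = 30
enable_krb5 = yes
krb5_principal = auditd/logs.example.com
"""

def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment (assumed syntax)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def audit_conf(text):
    """Return findings; missing keys fall back to the documented defaults."""
    o = parse_conf(text)
    findings = []
    lp = o.get("local_port", "any")
    if not lp.isdigit() or not 0 < int(lp) < 1024:
        findings.append("local_port: source port is not a privileged port (< 1024)")
    if o.get("enable_krb5", "no").lower() != "yes":
        findings.append("enable_krb5: off, events travel over a clear text tcp connection")
    if o.get("network_failure_action", "syslog").lower() == "ignore":
        findings.append("network_failure_action: ignore, send errors raise no warning")
    if o.get("heartbeat_timeout", "0") == "0":
        findings.append("heartbeat_timeout: 0 disables heartbeats to the remote server")
    return findings
```

           Calling audit_conf() on the text of a deployed file returns one
           line per finding; an empty list means none of these four checks
           fired.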
    
    
    

    SEE ALSO

           audispd(8), audisp-remote(8), auditd.conf(5).
    
    
webmaster@linuxguruz.com
Copyright © 1999 - 2016 by LinuxGuruz