LinuxGuruz
  • Last 5 Forum Topics
    Replies
    Views
    Last post


The Web Only This Site
  • BOOKMARK

  • ADD TO FAVORITES

  • REFERENCES


  • MARC

    Mailing list ARChives
    - Search by -
     Subjects
     Authors
     Bodies





    FOLDOC

    Computing Dictionary




  • Text Link Ads






  • LINUX man pages
  • Linux Man Page Viewer


    The following form allows you to view linux man pages.

    Command:

    auditd.conf

    
    
    

    DESCRIPTION

           The file /etc/audit/auditd.conf contains configuration information spe-
           cific to the audit daemon.  It should contain one configuration keyword
           per line, an equal sign, and then followed by appropriate configuration
           information.  The  keywords  recognized  are:   log_file,   log_format,
           log_group,  priority_boost,  flush,  freq,  num_logs  , disp_qos , dis-
           patcher,  name_format  ,   name,   max_log_file,   max_log_file_action,
           space_left,   action_mail_acct,   space_left_action,  admin_space_left,
           admin_space_left_action, disk_full_action, disk_error_action,  tcp_lis-
           ten_port,      tcp_listen_queue,     tcp_max_per_addr,     use_libwrap,
           tcp_client_ports, tcp_client_max_idle, enable_krb5, krb5_principal, and
           krb5_key_file.  These keywords are described below.
    
           log_file
                  This  keyword specifies the full path name to the log file where
                  audit records will be stored. It must be a regular file.
    
           log_format
                  The log format describes how the information should be stored on
                  disk.  There  are  2 options: raw and nolog.  If set to RAW, the
                  audit records will be stored in a format exactly as  the  kernel
                  sends it. If this option is set to NOLOG then all audit informa-
                  tion is discarded instead of writing to disk. This mode does not
                  affect data sent to the audit event dispatcher.
    
           log_group
                  This  keyword  specifies  the  group  that is applied to the log
                  file's permissions. The default is root. The group name  can  be
                  either numeric or spelled out.
    
           priority_boost
                  This  is  a  non-negative number that tells the audit daemon how
                  much of a priority boost it should take. The default  is  4.  No
                  change is 0.
    
           flush  Valid  values are none, incremental, data,  and sync.  If set to
                  none, no special effort is made to flush the  audit  records  to
                  disk.  If set to incremental, Then the freq parameter is used to
                  determine how often an explicit flush to disk  is  issued.   The
                  data parameter tells the audit damon to keep the data portion of
                  the disk file sync'd at all times. The  sync  option  tells  the
                  audit  daemon  to  keep both the data and meta-data fully sync'd
                  with every write to disk.
    
           freq   This is a non-negative number that tells  the  audit  damon  how
                  many  records  to write before issuing an explicit flush to disk
                  command. this value is only valid when the flush keyword is  set
                  to incremental.
    
           num_logs
                  This keyword specifies the number of log files to keep if rotate
                  log_format  is not nolog.) Otherwise the auditd daemon will wait
                  for the queue to have an empty spot before logging to disk.  The
                  risk  is  that  while  the  daemon is waiting for network IO, an
                  event is not being recorded to disk. Valid values are: lossy and
                  lossless. Lossy is the default value.
    
           dispatcher
                  The  dispatcher is a program that is started by the audit daemon
                  when it starts up. It will pass a copy of all  audit  events  to
                  that  application's  stdin.  Make sure you trust the application
                  that you add to this line since it runs with root privileges.
    
           name_format
                  This option controls how computer node names are  inserted  into
                  the  audit  event  stream.  It  has the following choices: none,
                  hostname, fqd, numeric, and user.  None means that  no  computer
                  name  is  inserted  into  the audit event.  hostname is the name
                  returned by the gethostname syscall. The fqd means that it takes
                  the  hostname  and  resolves  it  with dns for a fully qualified
                  domain name of that machine.  Numeric is similar to  fqd  except
                  it  resolves  the  IP  address of the machine.  User is an admin
                  defined string from the name option. The default value is  none.
    
           name   This  is the admin defined string that identifies the machine if
                  user is given as the name_format option.
    
           max_log_file
                  This keyword specifies the maximum file size in megabytes.  When
                  this  limit  is  reached, it will trigger a configurable action.
                  The value given must be numeric.
    
           max_log_file_action
                  This parameter tells the system what action  to  take  when  the
                  system  has  detected  that  the  max  file  size limit has been
                  reached. Valid values are ignore, syslog,  suspend,  rotate  and
                  keep_logs.   If  set  to  ignore, the audit daemon does nothing.
                  syslog means that it will issue a warning  to  syslog.   suspend
                  will cause the audit daemon to stop writing records to the disk.
                  The daemon will still be alive. The rotate option will cause the
                  audit  daemon  to  rotate the logs. It should be noted that logs
                  with higher numbers are older than logs with lower numbers. This
                  is  the  same  convention  used  by  the  logrotate utility. The
                  keep_logs option is similar to rotate except it does not use the
                  num_logs  setting. This prevents audit logs from being overwrit-
                  ten.
    
           action_mail_acct
                  This option should contain a valid email address or  alias.  The
                  default  address  is  root. If the email address is not local to
                  the machine, you must make sure you have email properly  config-
                  ured  on  your  machine  and network. Also, this option requires
                  that /usr/lib/sendmail exists on the machine.
                  syslog.   exec /path-to-script will execute the script. You can-
                  not pass parameters to the script.  suspend will cause the audit
                  daemon  to  stop  writing  records  to the disk. The daemon will
                  still be alive. The single option will cause the audit daemon to
                  put  the  computer system in single user mode.  halt option will
                  cause the audit daemon to shutdown the computer system.
    
           admin_space_left
                  This is a numeric value in megabytes that tells the audit daemon
                  when to perform a configurable action because the system is run-
                  ning low on disk space.  This  should  be  considered  the  last
                  chance  to  do  something  before running out of disk space. The
                  numeric value for this parameter should be lower than the number
                  for space_left.
    
           admin_space_left_action
                  This  parameter  tells  the  system what action to take when the
                  system has detected that it is low on disk space.  Valid  values
                  are  ignore, syslog, email, exec, suspend, single, and halt.  If
                  set to ignore, the audit daemon does nothing.  Syslog means that
                  it  will  issue  a  warning to syslog.  Email means that it will
                  send   a   warning   to   the   email   account   specified   in
                  action_mail_acct as well as sending the message to syslog.  exec
                  /path-to-script will execute the script. You cannot pass parame-
                  ters to the script.  Suspend will cause the audit daemon to stop
                  writing records to the disk. The daemon will still be alive. The
                  single  option  will  cause the audit daemon to put the computer
                  system in single user mode.  halt
    
           disk_full_action
                  This parameter tells the system what action  to  take  when  the
                  system  has  detected  that the partition to which log files are
                  written has become full. Valid values are ignore, syslog,  exec,
                  suspend,  single,  and halt.  If set to ignore, the audit daemon
                  does nothing.  Syslog means that it will issue a warning to sys-
                  log.   exec  /path-to-script will execute the script. You cannot
                  pass parameters to the script.  Suspend  will  cause  the  audit
                  daemon  to  stop  writing  records  to the disk. The daemon will
                  still be alive. The single option will cause the audit daemon to
                  put  the  computer system in single user mode.  halt option will
                  cause the audit daemon to shutdown the computer system.
    
           disk_error_action
                  This parameter tells the system what  action  to  take  whenever
                  there  is an error detected when writing audit events to disk or
                  rotating logs. Valid values are ignore, syslog,  exec,  suspend,
                  single, and halt.  If set to ignore, the audit daemon does noth-
                  ing.  Syslog means that it will issue a warning to syslog.  exec
                  /path-to-script will execute the script. You cannot pass parame-
                  ters to the script.  Suspend will cause the audit daemon to stop
                  writing records to the disk. The daemon will still be alive. The
                  single option will cause the audit daemon to  put  the  computer
                  rejected  if  too  many hosts start up at exactly the same time,
                  such as after a power failure.
    
           tcp_max_per_addr
                  This is a numeric value which indicates how many concurrent con-
                  nections  from  one IP address is allowed.  The default is 1 and
                  the maximum is 16. Setting this too large may allow for a Denial
                  of  Service  attack on the logging server. The default should be
                  adequate in most cases unless a custom written  recovery  script
                  runs  to  forward unsent events. In this case you would increase
                  the number only large enough to let it in too.
    
           use_libwrap
                  This setting determines whether or not to  use  tcp_wrappers  to
                  discern  connection  attempts  that  are  from allowed machines.
                  Legal values are either yes, or no The default value is yes.
    
           tcp_client_ports
                  This parameter may be a single numeric value or two values sepa-
                  rated  by a dash (no spaces allowed).  It indicates which client
                  ports are allowed for incoming connections.  If  not  specified,
                  any port is allowed.  Allowed values are 1..65535.  For example,
                  to require the client use a priviledged port, specify 1-1023 for
                  this  parameter. You will also need to set the local_port option
                  in the audisp-remote.conf file. Making sure  that  clients  send
                  from  a  privileged  port  is  a security feature to prevent log
                  injection attacks by untrusted users.
    
           tcp_client_max_idle
                  This parameter indicates the number of seconds that a client may
                  be idle (i.e. no data from them at all) before auditd complains.
                  This is used to close inactive connections if the client machine
                  has  a  problem where it cannot shutdown the connection cleanly.
                  Note that this is a global setting, and must be higher than  any
                  individual  client  heartbeat_timeout  setting,  preferably by a
                  factor of two.  The default is zero, which disables this  check.
    
           enable_krb5
                  If  set to "yes", Kerberos 5 will be used for authentication and
                  encryption.  The default is "no".
    
           krb5_principal
                  This is the principal for this server.  The default is "auditd".
                  Given  this  default,  the server will look for a key named like
                  auditd/hostname@EXAMPLE.COM stored  in  /etc/audit/audit.key  to
                  authenticate  itself,  where  hostname is the canonical name for
                  the server's host, as  returned  by  a  DNS  lookup  of  its  IP
                  address.
    
           krb5_key_file
                  Location  of the key for this client's principal.  Note that the
                  key file must be owned by root and mode 0400.   The  default  is
    
           to be rotated, the longer it takes  to  get  back  to  receiving  audit
           events. Max_log_file_action should be set to keep_logs.
    
           Space_left  should  be set to a number that gives the admin enough time
           to react to any alert message and perform some maintenance to  free  up
           disk space. This would typically involve running the aureport -t report
           and moving the oldest logs to an archive area. The value of  space_left
           is  site  dependent since the rate at which events are generated varies
           with each deployment. The space_left_action is recommended to be set to
           email.  If  you  need something like an snmp trap, you can use the exec
           option to send one.
    
           Admin_space_left should be set to the amount of disk space on the audit
           partition    needed    for    admin    actions    to    be    recorded.
           Admin_space_left_action would be set to  single  so  that  use  of  the
           machine is restricted to just the console.
    
           The  disk_full_action is triggered when no more room exists on the par-
           tition. All access should be terminated since no more audit  capability
           exists. This can be set to either single or halt.
    
           The  disk_error_action should be set to syslog, single, or halt depend-
           ing on your local policies regarding handling of hardware malfunctions.
    
           Specifying  a  single allowed client port may make it difficult for the
           client to restart their audit subsystem, as it will be unable to recre-
           ate  a connection with the same host addresses and ports until the con-
           nection closure TIME_WAIT state times out.
    
    
    

    FILES

           /etc/audit/auditd.conf
                  Audit daemon configuration file
    
    
    

    SEE ALSO

           auditd(8), audisp-remote.conf(5).
    
    
    

    AUTHOR

           Steve Grubb
    
    
    

    Red Hat Dec 2008 AUDITD.CONF:(5)

    
    
  • MORE RESOURCE


  • Linux

    The Distributions





    Linux

    The Software





    Linux

    The News



  • MARKETING






  • Toll Free

webmaster@linuxguruz.com
Copyright © 1999 - 2016 by LinuxGuruz