.\" Copyright (c) 2012 The FreeBSD Foundation
.\" All rights reserved.
.\" This documentation was written by Pawel Jakub Dawidek under sponsorship
.\" from the FreeBSD Foundation.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.Nd configuration file for the
Note: the configuration file may contain passwords.
Care should be taken to configure proper permissions on this file
Every line starting with # is treated as a comment and ignored.
.Sh CONFIGURATION FILE SYNTAX
# The default is the first part of the hostname.
# The default is "/var/run/auditdistd.pid".
# Source address for connections.
# Directory with audit trail files managed by auditdistd.
# The default is /var/audit/dist.
.\" # Checksum algorithm for data sent over the wire.
.\" # The default is none.
.\" checksum "<algorithm>"
.\" # Compression algorithm for data sent over the wire.
.\" # The default is none.
.\" compression "<algorithm>"
# Configuration for the target system we want to send audit trail
# Source address for connections.
# Address of auditdistd receiver.
# No default. Obligatory.
# Directory with audit trail files managed by auditdistd.
# The default is /var/audit/dist.
# Fingerprint of the receiver's public key when using TLS
# Example fingerprint:
# SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30:14:D7:F9:AA:8B:3E:73:CD:F5:76:2B
fingerprint "<algorithm=hash>"
# Password used to authenticate in front of the receiver.
password "<password>"
.\" # Checksum algorithm for data sent over the wire.
.\" # The default is none.
.\" checksum "<algorithm>"
.\" # Compression algorithm for data sent over the wire.
.\" # The default is none.
.\" compression "<algorithm>"
# Currently local audit trail files can be sent only to one remote
# auditdistd receiver, but this can change in the future.
# Address to listen on. Multiple listen addresses might be specified.
# The defaults are "tcp4://0.0.0.0:7878" and "tcp6://[::]:7878".
# If the directory in a host section is not absolute, it will be concatenated
# with this base directory.
# The default is "/var/audit/remote".
directory "<basedir>"
# Path to receiver's certificate file.
# The default is "/etc/security/auditdistd.cert.pem".
# Path to receiver's private key file.
# The default is "/etc/security/auditdistd.key.pem".
# Configuration for a source system we want to receive audit trail
# No default. Obligatory.
# Directory where to store audit trail files received
# from system <name>.
# The default is "<basedir>/<name>".
# Password used by the sender to authenticate.
password "<password>"
# Multiple hosts to receive from can be configured.
Most of the available configuration parameters are optional.
If a parameter is not defined in the particular section, it will be
inherited from the parent section if possible.
parameter is not defined in the
section, it will be inherited from the
section does not define the
parameter at all, the default value will be used.
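The following is an added example and not part of auditdistd or of this manual page. It parses a configuration file in the layout shown above, applies the inheritance rule just described (host section, then the sender or receiver section, then the global section, then the documented default), handles the directory rule (a relative host directory is joined with the receiver's base directory, an unset one becomes <basedir>/<name>) and flags group/other permission bits on the file mode, which is the check the note about passwords in this file calls for. The brace-delimited section syntax, the sample configuration and all values in it are this example's assumptions; `permission_findings` takes the `st_mode` value returned by `os.stat`.

```python
"""Added example, not auditdistd's own code: parser for the auditdistd.conf
layout of this manual, its inheritance rule (host -> sender/receiver ->
global -> default) and a permission check.  Brace syntax and sample values
are assumptions of this example."""
import re
import stat

# Defaults quoted in the manual; statements marked "Obligatory" have none.
DEFAULTS = {
    "pidfile": "/var/run/auditdistd.pid",
    "certfile": "/etc/security/auditdistd.cert.pem",
    "keyfile": "/etc/security/auditdistd.key.pem",
    "listen": ["tcp4://0.0.0.0:7878", "tcp6://[::]:7878"],
}
REPEATABLE = {"listen"}  # "Multiple listen addresses might be specified."
# Token alternatives: '#' comment | "quoted value" | brace | bare word
_TOKEN = re.compile(r'#[^\n]*|"((?:[^"\\]|\\.)*)"|([{}])|([^\s{}"#]+)')


def tokenize(text):
    """Yield words and braces; a '#' comment runs to the end of its line."""
    for m in _TOKEN.finditer(text):
        if m.group(0).startswith("#"):
            continue
        yield m.group(2) or (m.group(3) if m.group(1) is None else m.group(1))


def _parse_block(tokens, pos, nested=False):
    """Parse statements up to end of input (top level) or a closing brace."""
    params = {}
    while pos < len(tokens) and tokens[pos] != "}":
        key, pos = tokens[pos], pos + 1
        if key == "host":                          # host "<name>" { ... }
            if pos + 1 >= len(tokens) or tokens[pos + 1] != "{":
                raise ValueError("host needs a name followed by '{'")
            name = tokens[pos]
            body, pos = _parse_block(tokens, pos + 2, nested=True)
            params.setdefault("host", {})[name] = body
        elif key in ("sender", "receiver"):        # sender { ... }
            if pos >= len(tokens) or tokens[pos] != "{":
                raise ValueError(f"{key} needs '{{'")
            params[key], pos = _parse_block(tokens, pos + 1, nested=True)
        else:                                      # statement "<value>"
            if pos >= len(tokens) or tokens[pos] in ("{", "}"):
                raise ValueError(f"{key}: missing value")
            value, pos = tokens[pos], pos + 1
            if key in REPEATABLE:
                params.setdefault(key, []).append(value)
            else:
                params[key] = value
    if nested:
        if pos >= len(tokens):
            raise ValueError("missing '}'")
        return params, pos + 1                     # consume the closing brace
    if pos < len(tokens):
        raise ValueError("unexpected '}'")
    return params, pos


def parse(text):
    return _parse_block(list(tokenize(text)), 0)[0]


def resolve(conf, role, host, key):
    """Inheritance rule: host section -> role section -> global -> default."""
    role_sect = conf.get(role, {})
    host_sect = role_sect.get("host", {}).get(host, {})
    for scope in (host_sect, role_sect, conf):
        if key in scope:
            return scope[key]
    if key not in DEFAULTS:
        raise KeyError(f"{key}: no default, must be set for {role}/{host}")
    return DEFAULTS[key]


def resolve_directory(conf, role, host):
    """directory: /var/audit/dist on the sender; on the receiver a relative
    host directory is joined with the base directory, unset -> <basedir>/<name>."""
    role_sect = conf.get(role, {})
    host_dir = role_sect.get("host", {}).get(host, {}).get("directory")
    if role == "sender":
        return host_dir or role_sect.get("directory", "/var/audit/dist")
    basedir = role_sect.get("directory", "/var/audit/remote")
    if host_dir is None:
        return f"{basedir}/{host}"
    return host_dir if host_dir.startswith("/") else f"{basedir}/{host_dir}"


def permission_findings(mode, path="auditdistd.conf"):
    """Flag group/other bits in an st_mode value: the file may hold passwords."""
    mode = stat.S_IMODE(mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:04o} grants group/other access; use 0600"]
    return []


SAMPLE = """# constructed sample in the layout shown in this manual page
name "collector-a"
timeout 30
sender {
    source "tcp4://192.0.2.10"
    host "auditsrv" { remote "tcp4://192.0.2.20:7878" password "example-only" }
}
receiver {
    listen "tcp4://0.0.0.0:7878"
    listen "tcp6://[::]:7878"
    host "branch-1" { directory "branch-1-trails" password "example-only" }
    host "branch-2" { remote "tcp4://198.51.100.7" password "example-only" }
}
"""
```

With the sample above, `resolve(conf, "sender", "auditsrv", "source")` comes from the sender section, `timeout` from the global section and `pidfile` from the default, while `resolve_directory(conf, "receiver", "branch-1")` joins the relative directory with the default base directory. A `remote` that is set nowhere raises `KeyError`, matching the manual's "No default. Obligatory."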
.Sh CONFIGURATION FILE DESCRIPTION
The following statements are available:
.Bl -tag -width ".Ic xxxx"
It is sent to the receiver, so it can properly recognize us if there is
more than one sender coming from the same IP address.
.It Ic timeout Aq seconds
Connection timeout in seconds.
.It Ic pidfile Aq path
File in which to store the process ID of the main
.Pa /var/run/auditdistd.pid .
.It Ic source Aq addr
Local address to bind to before connecting to the remote
Format is the same as for the
.It Ic directory Aq path
Directory where to look for audit trail files in case of sender mode or
directory where to store received audit trail files.
The provided path has to be an absolute path.
The only exception is when the directory is provided in the
section, then the path provided in the
subsections can be relative to the directory in the
.Pa /var/audit/remote
.Pa /var/audit/remote/<name>
.\".It Ic checksum Aq algorithm
.\"Checksum algorithm should be one of the following:
.\".Bl -tag -width ".Ic sha256"
.\"No checksum will be calculated for the data being sent over the network.
.\"This is the default setting.
.\"CRC32 checksum will be calculated.
.\"SHA256 checksum will be calculated.
.\".It Ic compression Aq algorithm
.\"Compression algorithm should be one of the following:
.\".Bl -tag -width ".Ic none"
.\"Data sent over the network will not be compressed.
.\"This is the default setting.
.\".An Marc Alexander Lehmann
.\"will be used to compress the data sent over the network.
.\"is a very fast, general purpose compression algorithm.
.It Ic remote Aq addr
Address of the remote
Format is the same as for the
When operating in the
mode this address will be used to connect to the
When operating in the
mode only connections from this address will be accepted.
.It Ic listen Aq addr
Address to listen on in the form of:
.Bd -literal -offset indent
protocol://protocol-specific-address
Each of the following examples defines the same listen address:
.Bd -literal -offset indent
Multiple listen addresses can be specified.
.Pa tcp4://0.0.0.0:7878
if the kernel supports IPv4 and IPv6 respectively.
.It Ic keyfile Aq path
Path to a file that contains the private key for TLS communication.
.It Ic certfile Aq path
Path to a file that contains the certificate for TLS communication.
.It Ic fingerprint Aq algo=hash
Fingerprint of the receiver's public key.
Currently only the SHA256 algorithm is supported.
The certificate public key's fingerprint, ready to be pasted into the auditdistd
configuration file, can be obtained by running:
# openssl x509 -in /etc/security/auditdistd.cert.pem -noout -fingerprint -sha256 | awk -F '[ =]' '{printf("%s=%s\\n", $1, $3)}'
.It Ic password Aq password
Password used to authenticate the sender in front of the receiver.
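An added example, not code from auditdistd, for the protocol://protocol-specific-address form that listen takes and that, per the manual, remote and source share. It assumes tcp4 and tcp6 as the protocols, an IPv6 address written in brackets as in the default tcp6://[::]:7878, address literals rather than host names, an omitted port meaning 7878 (the port of the default listen addresses) and an omitted address meaning the wildcard address of the protocol's family; the last two assumptions are what let several spellings name the same listen address.

```python
"""Added example, not auditdistd's own code: parse and validate the
protocol://protocol-specific-address form.  Default port, wildcard address
and literal-only addresses are assumptions of this example."""
import ipaddress
from typing import NamedTuple

DEFAULT_PORT = 7878                               # port of the default listen addresses
WILDCARD = {"tcp4": "0.0.0.0", "tcp6": "::"}      # assumed meaning of an omitted address


class Endpoint(NamedTuple):
    proto: str   # "tcp4" or "tcp6"
    host: str    # address literal without brackets
    port: int


def parse_address(spec):
    """Return an Endpoint for spec or raise ValueError naming the problem."""
    proto, sep, rest = spec.partition("://")
    if not sep or proto not in WILDCARD:
        raise ValueError(f"{spec!r}: protocol must be tcp4:// or tcp6://")
    if rest.startswith("["):                       # [v6-literal] or [v6-literal]:port
        addr, sep, tail = rest[1:].partition("]")
        if not sep or (tail and not tail.startswith(":")):
            raise ValueError(f"{spec!r}: malformed bracketed address")
        port_str = tail[1:]
    elif rest.count(":") == 1:                     # host:port
        addr, _, port_str = rest.partition(":")
    elif ":" in rest:                              # unbracketed IPv6 is ambiguous
        raise ValueError(f"{spec!r}: write IPv6 addresses as [addr]:port")
    else:                                          # bare host, or nothing at all
        addr, port_str = rest, ""
    addr = addr or WILDCARD[proto]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        raise ValueError(f"{spec!r}: {addr!r} is not an IP address literal") from None
    if ip.version != int(proto[-1]):               # tcp4 needs IPv4, tcp6 needs IPv6
        raise ValueError(f"{spec!r}: {addr} is not an IPv{proto[-1]} address")
    if port_str == "":
        port = DEFAULT_PORT
    elif port_str.isdigit() and 0 < int(port_str) < 65536:
        port = int(port_str)
    else:
        raise ValueError(f"{spec!r}: bad port {port_str!r}")
    return Endpoint(proto, str(ip), port)


def listen_endpoints(specs=None):
    """Parse the configured listen addresses; none configured means the
    manual's defaults tcp4://0.0.0.0:7878 and tcp6://[::]:7878."""
    specs = specs or ["tcp4://0.0.0.0:7878", "tcp6://[::]:7878"]
    return [parse_address(s) for s in specs]


def rejects(spec):
    """True when parse_address refuses spec (exercises the checks above)."""
    try:
        parse_address(spec)
    except ValueError:
        return True
    return False
```

Requiring brackets around IPv6 literals is what makes the port unambiguous: tcp6://::1:7878 is refused rather than guessed at, and a tcp4:// address that is really IPv6 (or the reverse) is caught before a socket is ever opened.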
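The following added example is not auditdistd's own code. It parses the "SHA256=XX:XX:..." fingerprint string shown above, reproduces the transformation the manual's awk command performs on the OpenSSL output, and checks a peer certificate against the configured value with a constant-time comparison. The digest is computed over the DER-encoded certificate, which is what `openssl x509 -fingerprint -sha256` hashes; the certificate bytes used here are a constructed placeholder, not a real certificate, and the fingerprint constant is the example value quoted in this manual page.

```python
"""Added example, not auditdistd's own code: parse "SHA256=XX:XX:..."
fingerprints and check a DER certificate against one.  FAKE_DER is a
constructed placeholder for a certificate."""
import base64
import hashlib
import hmac
import re

ALGORITHMS = {"SHA256": hashlib.sha256}   # the manual: only SHA256 is supported
_FP_RE = re.compile(r"^([A-Za-z0-9]+)=((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})$")


def parse_fingerprint(spec):
    """'SHA256=8F:0A:...' -> ('SHA256', 32 raw digest bytes), else ValueError."""
    m = _FP_RE.match(spec.strip())
    if not m:
        raise ValueError(f"fingerprint must look like ALGO=XX:XX:...: {spec!r}")
    algo, digest = m.group(1).upper(), bytes.fromhex(m.group(2).replace(":", ""))
    if algo not in ALGORITHMS:
        raise ValueError(f"unsupported fingerprint algorithm {algo}")
    size = ALGORITHMS[algo]().digest_size
    if len(digest) != size:
        raise ValueError(f"{algo} fingerprint must be {size} bytes, got {len(digest)}")
    return algo, digest


def format_fingerprint(der, algo="SHA256"):
    """Render a certificate's digest in the form the configuration file takes."""
    hexd = ALGORITHMS[algo](der).hexdigest().upper()
    return algo + "=" + ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def from_openssl_output(line):
    """What the manual's awk does: 'SHA256 Fingerprint=8F:..' -> 'SHA256=8F:..'."""
    fields = re.split(r"[ =]", line.strip())
    return f"{fields[0]}={fields[2]}"


def pem_to_der(pem):
    """Strip the PEM armour and decode the base64 body to DER bytes."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def certificate_matches(der, configured):
    """Compare the peer certificate's digest with the configured fingerprint
    in constant time, so a mismatch is not leaked byte by byte."""
    algo, expected = parse_fingerprint(configured)
    return hmac.compare_digest(ALGORITHMS[algo](der).digest(), expected)


def rejects(spec):
    """True when parse_fingerprint refuses spec (exercises the checks above)."""
    try:
        parse_fingerprint(spec)
    except ValueError:
        return True
    return False


# Constructed placeholder standing in for a DER-encoded certificate.
FAKE_DER = bytes(range(256)) * 4
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(re.findall(".{1,64}", base64.b64encode(FAKE_DER).decode()))
            + "\n-----END CERTIFICATE-----\n")
# The fingerprint this manual page quotes as an example value.
MANUAL_EXAMPLE = ("SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:"
                  "8F:B6:1C:55:30:14:D7:F9:AA:8B:3E:73:CD:F5:76:2B")
```

The parser normalises the algorithm name to upper case because some OpenSSL versions print it in lower case ("sha256 Fingerprint=..."), so the awk pipeline's output would otherwise not match the "SHA256=" spelling the manual shows; the length check means a truncated or wrong-algorithm value is refused at configuration time rather than silently never matching.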
.Bl -tag -width ".Pa /etc/security/auditdistd.conf" -compact
.It Pa /etc/security/auditdistd.conf
The example configuration files can look as follows.
.Bd -literal -offset indent
.Bd -literal -offset indent
.An Pawel Jakub Dawidek Aq pawel@dawidek.net
under sponsorship of the FreeBSD Foundation.