.\" Copyright (c) 2012 The FreeBSD Foundation
.\" All rights reserved.
.\" This documentation was written by Pawel Jakub Dawidek under sponsorship
.\" from the FreeBSD Foundation.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.Nd configuration file for the
Note: the configuration file may contain passwords.
Care should be taken to configure proper permissions for this file
Every line starting with
gets treated as a comment and is ignored.
.Sh CONFIGURATION FILE SYNTAX
The general syntax of the
# The default is the first part of the hostname.
# The default is "/var/run/auditdistd.pid".
# Source address for connections.
# Directory with audit trail files managed by auditdistd.
# The default is /var/audit/dist.
.\" # Checksum algorithm for data sent over the wire.
.\" # The default is none.
.\" checksum "<algorithm>"
.\" # Compression algorithm for data sent over the wire.
.\" # The default is none.
.\" compression "<algorithm>"
# Configuration for the target system we want to send audit trail
# Source address for connections.
# Address of the auditdistd receiver.
# No default. Obligatory.
# Directory with audit trail files managed by auditdistd.
# The default is /var/audit/dist.
# Fingerprint of the receiver's public key when using TLS
# Example fingerprint:
# SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30:14:D7:F9:AA:8B:3E:73:CD:F5:76:2B
fingerprint "<algorithm=hash>"
# Password used to authenticate to the receiver.
password "<password>"
.\" # Checksum algorithm for data sent over the wire.
.\" # The default is none.
.\" checksum "<algorithm>"
.\" # Compression algorithm for data sent over the wire.
.\" # The default is none.
.\" compression "<algorithm>"
# Currently local audit trail files can be sent only to one remote
# auditdistd receiver, but this can change in the future.
# Address to listen on. Multiple listen addresses may be specified.
# The defaults are "tcp4://0.0.0.0:7878" and "tcp6://[::]:7878".
# If the directory in the host section is not absolute, it will be
# concatenated with this base directory.
# The default is "/var/audit/remote".
directory "<basedir>"
# Path to the receiver's certificate file.
# The default is "/etc/security/auditdistd.cert.pem".
# Path to the receiver's private key file.
# The default is "/etc/security/auditdistd.key.pem".
# Configuration for a source system we want to receive audit trail
# No default. Obligatory.
# Directory where to store audit trail files received
# from system <name>.
# The default is "<basedir>/<name>".
# Password used by the sender to authenticate.
password "<password>"
# Multiple hosts to receive from can be configured.
Most of the various available configuration parameters are optional.
If a parameter is not defined in the particular section, it will be
inherited from the parent section if possible.
parameter is not defined in the
section, it will be inherited from the
section does not define the
parameter at all, the default value will be used.
.Sh CONFIGURATION OPTION DESCRIPTION
The following statements are available:
.Bl -tag -width ".Ic xxxx"
It is sent to the receiver, so it can properly recognize us if there are
multiple senders coming from the same IP address.
.It Ic timeout Aq seconds
Connection timeout in seconds.
.It Ic pidfile Aq path
File in which to store the process ID of the main
.Pa /var/run/auditdistd.pid .
.It Ic source Aq addr
Local address to bind to before connecting to the remote
The format is the same as for the
.It Ic directory Aq path
The directory in which to look for audit trail files in sender mode, or
the directory in which to store received audit trail files.
The provided path has to be an absolute path.
The only exception is when the directory is provided in the
section; then the path provided in the
subsections can be relative to the directory in the
.Pa /var/audit/remote
.Pa /var/audit/remote/<name>
.\".It Ic checksum Aq algorithm
.\"Checksum algorithm should be one of the following:
.\".Bl -tag -width ".Ic sha256"
.\"No checksum will be calculated for the data being sent over the network.
.\"This is the default setting.
.\"CRC32 checksum will be calculated.
.\"SHA256 checksum will be calculated.
.\".It Ic compression Aq algorithm
.\"Compression algorithm should be one of the following:
.\".Bl -tag -width ".Ic none"
.\"Data sent over the network will not be compressed.
.\"This is the default setting.
.\".An Marc Alexander Lehmann
.\"will be used to compress the data sent over the network.
.\"is a very fast, general purpose compression algorithm.
.It Ic remote Aq addr
Address of the remote
The format is the same as for the
mode this address will be used to connect to the
mode only connections from this address will be accepted.
.It Ic listen Aq addr
Address to listen on, in the form:
.Bd -literal -offset indent
protocol://protocol-specific-address
Each of the following examples defines the same listen address:
.Bd -literal -offset indent
Multiple listen addresses can be specified.
.Pa tcp4://0.0.0.0:7878
.Pa tcp6://[::]:7878 ,
if the kernel supports IPv4 and IPv6 respectively.
.It Ic keyfile Aq path
Path to a file that contains the private key for TLS communication.
.It Ic certfile Aq path
Path to a file that contains the certificate for TLS communication.
.It Ic fingerprint Aq algo=hash
Fingerprint of the receiver's public key.
Currently only the SHA256 algorithm is supported.
The certificate public key's fingerprint ready to be pasted into the
configuration file can be obtained by running:
# openssl x509 -in /etc/security/auditdistd.cert.pem -noout -fingerprint -sha256 | awk -F '[ =]' '{printf("%s=%s\\n", $1, $3)}'
.It Ic password Aq password
Password used to authenticate the sender to the receiver.
.Bl -tag -width ".Pa /etc/security/auditdistd.conf" -compact
.It Pa /etc/security/auditdistd.conf
The example configuration files can look as follows.
.Bd -literal -offset indent
.Bd -literal -offset indent
daemon was developed by
.An Pawel Jakub Dawidek Aq pawel@dawidek.net
under sponsorship of the FreeBSD Foundation.
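
Two checks a sender administrator can run before deployment, relating to the fingerprint statement and to the note that the configuration file may contain passwords. This is an added example, not part of auditdistd or of the original manual page; the function names, the upper-case normalisation and the owner-only permission policy are assumptions.

```shell
#!/bin/sh
# Added example; not part of auditdistd. Function names are hypothetical.

# Turn one line of `openssl x509 -noout -fingerprint -sha256` output, such as
# "SHA256 Fingerprint=8F:0A:...", into the ALGO=HASH value for the
# fingerprint statement. Prints nothing and returns 1 on malformed input.
format_fingerprint() {
    line=$1
    algo=$(printf '%s' "${line%% *}" | tr '[:lower:]' '[:upper:]')
    hash=$(printf '%s' "${line#*=}" | tr '[:lower:]' '[:upper:]')
    # The page states that only SHA256 is currently supported.
    [ "$algo" = "SHA256" ] || return 1
    # A SHA-256 digest is 32 bytes: 32 hex pairs joined by 31 colons.
    printf '%s\n' "$hash" | grep -Eq '^[0-9A-F]{2}(:[0-9A-F]{2}){31}$' || return 1
    printf '%s=%s\n' "$algo" "$hash"
}

# Succeed only if the file exists and grants nothing to group or others
# (assumed policy for a file that may hold passwords).
conf_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# Constructed input: an openssl-style line carrying the page's example hash,
# written in lower case to show the normalisation.
sample='sha256 Fingerprint=8f:0a:fc:8a:3d:09:80:af:d9:aa:38:cc:8a:86:53:e6:8f:b6:1c:55:30:14:d7:f9:aa:8b:3e:73:cd:f5:76:2b'
format_fingerprint "$sample"
```

A truncated or non-SHA256 line makes format_fingerprint return 1 without output, so a script can refuse to write the fingerprint statement instead of pasting a malformed value.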