1AUDITD.CONF:(5) System Administration Utilities AUDITD.CONF:(5)
2
3
4
6 auditd.conf - audit daemon configuration file
7
9 The file /etc/audit/auditd.conf contains configuration information spe‐
10 cific to the audit daemon. Each line should contain one configuration
11 keyword, an equal sign, and then followed by appropriate configuration
12 information. All option names and values are case insensitive. The key‐
13 words recognized are listed and described below. Each line should be
14 limited to 160 characters or the line will be skipped. You may add com‐
15 ments to the file by starting the line with a '#' character.
16
17
18 log_file
19 This keyword specifies the full path name to the log file where
20 audit records will be stored. It must be a regular file.
21
22 log_format
23 The log format describes how the information should be stored on
24 disk. There are 2 options: raw and nolog. If set to RAW, the
25 audit records will be stored in a format exactly as the kernel
26 sends it. If this option is set to NOLOG then all audit informa‐
27 tion is discarded instead of writing to disk. This mode does not
28 affect data sent to the audit event dispatcher.
29
30 log_group
31 This keyword specifies the group that is applied to the log
32 file's permissions. The default is root. The group name can be
33 either numeric or spelled out.
34
35 priority_boost
36 This is a non-negative number that tells the audit daemon how
37 much of a priority boost it should take. The default is 4. No
38 change is 0.
39
40 flush Valid values are none, incremental, incremental_async, data,
41 and sync. If set to none, no special effort is made to flush
42 the audit records to disk. If set to incremental, Then the freq
43 parameter is used to determine how often an explicit flush to
44 disk is issued. The incremental_async parameter is very much
45 like incremental except the flushing is done asynchronously for
46 higher performance. The data parameter tells the audit daemon to
47 keep the data portion of the disk file sync'd at all times. The
48 sync option tells the audit daemon to keep both the data and
49 meta-data fully sync'd with every write to disk.
50
51 freq This is a non-negative number that tells the audit daemon how
52 many records to write before issuing an explicit flush to disk
53 command. This value is only valid when the flush keyword is set
54 to incremental.
55
56 num_logs
57 This keyword specifies the number of log files to keep if rotate
58 is given as the max_log_file_action. If the number is < 2, logs
59 are not rotated. This number must be 99 or less. The default is
60 0 - which means no rotation. As you increase the number of log
61 files being rotated, you may need to adjust the kernel backlog
62 setting upwards since it takes more time to rotate the files.
63 This is typically done in /etc/audit/audit.rules. If log rota‐
64 tion is configured to occur, the daemon will check for excess
65 logs and remove them in effort to keep disk space available. The
66 excess log check is only done on startup and when a reconfigure
67 results in a space check.
68
69 disp_qos
70 This option controls whether you want blocking/lossless or non-
71 blocking/lossy communication between the audit daemon and the
72 dispatcher. There is a 128k buffer between the audit daemon and
73 dispatcher. This is good enogh for most uses. If lossy is cho‐
74 sen, incoming events going to the dispatcher are discarded when
75 this queue is full. (Events are still written to disk if
76 log_format is not nolog.) Otherwise the auditd daemon will wait
77 for the queue to have an empty spot before logging to disk. The
78 risk is that while the daemon is waiting for network IO, an
79 event is not being recorded to disk. Valid values are: lossy and
80 lossless. Lossy is the default value.
81
82 dispatcher
83 The dispatcher is a program that is started by the audit daemon
84 when it starts up. It will pass a copy of all audit events to
85 that application's stdin. Make sure you trust the application
86 that you add to this line since it runs with root privileges.
87
88 name_format
89 This option controls how computer node names are inserted into
90 the audit event stream. It has the following choices: none,
91 hostname, fqd, numeric, and user. None means that no computer
92 name is inserted into the audit event. hostname is the name
93 returned by the gethostname syscall. The fqd means that it takes
94 the hostname and resolves it with dns for a fully qualified
95 domain name of that machine. Numeric is similar to fqd except
96 it resolves the IP address of the machine. In order to use this
97 option, you might want to test that 'hostname -i' or 'domainname
98 -i' returns a numeric address. Also, this option is not recom‐
99 mended if dhcp is used because you could have different
100 addresses over time for the same machine. User is an admin
101 defined string from the name option. The default value is none.
102
103 name This is the admin defined string that identifies the machine if
104 user is given as the name_format option.
105
106 max_log_file
107 This keyword specifies the maximum file size in megabytes. When
108 this limit is reached, it will trigger a configurable action.
109 The value given must be numeric.
110
111 max_log_file_action
112 This parameter tells the system what action to take when the
113 system has detected that the max file size limit has been
114 reached. Valid values are ignore, syslog, suspend, rotate and
115 keep_logs. If set to ignore, the audit daemon does nothing.
116 syslog means that it will issue a warning to syslog. suspend
117 will cause the audit daemon to stop writing records to the disk.
118 The daemon will still be alive. The rotate option will cause the
119 audit daemon to rotate the logs. It should be noted that logs
120 with higher numbers are older than logs with lower numbers. This
121 is the same convention used by the logrotate utility. The
122 keep_logs option is similar to rotate except it does not use the
123 num_logs setting. This prevents audit logs from being overwrit‐
124 ten. The effect is that logs accumulate and are not deleted -
125 which will trigger the space_left_action if the volume fills up.
126 This is best used in combination with an external script used to
127 archive logs on a periodic basis.
128
129 action_mail_acct
130 This option should contain a valid email address or alias. The
131 default address is root. If the email address is not local to
132 the machine, you must make sure you have email properly config‐
133 ured on your machine and network. Also, this option requires
134 that /usr/lib/sendmail exists on the machine.
135
136 space_left
137 This is a numeric value in megabytes that tells the audit daemon
138 when to perform a configurable action because the system is
139 starting to run low on disk space.
140
141 space_left_action
142 This parameter tells the system what action to take when the
143 system has detected that it is starting to get low on disk
144 space. Valid values are ignore, syslog, rotate, email, exec,
145 suspend, single, and halt. If set to ignore, the audit daemon
146 does nothing. syslog means that it will issue a warning to sys‐
147 log. rotate will rotate logs, losing the oldest to free up
148 space. Email means that it will send a warning to the email
149 account specified in action_mail_acct as well as sending the
150 message to syslog. exec /path-to-script will execute the
151 script. You cannot pass parameters to the script. The script is
152 also responsible for telling the auditd daemon to resume logging
153 once its completed its action. This can be done by adding ser‐
154 vice auditd resume to the script. suspend will cause the audit
155 daemon to stop writing records to the disk. The daemon will
156 still be alive. The single option will cause the audit daemon to
157 put the computer system in single user mode. The halt option
158 will cause the audit daemon to shutdown the computer system.
159
160 admin_space_left
161 This is a numeric value in megabytes that tells the audit daemon
162 when to perform a configurable action because the system is run‐
163 ning low on disk space. This should be considered the last
164 chance to do something before running out of disk space. The
165 numeric value for this parameter should be lower than the number
166 for space_left.
167
168 admin_space_left_action
169 This parameter tells the system what action to take when the
170 system has detected that it is low on disk space. Valid values
171 are ignore, syslog, rotate, email, exec, suspend, single, and
172 halt. If set to ignore, the audit daemon does nothing. Syslog
173 means that it will issue a warning to syslog. rotate will
174 rotate logs, losing the oldest to free up space. Email means
175 that it will send a warning to the email account specified in
176 action_mail_acct as well as sending the message to syslog. exec
177 /path-to-script will execute the script. You cannot pass parame‐
178 ters to the script. The script is also responsible for telling
179 the auditd daemon to resume logging once its completed its
180 action. This can be done by adding service auditd resume to the
181 script. Suspend will cause the audit daemon to stop writing
182 records to the disk. The daemon will still be alive. The single
183 option will cause the audit daemon to put the computer system in
184 single user mode. The halt option will cause the audit daemon to
185 shutdown the computer system.
186
187 disk_full_action
188 This parameter tells the system what action to take when the
189 system has detected that the partition to which log files are
190 written has become full. Valid values are ignore, syslog,
191 rotate, exec, suspend, single, and halt. If set to ignore, the
192 audit daemon will issue a syslog message but no other action is
193 taken. Syslog means that it will issue a warning to syslog.
194 rotate will rotate logs, losing the oldest to free up space.
195 exec /path-to-script will execute the script. You cannot pass
196 parameters to the script. The script is also responsible for
197 telling the auditd daemon to resume loggin g once its completed
198 its action. This can be done by adding service auditd resume to
199 the script. Suspend will cause the audit daemon to stop writing
200 records to the disk. The daemon will still be alive. The single
201 option will cause the audit daemon to put the computer system in
202 single user mode. halt option will cause the audit daemon to
203 shutdown the computer system.
204
205 disk_error_action
206 This parameter tells the system what action to take whenever
207 there is an error detected when writing audit events to disk or
208 rotating logs. Valid values are ignore, syslog, exec, suspend,
209 single, and halt. If set to ignore, the audit daemon will not
210 take any action. Syslog means that it will issue no more than 5
211 consecutive warnings to syslog. exec /path-to-script will exe‐
212 cute the script. You cannot pass parameters to the script. Sus‐
213 pend will cause the audit daemon to stop writing records to the
214 disk. The daemon will still be alive. The single option will
215 cause the audit daemon to put the computer system in single user
216 mode. halt option will cause the audit daemon to shutdown the
217 computer system.
218
219 tcp_listen_port
220 This is a numeric value in the range 1..65535 which, if speci‐
221 fied, causes auditd to listen on the corresponding TCP port for
222 audit records from remote systems. The audit daemon may be
223 linked with tcp_wrappers. You may want to control access with an
224 entry in the hosts.allow and deny files.
225
226 tcp_listen_queue
227 This is a numeric value which indicates how many pending
228 (requested but unaccepted) connections are allowed. The default
229 is 5. Setting this too small may cause connections to be
230 rejected if too many hosts start up at exactly the same time,
231 such as after a power failure.
232
233 tcp_max_per_addr
234 This is a numeric value which indicates how many concurrent con‐
235 nections from one IP address is allowed. The default is 1 and
236 the maximum is 1024. Setting this too large may allow for a
237 Denial of Service attack on the logging server. Also note that
238 the kernel has an internal maximum that will eventually prevent
239 this even if auditd allows it by config. The default should be
240 adequate in most cases unless a custom written recovery script
241 runs to forward unsent events. In this case you would increase
242 the number only large enough to let it in too.
243
244 use_libwrap
245 This setting determines whether or not to use tcp_wrappers to
246 discern connection attempts that are from allowed machines.
247 Legal values are either yes, or no The default value is yes.
248
249 tcp_client_ports
250 This parameter may be a single numeric value or two values sepa‐
251 rated by a dash (no spaces allowed). It indicates which client
252 ports are allowed for incoming connections. If not specified,
253 any port is allowed. Allowed values are 1..65535. For example,
254 to require the client use a priviledged port, specify 1-1023 for
255 this parameter. You will also need to set the local_port option
256 in the audisp-remote.conf file. Making sure that clients send
257 from a privileged port is a security feature to prevent log
258 injection attacks by untrusted users.
259
260 tcp_client_max_idle
261 This parameter indicates the number of seconds that a client may
262 be idle (i.e. no data from them at all) before auditd complains.
263 This is used to close inactive connections if the client machine
264 has a problem where it cannot shutdown the connection cleanly.
265 Note that this is a global setting, and must be higher than any
266 individual client heartbeat_timeout setting, preferably by a
267 factor of two. The default is zero, which disables this check.
268
269 enable_krb5
270 If set to "yes", Kerberos 5 will be used for authentication and
271 encryption. The default is "no".
272
273 krb5_principal
274 This is the principal for this server. The default is "auditd".
275 Given this default, the server will look for a key named like
276 auditd/hostname@EXAMPLE.COM stored in /etc/audit/audit.key to
277 authenticate itself, where hostname is the canonical name for
278 the server's host, as returned by a DNS lookup of its IP
279 address.
280
281 krb5_key_file
282 Location of the key for this client's principal. Note that the
283 key file must be owned by root and mode 0400. The default is
284 /etc/audit/audit.key
285
286
288 In a CAPP environment, the audit trail is considered so important that
289 access to system resources must be denied if an audit trail cannot be
290 created. In this environment, it would be suggested that /var/log/audit
291 be on its own partition. This is to ensure that space detection is
292 accurate and that no other process comes along and consumes part of it.
293
294 The flush parameter should be set to sync or data.
295
296 Max_log_file and num_logs need to be adjusted so that you get complete
297 use of your partition. It should be noted that the more files that have
298 to be rotated, the longer it takes to get back to receiving audit
299 events. Max_log_file_action should be set to keep_logs.
300
301 Space_left should be set to a number that gives the admin enough time
302 to react to any alert message and perform some maintenance to free up
303 disk space. This would typically involve running the aureport -t report
304 and moving the oldest logs to an archive area. The value of space_left
305 is site dependent since the rate at which events are generated varies
306 with each deployment. The space_left_action is recommended to be set to
307 email. If you need something like an snmp trap, you can use the exec
308 option to send one.
309
310 Admin_space_left should be set to the amount of disk space on the audit
311 partition needed for admin actions to be recorded.
312 Admin_space_left_action would be set to single so that use of the
313 machine is restricted to just the console.
314
315 The disk_full_action is triggered when no more room exists on the par‐
316 tition. All access should be terminated since no more audit capability
317 exists. This can be set to either single or halt.
318
319 The disk_error_action should be set to syslog, single, or halt depend‐
320 ing on your local policies regarding handling of hardware malfunctions.
321
322 Specifying a single allowed client port may make it difficult for the
323 client to restart their audit subsystem, as it will be unable to recre‐
324 ate a connection with the same host addresses and ports until the con‐
325 nection closure TIME_WAIT state times out.
326
327
329 /etc/audit/auditd.conf
330 Audit daemon configuration file
331
332
334 auditd(8), audisp-remote.conf(5).
335
336
338 Steve Grubb
339
340
341
342Red Hat March 2014 AUDITD.CONF:(5)