AUDITD.CONF:(5)          System Administration Utilities         AUDITD.CONF:(5)

NAME
       auditd.conf - audit daemon configuration file

DESCRIPTION
       The file /etc/audit/auditd.conf contains configuration information
       specific to the audit daemon. Each line should contain one
       configuration keyword, an equal sign, and then the appropriate
       configuration information. All option names and values are case
       insensitive. The keywords recognized are listed and described below.
       Each line should be limited to 160 characters or the line will be
       skipped. You may add comments to the file by starting the line with a
       '#' character.
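       The line format described above, implemented as an added example (this
       is illustrative code, not part of auditd or of this manual page): one
       keyword = value per line, case-insensitive keywords, '#' comment
       lines, and lines over 160 characters skipped. The KNOWN_KEYWORDS set
       lists the options documented on this page; warning on an undocumented
       keyword is an assumption about what an auditor would want to see, not
       auditd behaviour. The sample configuration is constructed for the
       example and deliberately contains one typo and one over-long line.

```python
import re
from typing import Dict, List, Tuple

MAX_LINE_LEN = 160  # auditd skips longer lines, per the man page

# Options documented in auditd.conf(5); anything else is flagged.
KNOWN_KEYWORDS = {
    "local_events", "log_file", "write_logs", "log_format", "log_group",
    "priority_boost", "flush", "freq", "num_logs", "name_format", "name",
    "max_log_file", "max_log_file_action", "verify_email", "action_mail_acct",
    "space_left", "space_left_action", "admin_space_left",
    "admin_space_left_action", "disk_full_action", "disk_error_action",
    "tcp_listen_port", "tcp_listen_queue", "tcp_max_per_addr", "use_libwrap",
    "tcp_client_ports", "tcp_client_max_idle", "transport", "enable_krb5",
    "krb5_principal", "krb5_key_file", "distribute_network", "q_depth",
    "overflow_action", "max_restarts", "plugin_dir",
}

# keyword, '=', value; whitespace around the tokens is tolerated.
_LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_auditd_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({keyword: value}, warnings).

    Keywords are lower-cased. Values are kept as written (so a path such as
    log_file survives verbatim); callers compare enumerated values with
    .lower(). A keyword repeated later in the file replaces the earlier one.
    """
    config: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE_LEN:
            # A silently skipped line leaves that option at its default,
            # which matters for settings such as space_left_action.
            warnings.append(f"line {lineno}: over {MAX_LINE_LEN} chars, skipped")
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if not match:
            warnings.append(f"line {lineno}: not 'keyword = value', skipped")
            continue
        keyword, value = match.group(1).lower(), match.group(2)
        if keyword not in KNOWN_KEYWORDS:
            # Assumption: a typo in an option name is worth reporting.
            warnings.append(f"line {lineno}: '{keyword}' is not a documented option")
        config[keyword] = value
    return config, warnings


# Constructed sample input, not a real /etc/audit/auditd.conf.
SAMPLE_CONF = "\n".join([
    "# constructed sample configuration",
    "local_events = yes",
    "log_file = /var/log/audit/audit.log",
    "LOG_FORMAT = ENRICHED",
    "flush = incremental_async",
    "freq = 50",
    "max_log_file_action = ROTATE",
    "space_left_action = email",
    "action_mail_acct = root",
    "num_log = 5",                                    # typo: not a documented option
    "admin_space_left_action = single" + " " * 170,   # over 160 chars: skipped
]) + "\n"

if __name__ == "__main__":
    cfg, warns = parse_auditd_conf(SAMPLE_CONF)
    for key, val in sorted(cfg.items()):
        print(f"{key} = {val}")
    for warning in warns:
        print("warning:", warning)
```

       The point of returning the warnings rather than dropping the bad lines
       quietly is that a skipped line is a configuration change nobody
       intended: the daemon will run with the default for that option.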

       local_events
              This yes/no keyword specifies whether or not to include local
              events. Normally you want local events, so the default value is
              yes. A case where you would set this to no is when you want to
              aggregate events only from the network. At the moment, this is
              useful if the audit daemon is running in a container. This
              option can only be set once at daemon start up. Reloading the
              config file has no effect.

       log_file
              This keyword specifies the full path name to the log file where
              audit records will be stored. It must be a regular file.

       write_logs
              This yes/no keyword determines whether or not to write logs to
              the disk. Normally you want this, so the default is yes.

       log_format
              The log format describes how the information should be stored
              on disk. There are 2 options: raw and enriched. If set to RAW,
              the audit records will be stored in a format exactly as the
              kernel sends it. The ENRICHED option will resolve all uid, gid,
              syscall, architecture, and socket address information before
              writing the event to disk. This aids in making sense of events
              created on one system but reported/analyzed on another system.
              The NOLOG option is now deprecated. If you were setting this
              format, you should now set the write_logs option to no.

       log_group
              This keyword specifies the group that is applied to the log
              file's permissions. The default is root. The group name can be
              either numeric or spelled out.

       priority_boost
              This is a non-negative number that tells the audit daemon how
              much of a priority boost it should take. The default is 4. No
              change is 0.

       flush  Valid values are none, incremental, incremental_async, data,
              and sync. If set to none, no special effort is made to flush
              the audit records to disk. If set to incremental, then the freq
              parameter is used to determine how often an explicit flush to
              disk is issued. The incremental_async parameter is very much
              like incremental except the flushing is done asynchronously for
              higher performance. The data parameter tells the audit daemon to
              keep the data portion of the disk file sync'd at all times. The
              sync option tells the audit daemon to keep both the data and
              meta-data fully sync'd with every write to disk. The default
              value is incremental_async.

       freq   This is a non-negative number that tells the audit daemon how
              many records to write before issuing an explicit flush to disk
              command. This value is only valid when the flush keyword is set
              to incremental or incremental_async.

       num_logs
              This keyword specifies the number of log files to keep if rotate
              is given as the max_log_file_action. If the number is < 2, logs
              are not rotated. This number must be 999 or less. The default
              is 0 - which means no rotation. As you increase the number of
              log files being rotated, you may need to adjust the kernel
              backlog setting upwards since it takes more time to rotate the
              files. This is typically done in /etc/audit/audit.rules. If log
              rotation is configured to occur, the daemon will check for
              excess logs and remove them in an effort to keep disk space
              available. The excess log check is only done on startup and
              when a reconfigure results in a space check.

       name_format
              This option controls how computer node names are inserted into
              the audit event stream. It has the following choices: none,
              hostname, fqd, numeric, and user. None means that no computer
              name is inserted into the audit event. hostname is the name
              returned by the gethostname syscall. The fqd means that it takes
              the hostname and resolves it with dns for a fully qualified
              domain name of that machine. Numeric is similar to fqd except
              it resolves the IP address of the machine. In order to use this
              option, you might want to test that 'hostname -i' or 'domainname
              -i' returns a numeric address. Also, this option is not
              recommended if dhcp is used because you could have different
              addresses over time for the same machine. User is an admin
              defined string from the name option. The default value is none.

       name   This is the admin defined string that identifies the machine if
              user is given as the name_format option.

       max_log_file
              This keyword specifies the maximum file size in megabytes. When
              this limit is reached, it will trigger a configurable action.
              The value given must be numeric.

       max_log_file_action
              This parameter tells the system what action to take when the
              system has detected that the max file size limit has been
              reached. Valid values are ignore, syslog, suspend, rotate and
              keep_logs. If set to ignore, the audit daemon does nothing.
              syslog means that it will issue a warning to syslog. suspend
              will cause the audit daemon to stop writing records to the disk.
              The daemon will still be alive. The rotate option will cause the
              audit daemon to rotate the logs. It should be noted that logs
              with higher numbers are older than logs with lower numbers. This
              is the same convention used by the logrotate utility. The
              keep_logs option is similar to rotate except it does not use the
              num_logs setting. This prevents audit logs from being
              overwritten. The effect is that logs accumulate and are not
              deleted - which will trigger the space_left_action if the volume
              fills up. This is best used in combination with an external
              script used to archive logs on a periodic basis.

       verify_email
              This option determines if the email address given in
              action_mail_acct is checked to see if the domain name can be
              resolved. This option must be given before action_mail_acct or
              the default value of yes will be used.

       action_mail_acct
              This option should contain a valid email address or alias. The
              default address is root. If the email address is not local to
              the machine, you must make sure you have email properly
              configured on your machine and network. Also, this option
              requires that /usr/lib/sendmail exists on the machine.

       space_left
              This is a numeric value in megabytes that tells the audit daemon
              when to perform a configurable action because the system is
              starting to run low on disk space.

       space_left_action
              This parameter tells the system what action to take when the
              system has detected that it is starting to get low on disk
              space. Valid values are ignore, syslog, rotate, email, exec,
              suspend, single, and halt. If set to ignore, the audit daemon
              does nothing. syslog means that it will issue a warning to
              syslog. rotate will rotate logs, losing the oldest to free up
              space. email means that it will send a warning to the email
              account specified in action_mail_acct as well as sending the
              message to syslog. exec /path-to-script will execute the
              script. You cannot pass parameters to the script. The script is
              also responsible for telling the auditd daemon to resume logging
              once it has completed its action. This can be done by adding
              service auditd resume to the script. suspend will cause the
              audit daemon to stop writing records to the disk. The daemon
              will still be alive. The single option will cause the audit
              daemon to put the computer system in single user mode. The halt
              option will cause the audit daemon to shut down the computer
              system.

       admin_space_left
              This is a numeric value in megabytes that tells the audit daemon
              when to perform a configurable action because the system is
              running low on disk space. This should be considered the last
              chance to do something before running out of disk space. The
              numeric value for this parameter should be lower than the number
              for space_left.

       admin_space_left_action
              This parameter tells the system what action to take when the
              system has detected that it is low on disk space. Valid values
              are ignore, syslog, rotate, email, exec, suspend, single, and
              halt. If set to ignore, the audit daemon does nothing. syslog
              means that it will issue a warning to syslog. rotate will
              rotate logs, losing the oldest to free up space. email means
              that it will send a warning to the email account specified in
              action_mail_acct as well as sending the message to syslog. exec
              /path-to-script will execute the script. You cannot pass
              parameters to the script. The script is also responsible for
              telling the auditd daemon to resume logging once it has
              completed its action. This can be done by adding service auditd
              resume to the script. suspend will cause the audit daemon to
              stop writing records to the disk. The daemon will still be
              alive. The single option will cause the audit daemon to put the
              computer system in single user mode. The halt option will cause
              the audit daemon to shut down the computer system.

       disk_full_action
              This parameter tells the system what action to take when the
              system has detected that the partition to which log files are
              written has become full. Valid values are ignore, syslog,
              rotate, exec, suspend, single, and halt. If set to ignore, the
              audit daemon will issue a syslog message but no other action is
              taken. syslog means that it will issue a warning to syslog.
              rotate will rotate logs, losing the oldest to free up space.
              exec /path-to-script will execute the script. You cannot pass
              parameters to the script. The script is also responsible for
              telling the auditd daemon to resume logging once it has
              completed its action. This can be done by adding service auditd
              resume to the script. suspend will cause the audit daemon to
              stop writing records to the disk. The daemon will still be
              alive. The single option will cause the audit daemon to put the
              computer system in single user mode. The halt option will cause
              the audit daemon to shut down the computer system.

       disk_error_action
              This parameter tells the system what action to take whenever
              an error is detected when writing audit events to disk or
              rotating logs. Valid values are ignore, syslog, exec, suspend,
              single, and halt. If set to ignore, the audit daemon will not
              take any action. syslog means that it will issue no more than 5
              consecutive warnings to syslog. exec /path-to-script will
              execute the script. You cannot pass parameters to the script.
              suspend will cause the audit daemon to stop writing records to
              the disk. The daemon will still be alive. The single option
              will cause the audit daemon to put the computer system in single
              user mode. The halt option will cause the audit daemon to shut
              down the computer system.

       tcp_listen_port
              This is a numeric value in the range 1..65535 which, if
              specified, causes auditd to listen on the corresponding TCP port
              for audit records from remote systems. The audit daemon may be
              linked with tcp_wrappers. You may want to control access with an
              entry in the hosts.allow and deny files. If this is deployed on
              a systemd based OS, then you may need to adjust the 'After'
              directive. See the note in the auditd.service file.

       tcp_listen_queue
              This is a numeric value which indicates how many pending
              (requested but unaccepted) connections are allowed. The default
              is 5. Setting this too small may cause connections to be
              rejected if too many hosts start up at exactly the same time,
              such as after a power failure. This setting is only used for
              aggregating servers. Clients logging to a remote server should
              keep this commented out.

       tcp_max_per_addr
              This is a numeric value which indicates how many concurrent
              connections from one IP address are allowed. The default is 1
              and the maximum is 1024. Setting this too large may allow for a
              Denial of Service attack on the logging server. Also note that
              the kernel has an internal maximum that will eventually prevent
              this even if auditd allows it by config. The default should be
              adequate in most cases unless a custom written recovery script
              runs to forward unsent events. In this case you would increase
              the number only large enough to let it in too.

       use_libwrap
              This setting determines whether or not to use tcp_wrappers to
              discern connection attempts that are from allowed machines.
              Legal values are either yes or no. The default value is yes.

       tcp_client_ports
              This parameter may be a single numeric value or two values
              separated by a dash (no spaces allowed). It indicates which
              client ports are allowed for incoming connections. If not
              specified, any port is allowed. Allowed values are 1..65535. For
              example, to require the client use a privileged port, specify
              1-1023 for this parameter. You will also need to set the
              local_port option in the audisp-remote.conf file. Making sure
              that clients send from a privileged port is a security feature
              to prevent log injection attacks by untrusted users.
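       The tcp_client_ports value format, as an added example that is not
       auditd's own code: a single port or two ports separated by a dash with
       no spaces, values 1..65535, and an unset option allowing any port. The
       client_port_allowed() check shows why the 1-1023 recommendation
       matters: only root on the client can bind a port below 1024, so an
       unprivileged local user on an audit client cannot open a connection
       that the aggregation server would accept. The function names and the
       sample values are constructed for this example.

```python
from typing import Optional, Tuple

PORT_MIN, PORT_MAX = 1, 65535


def parse_client_ports(spec: Optional[str]) -> Tuple[int, int]:
    """Return the inclusive (low, high) range that tcp_client_ports allows.

    Raises ValueError for anything the man page does not permit: spaces,
    more than one dash, non-numeric parts, or ports outside 1..65535.
    """
    if spec is None or spec == "":
        return PORT_MIN, PORT_MAX          # option absent: any port allowed
    if " " in spec:
        raise ValueError("tcp_client_ports: spaces are not allowed")
    parts = spec.split("-")
    if len(parts) == 1:
        low = high = int(parts[0])         # single port
    elif len(parts) == 2:
        low, high = int(parts[0]), int(parts[1])   # range low-high
    else:
        raise ValueError(f"tcp_client_ports: bad value {spec!r}")
    if not (PORT_MIN <= low <= high <= PORT_MAX):
        raise ValueError(f"tcp_client_ports: {low}-{high} outside 1..65535")
    return low, high


def client_port_allowed(spec: Optional[str], source_port: int) -> bool:
    """Would a connection from source_port be accepted under this setting?"""
    low, high = parse_client_ports(spec)
    return low <= source_port <= high


if __name__ == "__main__":
    # Constructed sample values: the recommended privileged range and
    # two client source ports, one privileged and one ephemeral.
    for port in (1022, 40000):
        print(f"1-1023 allows client port {port}: "
              f"{client_port_allowed('1-1023', port)}")
```

       The corresponding client-side setting is local_port in
       audisp-remote.conf; the server-side range only helps if the client is
       actually configured to bind within it.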
267
268 tcp_client_max_idle
269 This parameter indicates the number of seconds that a client may
270 be idle (i.e. no data from them at all) before auditd complains.
271 This is used to close inactive connections if the client machine
272 has a problem where it cannot shutdown the connection cleanly.
273 Note that this is a global setting, and must be higher than any
274 individual client heartbeat_timeout setting, preferably by a
275 factor of two. The default is zero, which disables this check.
276
277 transport
278 If set to TCP, only clear text tcp connections will be used. If
279 set to KRB5, then Kerberos 5 will be used for authentication and
280 encryption. The default value is TCP.
281
282 enable_krb5
283 This option is deprecated. Use the transport option above
284 instead. If set to "yes", Kerberos 5 will be used for authenti‐
285 cation and encryption. The default is "no". If this option is
286 set to "yes" and it follows the transport option, it will over‐
287 ride the transport setting. This would be the normal expected
288 behavior for backwards compatibility.
289
290 krb5_principal
291 This is the principal for this server. The default is "auditd".
292 Given this default, the server will look for a key named like
293 auditd/hostname@EXAMPLE.COM stored in /etc/audit/audit.key to
294 authenticate itself, where hostname is the canonical name for
295 the server's host, as returned by a DNS lookup of its IP
296 address.
297
298 krb5_key_file
299 Location of the key for this client's principal. Note that the
300 key file must be owned by root and mode 0400. The default is
301 /etc/audit/audit.key
302
303 distribute_network
304 If set to "yes", network originating events will be distributed
305 to the audit dispatcher for processing. The default is "no".
306
307 q_depth
308 This is a numeric value that tells how big to make the internal
309 queue of the audit event dispatcher. A bigger queue lets it han‐
310 dle a flood of events better, but could hold events that are not
311 processed when the daemon is terminated. If you get messages in
312 syslog about events getting dropped, increase this value. The
313 default value is 400.
314
315 overflow_action
316 This option determines how the daemon should react to overflow‐
317 ing its internal queue. When this happens, it means that more
318 events are being received than it can pass along to child pro‐
319 cesses. This error means that it is going to lose the current
320 event that it's trying to dispatch. This option has the follow‐
321 ing choices: ignore, syslog, suspend, single, and halt. If set
322 to ignore, the audit daemon does nothing. syslog means that it
323 will issue a warning to syslog. suspend will cause the audit
324 daemon to stop sending events to child processes. The daemon
325 will still be alive. The single option will cause the audit dae‐
326 mon to put the computer system in single user mode. halt option
327 will cause the audit daemon to shutdown the computer system.
328
329 max_restarts
330 This is a non-negative number that tells the audit event dis‐
331 patcher how many times it can try to restart a crashed plugin.
332 The default is 10.
333
334 plugin_dir
335 This is the location that auditd will use to search for its
336 plugin configuration files.
337
338
NOTES
       In a CAPP environment, the audit trail is considered so important that
       access to system resources must be denied if an audit trail cannot be
       created. In this environment, it would be suggested that /var/log/audit
       be on its own partition. This is to ensure that space detection is
       accurate and that no other process comes along and consumes part of it.

       The flush parameter should be set to sync or data.

       Max_log_file and num_logs need to be adjusted so that you get complete
       use of your partition. It should be noted that the more files that have
       to be rotated, the longer it takes to get back to receiving audit
       events. Max_log_file_action should be set to keep_logs.

       Space_left should be set to a number that gives the admin enough time
       to react to any alert message and perform some maintenance to free up
       disk space. This would typically involve running the aureport -t report
       and moving the oldest logs to an archive area. The value of space_left
       is site dependent since the rate at which events are generated varies
       with each deployment. The space_left_action is recommended to be set to
       email. If you need something like an snmp trap, you can use the exec
       option to send one.

       Admin_space_left should be set to the amount of disk space on the audit
       partition needed for admin actions to be recorded.
       Admin_space_left_action would be set to single so that use of the
       machine is restricted to just the console.

       The disk_full_action is triggered when no more room exists on the
       partition. All access should be terminated since no more audit
       capability exists. This can be set to either single or halt.

       The disk_error_action should be set to syslog, single, or halt
       depending on your local policies regarding handling of hardware
       malfunctions.

       Specifying a single allowed client port may make it difficult for the
       client to restart their audit subsystem, as it will be unable to
       recreate a connection with the same host addresses and ports until the
       connection closure TIME_WAIT state times out.
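       The CAPP guidance in this section, turned into a check, as an added
       example that is not part of auditd: capp_findings() takes the
       configuration as a dict of lower-cased keywords to values (what a
       parser of the file would produce) and reports each deviation from the
       recommendations above, including admin_space_left not being lower
       than space_left; action_for_free_space() shows which of the three
       thresholds trips at a given amount of free space and which configured
       action results. Treating a threshold as tripping when free space drops
       below its value is an assumption about auditd's comparison, not
       something this page states. WEAK and HARDENED are constructed
       configurations, not real files.

```python
from typing import Dict, List, Optional, Tuple

# (keyword, values the NOTES section recommends)
CAPP_RULES = [
    ("flush", ("sync", "data")),
    ("max_log_file_action", ("keep_logs",)),
    ("space_left_action", ("email",)),
    ("admin_space_left_action", ("single",)),
    ("disk_full_action", ("single", "halt")),
    ("disk_error_action", ("syslog", "single", "halt")),
]


def capp_findings(cfg: Dict[str, str]) -> List[str]:
    """Return human-readable deviations from the CAPP guidance; [] if none."""
    findings: List[str] = []
    for keyword, allowed in CAPP_RULES:
        value = cfg.get(keyword, "").lower()   # values are case insensitive
        if value not in allowed:
            findings.append(f"{keyword} is {value or 'unset'}; CAPP guidance: "
                            + " or ".join(allowed))
    # The two thresholds are megabytes; admin_space_left is the last chance
    # and must therefore be the lower of the two.
    try:
        space_left = int(cfg.get("space_left", ""))
        admin_space_left = int(cfg.get("admin_space_left", ""))
    except ValueError:
        findings.append("space_left and admin_space_left must both be set (MB)")
    else:
        if admin_space_left >= space_left:
            findings.append(f"admin_space_left ({admin_space_left}) must be "
                            f"lower than space_left ({space_left})")
    return findings


def action_for_free_space(cfg: Dict[str, str],
                          free_mb: int) -> Tuple[Optional[str], Optional[str]]:
    """Which threshold trips at free_mb megabytes free, and its action.

    Assumption: a threshold trips once free space is below its value.
    Returns (threshold keyword, configured action), or (None, None).
    """
    if free_mb <= 0:
        return "disk_full_action", cfg.get("disk_full_action")
    if free_mb < int(cfg["admin_space_left"]):
        return "admin_space_left_action", cfg.get("admin_space_left_action")
    if free_mb < int(cfg["space_left"]):
        return "space_left_action", cfg.get("space_left_action")
    return None, None


# Constructed configurations. WEAK keeps the defaults and looser choices the
# page describes and has its thresholds the wrong way round; HARDENED follows
# the NOTES guidance.
WEAK = {
    "flush": "incremental_async",
    "max_log_file_action": "rotate",
    "space_left": "75",
    "space_left_action": "syslog",
    "admin_space_left": "100",            # higher than space_left: wrong order
    "admin_space_left_action": "suspend",
    "disk_full_action": "suspend",
    "disk_error_action": "ignore",
}

HARDENED = {
    "flush": "sync",
    "max_log_file_action": "keep_logs",
    "space_left": "500",
    "space_left_action": "email",
    "admin_space_left": "50",
    "admin_space_left_action": "single",
    "disk_full_action": "halt",
    "disk_error_action": "halt",
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"{name}: {capp_findings(cfg) or 'no findings'}")
        for free in (1000, 200, 20, 0):
            print(f"  {free:5d} MB free -> {action_for_free_space(cfg, free)}")
```

       Running the escalation against HARDENED shows the intended ordering:
       plenty of space triggers nothing, dropping under space_left sends the
       email, dropping under admin_space_left takes the machine to single user
       mode, and a full partition halts it.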

FILES
       /etc/audit/auditd.conf
              Audit daemon configuration file

SEE ALSO
       auditd(8), audisp-remote.conf(5), auditd-plugins(5).

AUTHOR
       Steve Grubb

Red Hat                          August 2018                    AUDITD.CONF:(5)