1AUDITD.CONF(5)          System Administration Utilities         AUDITD.CONF(5)
2
3
4

NAME

6       auditd.conf - audit daemon configuration file
7

DESCRIPTION

9       The file /etc/audit/auditd.conf contains configuration information spe‐
10       cific to the audit daemon. Each line should contain  one  configuration
11       keyword,  an equal sign, and then followed by appropriate configuration
12       information. All option names and values are case insensitive. The key‐
13       words  recognized  are  listed and described below. Each line should be
14       limited to 160 characters or the line will be skipped. You may add com‐
15       ments to the file by starting the line with a '#' character.
16
17
18       local_events
19              This  yes/no  keyword  specifies whether or not to include local
20              events. Normally you want local events so the default  value  is
21              yes.  Cases  where  you would set this to no is when you want to
22              aggregate events only from the network. At the moment,  this  is
23              useful  if  the audit daemon is running in a container. This op‐
24              tion can only be set once at daemon start up. Reloading the con‐
25              fig file has no effect.
26
27       log_file
28              This  keyword specifies the full path name to the log file where
29              audit records will be stored. It must be a regular file.
30
31       write_logs
32              This yes/no keyword determines whether or not to write  logs  to
33              the disk.  Normally you want this so the default is yes.
34
35       log_format
36              The log format describes how the information should be stored on
37              disk. There are 2 options: raw and enriched. If set to RAW,  the
38              audit  records  will be stored in a format exactly as the kernel
39              sends it.  The  ENRICHED  option  will  resolve  all  uid,  gid,
40              syscall,  architecture,  and  socket  address information before
41              writing the event to disk. This aids in making sense  of  events
42              created  on  one system but reported/analyzed on another system.
43              The NOLOG option is now deprecated. If  you  were  setting  this
44              format, now you should set the write_logs option to no.
45
46       log_group
47              This  keyword  specifies  the  group  that is applied to the log
48              file's permissions. The default is root. The group name  can  be
49              either numeric or spelled out.
50
51       priority_boost
52              This  is  a  non-negative number that tells the audit daemon how
53              much of a priority boost it should take. The default  is  4.  No
54              change is 0.
55
56       flush  Valid  values  are  none,  incremental, incremental_async, data,
57              and sync.  If set to none, no special effort is  made  to  flush
58              the  audit records to disk. If set to incremental, Then the freq
59              parameter is used to determine how often an  explicit  flush  to
60              disk  is  issued.   The incremental_async parameter is very much
61              like incremental except the flushing is done asynchronously  for
62              higher performance. The data parameter tells the audit daemon to
63              keep the data portion of the disk file sync'd at all times.  The
64              sync  option  tells  the  audit daemon to keep both the data and
65              meta-data fully sync'd with every write  to  disk.  The  default
66              value is incremental_async.
67
68       freq   This  is  a  non-negative number that tells the audit daemon how
69              many records to write before issuing an explicit flush  to  disk
70              command.  This value is only valid when the flush keyword is set
71              to incremental or incremental_async.
72
73       num_logs
74              This keyword specifies the number of log files to keep if rotate
75              is given as the max_log_file_action.  If the number is < 2, logs
76              are not rotated. This number must be 999 or less.   The  default
77              is  0  -  which means no rotation. As you increase the number of
78              log files being rotated, you may need to adjust the kernel back‐
79              log  setting  upwards  since  it  takes  more time to rotate the
80              files. This is typically done in /etc/audit/audit.rules. If  log
81              rotation  is  configured to occur, the daemon will check for ex‐
82              cess logs and remove them in effort to keep  disk  space  avail‐
83              able.  The  excess  log check is only done on startup and when a
84              reconfigure results in a space check.
85
86       name_format
87              This option controls how computer node names are  inserted  into
88              the  audit  event  stream.  It  has the following choices: none,
89              hostname, fqd, numeric, and user.  None means that  no  computer
90              name is inserted into the audit event.  hostname is the name re‐
91              turned by the gethostname syscall. The fqd means that  it  takes
92              the  hostname and resolves it with dns for a fully qualified do‐
93              main name of that machine.  Numeric is similar to fqd except  it
94              resolves the IP address of the machine. In order to use this op‐
95              tion, you might want to test that 'hostname -i'  or  'domainname
96              -i'  returns  a numeric address. Also, this option is not recom‐
97              mended if dhcp is used because  you  could  have  different  ad‐
98              dresses  over  time  for the same machine.  User is an admin de‐
99              fined string from the name option. The default value is none.
100
101       name   This is the admin defined string that identifies the machine  if
102              user is given as the name_format option.
103
104       max_log_file
105              This  keyword specifies the maximum file size in megabytes. When
106              this limit is reached, it will trigger  a  configurable  action.
107              The value given must be numeric.
108
109       max_log_file_action
110              This  parameter  tells  the  system what action to take when the
111              system has detected that  the  max  file  size  limit  has  been
112              reached.  Valid  values  are ignore, syslog, suspend, rotate and
113              keep_logs.  If set to ignore, the  audit  daemon  does  nothing.
114              syslog  means  that  it will issue a warning to syslog.  suspend
115              will cause the audit daemon to stop writing records to the disk.
116              The daemon will still be alive. The rotate option will cause the
117              audit daemon to rotate the logs. It should be  noted  that  logs
118              with higher numbers are older than logs with lower numbers. This
119              is the same  convention  used  by  the  logrotate  utility.  The
120              keep_logs option is similar to rotate except it does not use the
121              num_logs setting. This prevents audit logs from being  overwrit‐
122              ten.  The  effect  is that logs accumulate and are not deleted -
123              which will trigger the space_left_action if the volume fills up.
124              This is best used in combination with an external script used to
125              archive logs on a periodic basis.
126
127       verify_email
128              This option  determines  if  the  email  address  given  in  ac‐
129              tion_mail_acct  is  checked to see if the domain name can be re‐
130              solved. This option must be given before action_mail_acct or the
131              default value of yes will be used.
132
133       action_mail_acct
134              This  option  should contain a valid email address or alias. The
135              default address is root. If the email address is  not  local  to
136              the  machine, you must make sure you have email properly config‐
137              ured on your machine and network.  Also,  this  option  requires
138              that /usr/lib/sendmail exists on the machine.
139
140       space_left
141              If  the  free  space in the filesystem containing log_file drops
142              below this value, the audit daemon takes the action specified by
143              space_left_action.  If the value of space_left is specified as a
144              whole number, it is interpreted as an absolute size in megabytes
145              (MiB).   If  the value is specified as a number between 1 and 99
146              followed by a percentage sign (e.g., 5%), the audit daemon  cal‐
147              culates  the absolute size in megabytes based on the size of the
148              filesystem containing log_file.  (E.g., if the  filesystem  con‐
149              taining  log_file  is 2 gigabytes in size, and space_left is set
150              to 25%, then the audit daemon sets space_left  to  approximately
151              500 megabytes.  Note that this calculation is performed when the
152              audit daemon starts, so if you resize the filesystem  containing
153              log_file  while the audit daemon is running, you should send the
154              audit daemon SIGHUP to re-read the configuration file and recal‐
155              culate the correct percentage.
156
157       space_left_action
158              This  parameter  tells  the  system what action to take when the
159              system has detected that it is  starting  to  get  low  on  disk
160              space.   Valid  values  are ignore, syslog, rotate, email, exec,
161              suspend, single, and halt.  If set to ignore, the  audit  daemon
162              does nothing.  syslog means that it will issue a warning to sys‐
163              log.  rotate will rotate logs, losing  the  oldest  to  free  up
164              space.  Email means that it will send a warning to the email ac‐
165              count specified in action_mail_acct as well as sending the  mes‐
166              sage  to  syslog.  exec /path-to-script will execute the script.
167              You cannot pass parameters to the script. The script is also re‐
168              sponsible  for  telling the auditd daemon to resume logging once
169              its completed its action. This can be done by adding service au‐
170              ditd  resume to the script.  suspend will cause the audit daemon
171              to stop writing records to the disk. The daemon  will  still  be
172              alive.  The single option will cause the audit daemon to put the
173              computer system in single user mode. The halt option will  cause
174              the audit daemon to shutdown the computer system. Except for ro‐
175              tate, it will perform this action just one time.
176
177       admin_space_left
178              This is a numeric value in megabytes that tells the audit daemon
179              when to perform a configurable action because the system is run‐
180              ning low on disk space.  This  should  be  considered  the  last
181              chance to do something before running out of disk space. The nu‐
182              meric value for this parameter should be lower than  the  number
183              for  space_left. You may also append a percent sign (e.g. 1%) to
184              the number to have the audit daemon calculate the  number  based
185              on the disk partition size.
186
187       admin_space_left_action
188              This  parameter  tells  the  system what action to take when the
189              system has detected that it is low on disk space.  Valid  values
190              are  ignore,  syslog,  rotate, email, exec, suspend, single, and
191              halt.  If set to ignore, the audit daemon does nothing.   Syslog
192              means  that  it will issue a warning to syslog.  rotate will ro‐
193              tate logs, losing the oldest to free up space.  Email means that
194              it  will  send  a  warning to the email account specified in ac‐
195              tion_mail_acct as well as sending the message to  syslog.   exec
196              /path-to-script will execute the script. You cannot pass parame‐
197              ters to the script. The script is also responsible  for  telling
198              the  auditd  daemon to resume logging once its completed its ac‐
199              tion. This can be done by adding service auditd  resume  to  the
200              script.   Suspend  will  cause  the audit daemon to stop writing
201              records to the disk. The daemon will still be alive. The  single
202              option will cause the audit daemon to put the computer system in
203              single user mode. The halt option will cause the audit daemon to
204              shutdown the computer system. Except for rotate, it will perform
205              this action just one time.
206
207       disk_full_action
208              This parameter tells the system what action  to  take  when  the
209              system  has  detected  that the partition to which log files are
210              written has become full. Valid values are  ignore,  syslog,  ro‐
211              tate,  exec,  suspend,  single, and halt.  If set to ignore, the
212              audit daemon will issue a syslog message but no other action  is
213              taken.   Syslog  means  that  it will issue a warning to syslog.
214              rotate will rotate logs, losing the oldest  to  free  up  space.
215              exec  /path-to-script  will  execute the script. You cannot pass
216              parameters to the script. The script  is  also  responsible  for
217              telling the auditd daemon to resume logging g once its completed
218              its action. This can be done by adding service auditd resume  to
219              the script.  Suspend will cause the audit daemon to stop writing
220              records to the disk. The daemon will still be alive. The  single
221              option will cause the audit daemon to put the computer system in
222              single user mode.  halt option will cause the  audit  daemon  to
223              shutdown the computer system.
224
225       disk_error_action
226              This  parameter  tells  the  system what action to take whenever
227              there is an error detected when writing audit events to disk  or
228              rotating  logs.  Valid values are ignore, syslog, exec, suspend,
229              single, and halt.  If set to ignore, the audit daemon  will  not
230              take any action.  Syslog means that it will issue no more than 5
231              consecutive warnings to syslog.  exec /path-to-script will  exe‐
232              cute the script. You cannot pass parameters to the script.  Sus‐
233              pend will cause the audit daemon to stop writing records to  the
234              disk.  The  daemon  will  still be alive. The single option will
235              cause the audit daemon to put the computer system in single user
236              mode.   halt  option will cause the audit daemon to shutdown the
237              computer system.
238
239       tcp_listen_port
240              This is a numeric value in the range 1..65535 which,  if  speci‐
241              fied,  causes auditd to listen on the corresponding TCP port for
242              audit records from remote  systems.  The  audit  daemon  may  be
243              linked with tcp_wrappers. You may want to control access with an
244              entry in the hosts.allow and deny files. If this is deployed  on
245              a  systemd based OS, then you may need to adjust the 'After' di‐
246              rective. See the note in the auditd.service file.
247
248       tcp_listen_queue
249              This is a numeric value which indicates how  many  pending  (re‐
250              quested but unaccepted) connections are allowed.  The default is
251              5.  Setting this too small may cause connections to be  rejected
252              if too many hosts start up at exactly the same time, such as af‐
253              ter a power failure. This setting is only used  for  aggregating
254              servers.  Clients  logging  to  a remote server should keep this
255              commented out.
256
257       tcp_max_per_addr
258              This is a numeric value which indicates how many concurrent con‐
259              nections  from  one IP address is allowed.  The default is 1 and
260              the maximum is 1024. Setting this too large may allow for a  De‐
261              nial of Service attack on the logging server. Also note that the
262              kernel has an internal maximum that will eventually prevent this
263              even  if  auditd allows it by config. The default should be ade‐
264              quate in most cases unless a custom written recovery script runs
265              to  forward  unsent  events. In this case you would increase the
266              number only large enough to let it in too.
267
268       use_libwrap
269              This setting determines whether or not to  use  tcp_wrappers  to
270              discern  connection attempts that are from allowed machines. Le‐
271              gal values are either yes, or no The default value is yes.
272
273       tcp_client_ports
274              This parameter may be a single numeric value or two values sepa‐
275              rated  by a dash (no spaces allowed).  It indicates which client
276              ports are allowed for incoming connections.  If  not  specified,
277              any port is allowed.  Allowed values are 1..65535.  For example,
278              to require the client use a privileged port, specify 1-1023  for
279              this  parameter. You will also need to set the local_port option
280              in the audisp-remote.conf file. Making sure  that  clients  send
281              from  a privileged port is a security feature to prevent log in‐
282              jection attacks by untrusted users.
283
284       tcp_client_max_idle
285              This parameter indicates the number of seconds that a client may
286              be idle (i.e. no data from them at all) before auditd complains.
287              This is used to close inactive connections if the client machine
288              has  a  problem where it cannot shutdown the connection cleanly.
289              Note that this is a global setting, and must be higher than  any
290              individual  client  heartbeat_timeout  setting,  preferably by a
291              factor of two.  The default is zero, which disables this check.
292
293       transport
294              If set to TCP, only clear text tcp connections will be used.  If
295              set to KRB5, then Kerberos 5 will be used for authentication and
296              encryption. The default value is TCP.
297
298       enable_krb5
299              This option is deprecated. Use the transport  option  above  in‐
300              stead.  If set to "yes", Kerberos 5 will be used for authentica‐
301              tion and encryption.  The default is "no". If this option is set
302              to  "yes"  and it follows the transport option, it will override
303              the transport setting. This would be the normal expected  behav‐
304              ior for backwards compatibility.
305
306       krb5_principal
307              This is the principal for this server.  The default is "auditd".
308              Given this default, the server will look for a  key  named  like
309              auditd/hostname@EXAMPLE.COM  stored  in  /etc/audit/audit.key to
310              authenticate itself, where hostname is the  canonical  name  for
311              the  server's  host,  as  returned by a DNS lookup of its IP ad‐
312              dress.
313
314       krb5_key_file
315              Location of the key for this client's principal.  Note that  the
316              key  file  must  be owned by root and mode 0400.  The default is
317              /etc/audit/audit.key
318
319       distribute_network
320              If set to "yes", network originating events will be  distributed
321              to the audit dispatcher for processing. The default is "no".
322
323       q_depth
324              This  is a numeric value that tells how big to make the internal
325              queue of the audit event dispatcher. A bigger queue lets it han‐
326              dle a flood of events better, but could hold events that are not
327              processed when the daemon is terminated. If you get messages  in
328              syslog  about  events  getting dropped, increase this value. The
329              default value is 2000.
330
331       overflow_action
332              This option determines how the daemon should react to  overflow‐
333              ing  its  internal  queue. When this happens, it means that more
334              events are being received than it can pass along to  child  pro‐
335              cesses.  This  error  means that it is going to lose the current
336              event that it's trying to dispatch. This option has the  follow‐
337              ing  choices: ignore, syslog, suspend, single, and halt.  If set
338              to ignore, the audit daemon does nothing.  syslog means that  it
339              will  issue  a  warning to syslog.  suspend will cause the audit
340              daemon to stop sending events to  child  processes.  The  daemon
341              will still be alive. The single option will cause the audit dae‐
342              mon to put the computer system in single user mode.  halt option
343              will cause the audit daemon to shutdown the computer system.
344
345       max_restarts
346              This  is  a  non-negative number that tells the audit event dis‐
347              patcher how many times it can try to restart a  crashed  plugin.
348              The default is 10.
349
350       plugin_dir
351              This  is  the  location  that  auditd will use to search for its
352              plugin configuration files.
353
354       end_of_event_timeout
355              This is a non-negative number of seconds used by  the  userspace
356              auparse()  library  routines  and  the aureport(8) , ausearch(8)
357              utilities to consider an event is complete when parsing an event
358              log  stream. For an event stream being processed, if the time of
359              the current event is over end_of_event_timeout seconds old, com‐
360              pared  to  co-located  events, then the event is considered com‐
361              plete. See the NOTES section for more detail.
362

NOTES

364       In a CAPP environment, the audit trail is considered so important  that
365       access  to  system resources must be denied if an audit trail cannot be
366       created. In this environment, it would be suggested that /var/log/audit
367       be  on its own partition. This is to ensure that space detection is ac‐
368       curate and that no other process comes along and consumes part of it.
369
370       The flush parameter should be set to sync or data.
371
372       Max_log_file and num_logs need to be adjusted so that you get  complete
373       use of your partition. It should be noted that the more files that have
374       to be rotated, the longer it takes  to  get  back  to  receiving  audit
375       events. Max_log_file_action should be set to keep_logs.
376
377       Space_left  should  be set to a number that gives the admin enough time
378       to react to any alert message and perform some maintenance to  free  up
379       disk space. This would typically involve running the aureport -t report
380       and moving the oldest logs to an archive area. The value of  space_left
381       is  site  dependent since the rate at which events are generated varies
382       with each deployment. The space_left_action is recommended to be set to
383       email.  If  you  need something like an snmp trap, you can use the exec
384       option to send one.
385
386       Admin_space_left should be set to the amount of disk space on the audit
387       partition needed for admin actions to be recorded. Admin_space_left_ac‐
388       tion would be set to single so that use of the machine is restricted to
389       just the console.
390
391       The  disk_full_action is triggered when no more room exists on the par‐
392       tition. All access should be terminated since no more audit  capability
393       exists. This can be set to either single or halt.
394
395       The  disk_error_action should be set to syslog, single, or halt depend‐
396       ing on your local policies regarding handling of hardware malfunctions.
397
398       Specifying a single allowed client port may make it difficult  for  the
399       client to restart their audit subsystem, as it will be unable to recre‐
400       ate a connection with the same host addresses and ports until the  con‐
401       nection closure TIME_WAIT state times out.
402
403
404       Auditd  events  are  made  up of one or more records. The auditd system
405       cannot guarantee that the set of records that make up an event will oc‐
406       cur  atomically,  that  is  the stream will have interleaved records of
407       different events, IE
408
409              event0_record0
410              event1_record0
411              event2_record0
412              event1_record3
413              event2_record1
414              event1_record4
415              event3_record0
416
417       The auditd system does not guarantee that the records that make  up  an
418       event  will  appear  in  order. Thus, when processing event streams, we
419       need to maintain a list of events with their own list of records  hence
420       List of List (LOL) event processing.
421
422       When processing an event stream we define the end of an event via
423
424              record type = AUDIT_EOE (audit end of event type record), or
425              record  type  =  AUDIT_PROCTITLE (we note the AUDIT_PROCTITLE is
426              always the last record), or
427              record  type  =  AUDIT_KERNEL  (kernel  events  are  one  record
428              events), or
429              record  type  < AUDIT_FIRST_EVENT (only single record events ap‐
430              pear before this type), or
431              record type >= AUDIT_FIRST_ANOM_MSG (only single  record  events
432              appear after this type), or
433              record  type  >=  AUDIT_MAC_UNLBL_ALLOW  &&  record  type <= AU‐
434              DIT_MAC_CALIPSO_DEL (these are also one record events), or
435              for the stream being processed, the time of the  event  is  over
436              end_of_event_timeout seconds old.
437
438

FILES

440       /etc/audit/auditd.conf
441              Audit daemon configuration file
442
443

SEE ALSO

445       auditd(8), audisp-remote.conf(5), auditd-plugins(5).
446
447

AUTHOR

449       Steve Grubb
450
451
452
453Red Hat                           August 2018                   AUDITD.CONF(5)
Impressum