AUDITD.CONF:(5)         System Administration Utilities        AUDITD.CONF:(5)

NAME

       auditd.conf - audit daemon configuration file


DESCRIPTION

       The file /etc/audit/auditd.conf contains configuration information
       specific to the audit daemon.  It should contain one configuration
       keyword per line, an equal sign, and then the appropriate
       configuration value.  The keywords recognized are: log_file,
       log_format, log_group, priority_boost, flush, freq, num_logs,
       dispatcher, disp_qos, max_log_file, max_log_file_action,
       action_mail_acct, space_left, space_left_action, admin_space_left,
       admin_space_left_action, disk_full_action, and disk_error_action.
       These keywords are described below.

       log_file
              This keyword specifies the full path name to the log file where
              audit records will be stored. It must be a regular file.

       log_format
              The log format describes how the information should be stored
              on disk. There are two options: raw and nolog.  If set to RAW,
              the audit records will be stored in exactly the format the
              kernel sends them in. If this option is set to NOLOG then all
              audit information is discarded instead of being written to
              disk. This mode does not affect data sent to the audit event
              dispatcher.

       log_group
              This keyword specifies the group that is applied to the log
              file's permissions.  The default is root. The group name can be
              either numeric or spelled out.

       priority_boost
              This is a non-negative number that tells the audit daemon how
              much of a priority boost it should take. The default is 3. No
              change is 0.

       flush  Valid values are none, incremental, data, and sync.  If set to
              none, no special effort is made to flush the audit records to
              disk. If set to incremental, then the freq parameter is used to
              determine how often an explicit flush to disk is issued.  The
              data option tells the audit daemon to keep the data portion of
              the disk file synced at all times. The sync option tells the
              audit daemon to keep both the data and meta-data fully synced
              with every write to disk.

       freq   This is a non-negative number that tells the audit daemon how
              many records to write before issuing an explicit flush to disk
              command.  This value is only valid when the flush keyword is
              set to incremental.

       num_logs
              This keyword specifies the number of log files to keep if
              rotate is given as the max_log_file_action.  If the number is
              < 2, logs are not rotated. This number must be 99 or less.  The
              default is 0, which means no rotation. As you increase the
              number of log files being rotated, you may need to adjust the
              kernel backlog setting upwards since it takes more time to
              rotate the files.  This is typically done in
              /etc/audit/audit.rules.

       dispatcher
              The dispatcher is a program that is started by the audit daemon
              when it starts up. It will pass a copy of all audit events to
              that application's stdin. Make sure you trust the application
              that you add to this line since it runs with root privileges.

       disp_qos
              This option controls whether you want blocking/lossless or
              non-blocking/lossy communication between the audit daemon and
              the dispatcher.  There is a 128k buffer between the audit
              daemon and dispatcher. This is good enough for most uses. If
              lossy is chosen, incoming events going to the dispatcher are
              discarded when this queue is full.  (Events are still written
              to disk if log_format is not nolog.) Otherwise the auditd
              daemon will wait for the queue to have an empty spot before
              logging to disk.  The risk is that while the daemon is waiting
              for network IO, an event is not being recorded to disk. Valid
              values are: lossy and lossless. Lossy is the default value.

       max_log_file
              This keyword specifies the maximum file size in megabytes. When
              this limit is reached, it will trigger a configurable action.
              The value given must be numeric.

       max_log_file_action
              This parameter tells the system what action to take when the
              system has detected that the max file size limit has been
              reached.  Valid values are ignore, syslog, suspend, rotate and
              keep_logs.  If set to ignore, the audit daemon does nothing.
              syslog means that it will issue a warning to syslog.  suspend
              will cause the audit daemon to stop writing records to the
              disk.  The daemon will still be alive. The rotate option will
              cause the audit daemon to rotate the logs. It should be noted
              that logs with higher numbers are older than logs with lower
              numbers. This is the same convention used by the logrotate
              utility.  The keep_logs option is similar to rotate except it
              does not use the num_logs setting. This prevents audit logs
              from being overwritten.

       action_mail_acct
              This option should contain a valid email address or alias. The
              default address is root. If the email address is not local to
              the machine, you must make sure you have email properly
              configured on your machine and network.  Also, this option
              requires that /usr/lib/sendmail exists on the machine.

       space_left
              This is a numeric value in megabytes that tells the audit
              daemon when to perform a configurable action because the system
              is starting to run low on disk space.

       space_left_action
              This parameter tells the system what action to take when the
              system has detected that it is starting to get low on disk
              space.  Valid values are ignore, syslog, email, exec, suspend,
              single, and halt.  If set to ignore, the audit daemon does
              nothing.  syslog means that it will issue a warning to syslog.
              email means that it will send a warning to the email account
              specified in action_mail_acct as well as sending the message to
              syslog.  exec /path-to-script will execute the script. You
              cannot pass parameters to the script.  suspend will cause the
              audit daemon to stop writing records to the disk.  The daemon
              will still be alive. The single option will cause the audit
              daemon to put the computer system in single user mode.  The
              halt option will cause the audit daemon to shut down the
              computer system.

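       Because exec passes no parameters, an exec script for the space_left
       action has to carry its own configuration.  The script below is an
       added example written for this page, not part of the audit package,
       of the maintenance step the NOTES section describes: moving the
       oldest rotated logs to an archive area so the audit partition regains
       space.  The install path /usr/local/sbin/audit-archive.sh, the
       archive directory, and the audit.log.N naming of rotated files
       (inferred from the logrotate convention this page cites for rotate)
       are assumptions; the sample logs it creates are constructed.

```shell
#!/bin/sh
# space_left_action = exec /usr/local/sbin/audit-archive.sh   (path is assumed)
#
# Added example, not shipped with the audit package: an exec-action script
# that moves the oldest rotated audit logs into an archive area so the
# partition holding log_file regains space. auditd passes no arguments, so
# a deployed copy hard-codes its paths; the demo at the bottom runs on a
# constructed directory, never on the live /var/log/audit.
#
# Assumed rotated-file naming: audit.log.1, audit.log.2, ... with a higher N
# being an older file (the logrotate convention auditd.conf(5) describes).

set -u
umask 077

# make_demo_logs DIR: constructed sample data, one active log plus five
# rotated ones. The record text is made up and is not real auditd output.
make_demo_logs() {
    mkdir -p "$1"
    printf 'type=DAEMON_START msg=audit(constructed): auditd start\n' > "$1/audit.log"
    for n in 1 2 3 4 5; do
        printf 'type=SYSCALL msg=audit(constructed.%s): rotated record\n' "$n" \
            > "$1/audit.log.$n"
    done
}

# archive_oldest LOGDIR ARCHIVE KEEP: keep the KEEP newest rotated files
# (lowest numbers) in LOGDIR and move every older one into ARCHIVE.
# The active log (audit.log, no numeric suffix) is never touched.
# ARCHIVE must be on a different filesystem, or the move frees nothing.
archive_oldest() {
    logdir=$1; archive=$2; keep=$3
    mkdir -p "$archive" || return 1
    for f in "$logdir"/audit.log.*; do
        [ -e "$f" ] || continue
        n=${f##*.}
        case $n in *[!0-9]*|'') continue ;; esac   # skip non-numeric suffixes
        printf '%s\n' "$n"
    done | sort -n | awk -v keep="$keep" 'NR > keep' | while read -r n; do
        mv "$logdir/audit.log.$n" "$archive/" || exit 1
        printf 'archived audit.log.%s to %s\n' "$n" "$archive"
        # Leave a trace next to the auditd warning that triggered us.
        if command -v logger >/dev/null 2>&1; then
            logger -t audit-archive "archived audit.log.$n" || true
        fi
    done
}

# Demonstration on constructed data. A deployed copy replaces these lines with
#   archive_oldest /var/log/audit /var/log/audit-archive 2
demo=$(mktemp -d)
make_demo_logs "$demo/audit"
archive_oldest "$demo/audit" "$demo/archive" 2
rm -rf "$demo"
```

       With max_log_file_action set to keep_logs the numbering only grows,
       so the script can be re-run from every space_left alert without
       ever touching the file auditd is currently writing.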
       admin_space_left
              This is a numeric value in megabytes that tells the audit
              daemon when to perform a configurable action because the system
              is running low on disk space.  This should be considered the
              last chance to do something before running out of disk space.
              The numeric value for this parameter should be lower than the
              number for space_left.

       admin_space_left_action
              This parameter tells the system what action to take when the
              system has detected that it is low on disk space.  Valid values
              are ignore, syslog, email, exec, suspend, single, and halt.  If
              set to ignore, the audit daemon does nothing.  syslog means
              that it will issue a warning to syslog.  email means that it
              will send a warning to the email account specified in
              action_mail_acct as well as sending the message to syslog.
              exec /path-to-script will execute the script. You cannot pass
              parameters to the script.  suspend will cause the audit daemon
              to stop writing records to the disk. The daemon will still be
              alive. The single option will cause the audit daemon to put the
              computer system in single user mode.  The halt option will
              cause the audit daemon to shut down the computer system.

       disk_full_action
              This parameter tells the system what action to take when the
              system has detected that the partition to which log files are
              written has become full. Valid values are ignore, syslog, exec,
              suspend, single, and halt.  If set to ignore, the audit daemon
              does nothing.  syslog means that it will issue a warning to
              syslog.  exec /path-to-script will execute the script.  You
              cannot pass parameters to the script.  suspend will cause the
              audit daemon to stop writing records to the disk.  The daemon
              will still be alive. The single option will cause the audit
              daemon to put the computer system in single user mode.  The
              halt option will cause the audit daemon to shut down the
              computer system.

       disk_error_action
              This parameter tells the system what action to take whenever
              there is an error detected when writing audit events to disk or
              rotating logs.  Valid values are ignore, syslog, exec, suspend,
              single, and halt.  If set to ignore, the audit daemon does
              nothing.  syslog means that it will issue a warning to syslog.
              exec /path-to-script will execute the script. You cannot pass
              parameters to the script.  suspend will cause the audit daemon
              to stop writing records to the disk. The daemon will still be
              alive. The single option will cause the audit daemon to put the
              computer system in single user mode.  The halt option will
              cause the audit daemon to shut down the computer system.


NOTES

       In a CAPP environment, the audit trail is considered so important that
       access to system resources must be denied if an audit trail cannot be
       created. In this environment, it is suggested that /var/log/audit be
       on its own partition. This is to ensure that space detection is
       accurate and that no other process comes along and consumes part of
       it.

       The flush parameter should be set to sync or data.

       max_log_file and num_logs need to be adjusted so that you get complete
       use of your partition. It should be noted that the more files that
       have to be rotated, the longer it takes to get back to receiving audit
       events. max_log_file_action should be set to keep_logs.

       space_left should be set to a number that gives the admin enough time
       to react to any alert message and perform some maintenance to free up
       disk space. This would typically involve running the aureport -t
       report and moving the oldest logs to an archive area. The value of
       space_left is site dependent since the rate at which events are
       generated varies with each deployment. The space_left_action is
       recommended to be set to email. If you need something like an SNMP
       trap, you can use the exec option to send one.

       admin_space_left should be set to the amount of disk space on the
       audit partition needed for admin actions to be recorded.
       admin_space_left_action would be set to single so that use of the
       machine is restricted to just the console.

       The disk_full_action is triggered when no more room exists on the
       partition. All access should be terminated since no more audit
       capability exists. This can be set to either single or halt.

       The disk_error_action should be set to syslog, single, or halt
       depending on your local policies regarding handling of hardware
       malfunctions.
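
       The recommendations in this section are easy to state and easy to
       drift away from.  The script below is an added example written for
       this page, not part of the audit package: it reads an auditd.conf
       and reports every keyword whose value departs from the guidance
       above (flush, max_log_file_action, the three *_action keywords, and
       admin_space_left being below space_left).  The two configuration
       files it writes are constructed for the demonstration; the weak one
       is in the style of a default file that rotates and overwrites logs
       and merely suspends when the disk fills, the hardened one is the same
       file after applying this section.  Only the NOTES guidance is
       checked; whether /usr/lib/sendmail exists for the email action is
       left to the site.

```shell
#!/bin/sh
# check-auditd-conf.sh: compare an auditd.conf with the settings the NOTES
# section of auditd.conf(5) recommends. Added example, not part of the
# audit package. Usage:  sh check-auditd-conf.sh /etc/audit/auditd.conf

set -u

# conf_get FILE KEY: value of KEY with surrounding whitespace removed, last
# occurrence wins, empty when the keyword is absent. Comment lines never
# begin with a keyword, so the anchored pattern skips them.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# first_word STRING: lower-cased action keyword; "exec /path" becomes "exec".
# Stock files write values in upper case (RAW, INCREMENTAL), hence tolower.
first_word() {
    printf '%s\n' "$1" | awk '{print tolower($1)}'
}

# in_set VALUE ALLOWED...: succeed if VALUE equals one of ALLOWED.
in_set() {
    v=$1; shift
    for x in "$@"; do [ "$v" = "$x" ] && return 0; done
    return 1
}

# expect FILE KEY ALLOWED...: print a FAIL line unless KEY's action is allowed.
expect() {
    f=$1; k=$2; shift 2
    got=$(first_word "$(conf_get "$f" "$k")")
    in_set "$got" "$@" \
        || printf 'FAIL %s=%s (NOTES expect one of: %s)\n' "$k" "${got:-<unset>}" "$*"
}

# check_auditd_conf FILE: one FAIL line per deviation; status 0 when clean.
check_auditd_conf() {
    f=$1
    out=$(
        expect "$f" log_format raw                 # nolog discards every record
        expect "$f" flush sync data                # NOTES: sync or data
        expect "$f" max_log_file_action keep_logs  # NOTES: never overwrite logs
        expect "$f" space_left_action email exec   # NOTES: alert the admin
        expect "$f" admin_space_left_action single # NOTES: console only
        expect "$f" disk_full_action single halt   # NOTES: no audit, no access
        expect "$f" disk_error_action syslog single halt
        # admin_space_left is the last-chance threshold; it must be below space_left.
        s=$(conf_get "$f" space_left); a=$(conf_get "$f" admin_space_left)
        if ! [ "${a:-0}" -lt "${s:-0}" ] 2>/dev/null; then
            printf 'FAIL admin_space_left=%s is not below space_left=%s\n' \
                "${a:-<unset>}" "${s:-<unset>}"
        fi
    )
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# write_default_conf FILE: constructed file in the style of a shipped default.
write_default_conf() {
    cat > "$1" <<'EOF'
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL
freq = 20
num_logs = 4
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
EOF
}

# write_hardened_conf FILE: the same file after applying the NOTES guidance.
write_hardened_conf() {
    cat > "$1" <<'EOF'
log_file = /var/log/audit/audit.log
log_format = RAW
flush = SYNC
max_log_file = 50
max_log_file_action = KEEP_LOGS
space_left = 500
space_left_action = EMAIL
action_mail_acct = root
admin_space_left = 100
admin_space_left_action = SINGLE
disk_full_action = HALT
disk_error_action = SINGLE
EOF
}

if [ $# -gt 0 ]; then check_auditd_conf "$1"; fi
```

       Run against the weak file it prints six FAIL lines (flush,
       max_log_file_action, and the four action keywords) and exits 1;
       against the hardened file it prints nothing and exits 0, which makes
       it usable from a cron job or a configuration-management check.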

FILES

       /etc/audit/auditd.conf
              Audit daemon configuration file

SEE ALSO

       auditd(8).

AUTHOR

       Steve Grubb


Red Hat                            Aug 2007                    AUDITD.CONF:(5)