xref: /freebsd/contrib/openbsm/bin/auditdistd/auditdistd.conf.5 (revision b626f5a73a48f44a31a200291b141e1da408a2ff)
1aa772005SRobert Watson.\" Copyright (c) 2012 The FreeBSD Foundation
2aa772005SRobert Watson.\" All rights reserved.
3aa772005SRobert Watson.\"
4aa772005SRobert Watson.\" This documentation was written by Pawel Jakub Dawidek under sponsorship
5aa772005SRobert Watson.\" from the FreeBSD Foundation.
6aa772005SRobert Watson.\"
7aa772005SRobert Watson.\" Redistribution and use in source and binary forms, with or without
8aa772005SRobert Watson.\" modification, are permitted provided that the following conditions
9aa772005SRobert Watson.\" are met:
10aa772005SRobert Watson.\" 1. Redistributions of source code must retain the above copyright
11aa772005SRobert Watson.\"    notice, this list of conditions and the following disclaimer.
12aa772005SRobert Watson.\" 2. Redistributions in binary form must reproduce the above copyright
13aa772005SRobert Watson.\"    notice, this list of conditions and the following disclaimer in the
14aa772005SRobert Watson.\"    documentation and/or other materials provided with the distribution.
15aa772005SRobert Watson.\"
16aa772005SRobert Watson.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
17aa772005SRobert Watson.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18aa772005SRobert Watson.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19aa772005SRobert Watson.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
20aa772005SRobert Watson.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21aa772005SRobert Watson.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22aa772005SRobert Watson.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23aa772005SRobert Watson.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24aa772005SRobert Watson.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25aa772005SRobert Watson.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26aa772005SRobert Watson.\" SUCH DAMAGE.
27aa772005SRobert Watson.\"
28aa772005SRobert Watson.\" $FreeBSD$
29aa772005SRobert Watson.\"
30*b6a05070SChristian Brueffer.Dd July 1, 2015
31aa772005SRobert Watson.Dt AUDITDISTD.CONF 5
32aa772005SRobert Watson.Os
33aa772005SRobert Watson.Sh NAME
34aa772005SRobert Watson.Nm auditdistd.conf
35aa772005SRobert Watson.Nd configuration file for the
36aa772005SRobert Watson.Xr auditdistd 8
37aa772005SRobert Watsondaemon.
38aa772005SRobert Watson.Sh DESCRIPTION
39aa772005SRobert WatsonNote: the configuration file may contain passwords.
40*b6a05070SChristian BruefferCare should be taken to configure proper permissions for this file
41*b6a05070SChristian Brueffer.Li ( e.g., 0600 ) .
42aa772005SRobert Watson.Pp
43*b6a05070SChristian BruefferEvery line starting with
44*b6a05070SChristian Brueffer.Li #
45*b6a05070SChristian Brueffergets treated as a comment and is ignored.
46aa772005SRobert Watson.Sh CONFIGURATION FILE SYNTAX
47*b6a05070SChristian BruefferThe general syntax of the
48aa772005SRobert Watson.Nm
49*b6a05070SChristian Bruefferfile is as follows:
50*b6a05070SChristian Brueffer.Bd -literal
51aa772005SRobert Watson## Global section.
52aa772005SRobert Watson
53aa772005SRobert Watson# Our name.
54*b6a05070SChristian Brueffer# The default is the first part of the hostname.
55aa772005SRobert Watsonname "<name>"
56aa772005SRobert Watson
57aa772005SRobert Watson# Connection timeout.
58aa772005SRobert Watson# The default is 5.
59aa772005SRobert Watsontimeout <seconds>
60aa772005SRobert Watson
61aa772005SRobert Watson# Path to pidfile.
62aa772005SRobert Watson# The default is "/var/run/auditdistd.pid".
63aa772005SRobert Watsonpidfile "<path>"
64aa772005SRobert Watson
65aa772005SRobert Watsonsender {
66aa772005SRobert Watson	## Sender section.
67aa772005SRobert Watson
68aa772005SRobert Watson	# Source address for connections.
69aa772005SRobert Watson	# Optional.
70aa772005SRobert Watson	source "<addr>"
71aa772005SRobert Watson
72aa772005SRobert Watson	# Directory with audit trail files managed by auditdistd.
73aa772005SRobert Watson	# The default is /var/audit/dist.
74aa772005SRobert Watson	directory "<dir>"
75aa772005SRobert Watson.\"
76*b6a05070SChristian Brueffer.\"	# Checksum algorithm for data sent over the wire.
77aa772005SRobert Watson.\"	# The default is none.
78aa772005SRobert Watson.\"	checksum "<algorithm>"
79aa772005SRobert Watson.\"
80*b6a05070SChristian Brueffer.\"	# Compression algorithm for data sent over the wire.
81aa772005SRobert Watson.\"	# The default is none.
82aa772005SRobert Watson.\"	compression "<algorithm>"
83aa772005SRobert Watson
84aa772005SRobert Watson	# Configuration for the target system we want to send audit trail
85aa772005SRobert Watson	# files to.
86aa772005SRobert Watson	host "<name>" {
87aa772005SRobert Watson		# Source address for connections.
88aa772005SRobert Watson		# Optional.
89aa772005SRobert Watson		source "<addr>"
90aa772005SRobert Watson
91*b6a05070SChristian Brueffer		# Address of the auditdistd receiver.
92aa772005SRobert Watson		# No default. Obligatory.
93aa772005SRobert Watson		remote "<addr>"
94aa772005SRobert Watson
95aa772005SRobert Watson		# Directory with audit trail files managed by auditdistd.
96aa772005SRobert Watson		# The default is /var/audit/dist.
97aa772005SRobert Watson		directory "<dir>"
98aa772005SRobert Watson
99aa772005SRobert Watson		# Fingerprint of the receiver's public key when using TLS
100*b6a05070SChristian Brueffer		# for connections.
101aa772005SRobert Watson		# Example fingerprint:
102aa772005SRobert Watson		# SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30:14:D7:F9:AA:8B:3E:73:CD:F5:76:2B
103aa772005SRobert Watson		fingerprint "<algorithm=hash>"
104aa772005SRobert Watson
105aa772005SRobert Watson		# Password used to authenticate in front of the receiver.
106aa772005SRobert Watson		password "<password>"
107aa772005SRobert Watson.\"
108*b6a05070SChristian Brueffer.\"		# Checksum algorithm for data sent over the wire.
109aa772005SRobert Watson.\"		# The default is none.
110aa772005SRobert Watson.\"		checksum "<algorithm>"
111aa772005SRobert Watson.\"
112*b6a05070SChristian Brueffer.\"		# Compression algorithm for data sent over the wire.
113aa772005SRobert Watson.\"		# The default is none.
114aa772005SRobert Watson.\"		compression "<algorithm>"
115aa772005SRobert Watson	}
116aa772005SRobert Watson
117*b6a05070SChristian Brueffer	# Currently local audit trail files can be sent only to one remote
118aa772005SRobert Watson	# auditdistd receiver, but this can change in the future.
119aa772005SRobert Watson}
120aa772005SRobert Watson
121aa772005SRobert Watsonreceiver {
122aa772005SRobert Watson	## Receiver section.
123aa772005SRobert Watson
124*b6a05070SChristian Brueffer	# Address to listen on. Multiple listen addresses may be specified.
125aa772005SRobert Watson	# The defaults are "tcp4://0.0.0.0:7878" and "tcp6://[::]:7878".
126aa772005SRobert Watson	listen "<addr>"
127aa772005SRobert Watson
128aa772005SRobert Watson	# Base directory.
129*b6a05070SChristian Brueffer	# If the directory in the host section is not absolute, it will be
130*b6a05070SChristian Brueffer        # concatenated with this base directory.
131aa772005SRobert Watson	# The default is "/var/audit/remote".
132aa772005SRobert Watson	directory "<basedir>"
133aa772005SRobert Watson
134*b6a05070SChristian Brueffer	# Path to the receiver's certificate file.
135aa772005SRobert Watson	# The default is "/etc/security/auditdistd.cert.pem".
136aa772005SRobert Watson	certfile "<path>"
137aa772005SRobert Watson
138*b6a05070SChristian Brueffer	# Path to the receiver's private key file.
139aa772005SRobert Watson	# The default is "/etc/security/auditdistd.key.pem".
140aa772005SRobert Watson	keyfile "<path>"
141aa772005SRobert Watson
142aa772005SRobert Watson	# Configuration for a source system we want to receive audit trail
143aa772005SRobert Watson	# files from.
144aa772005SRobert Watson	host "<name>" {
145aa772005SRobert Watson		# Sender address.
146aa772005SRobert Watson		# No default. Obligatory.
147aa772005SRobert Watson		remote "<addr>"
148aa772005SRobert Watson
149aa772005SRobert Watson		# Directory where to store audit trail files received
150aa772005SRobert Watson		# from system <name>.
151aa772005SRobert Watson		# The default is "<basedir>/<name>".
152aa772005SRobert Watson		directory "<dir>"
153aa772005SRobert Watson
154aa772005SRobert Watson		# Password used by the sender to authenticate.
155aa772005SRobert Watson		password "<password>"
156aa772005SRobert Watson	}
157aa772005SRobert Watson
158aa772005SRobert Watson	# Multiple hosts to receive from can be configured.
159aa772005SRobert Watson}
160aa772005SRobert Watson.Ed
161aa772005SRobert Watson.Pp
162aa772005SRobert WatsonMost of the various available configuration parameters are optional.
163*b6a05070SChristian BruefferIf a parameter is not defined in the particular section, it will be
164aa772005SRobert Watsoninherited from the parent section if possible.
165aa772005SRobert WatsonFor example, if the
166aa772005SRobert Watson.Ic source
167aa772005SRobert Watsonparameter is not defined in the
168aa772005SRobert Watson.Ic host
169aa772005SRobert Watsonsection, it will be inherited from the
170aa772005SRobert Watson.Ic sender
171aa772005SRobert Watsonsection.
172aa772005SRobert WatsonIn case the
173aa772005SRobert Watson.Ic global
174aa772005SRobert Watsonsection does not define the
175aa772005SRobert Watson.Ic source
176aa772005SRobert Watsonparameter at all, the default value will be used.
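.Pp
As an added illustration of the inheritance rule just described (this is example code, not part of OpenBSM or the
.Nm auditdistd
sources), the following Python script parses the grammar shown in the CONFIGURATION FILE SYNTAX section and computes each host's effective settings: values flow from the global section to the sender or receiver section to the host subsection, the defaults stated on this page fill the remaining gaps, a sender or receiver directory must be absolute, and a receiver host's relative directory is joined with the receiver's base directory. The sample configuration, the function names and the layout of the returned dictionary are constructed for this example and are not defined by the daemon.

```python
"""Parser for the auditdistd.conf grammar shown in the manual page, with the
parent-section inheritance rule and the documented defaults applied.
Added example, not code from OpenBSM or auditdistd: the grammar subset and
the defaults come from the manual page; SAMPLE, the function names and the
layout of the returned dictionary are constructed for this demonstration."""
import re
from pathlib import PurePosixPath

# Defaults stated in the manual page.
GLOBAL_DEFAULTS = {"timeout": "5", "pidfile": "/var/run/auditdistd.pid"}
SENDER_DIR = "/var/audit/dist"
RECEIVER_DIR = "/var/audit/remote"

# A token is a double-quoted string, a single brace, or a bare word.
TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}"]+')


def tokenize(text):
    """Drop lines whose first non-blank character is '#', then tokenize.
    Only whole comment lines are ignored, so a '#' inside a quoted
    password survives intact."""
    tokens = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        tokens.extend(TOKEN.findall(line))
    return tokens


def unquote(token):
    return token[1:-1] if token.startswith('"') else token


def parse_block(tokens, i=0):
    """Parse `key value`, `key { ... }` and `key label { ... }` entries until a
    closing brace or the end of input.  Returns (node, index of next token)."""
    node = {"params": {}, "blocks": []}
    while i < len(tokens) and tokens[i] != "}":
        key = tokens[i]
        i += 1
        label = None
        if i < len(tokens) and tokens[i] not in ("{", "}"):
            label = unquote(tokens[i])
            i += 1
        if i < len(tokens) and tokens[i] == "{":
            child, i = parse_block(tokens, i + 1)
            if i >= len(tokens):
                raise ValueError(f"unterminated block {key!r}")
            i += 1  # consume the closing brace
            node["blocks"].append((key, label, child))
        elif label is None:
            raise ValueError(f"missing value for {key!r}")
        else:
            node["params"][key] = label
    return node, i


def resolve(text):
    """Return {"global": {...}, "sender": {host: settings},
    "receiver": {host: settings}} with inheritance and defaults applied."""
    tokens = tokenize(text)
    root, i = parse_block(tokens)
    if i != len(tokens):
        raise ValueError("unexpected '}' at top level")
    glob = dict(GLOBAL_DEFAULTS, **root["params"])
    result = {"global": glob, "sender": {}, "receiver": {}}
    for mode, _, section in root["blocks"]:
        if mode not in ("sender", "receiver"):
            raise ValueError(f"unknown section {mode!r}")
        basedir = section["params"].get(
            "directory", SENDER_DIR if mode == "sender" else RECEIVER_DIR)
        if not basedir.startswith("/"):
            raise ValueError(f"{mode}: directory {basedir!r} must be absolute")
        for kind, name, host in section["blocks"]:
            if kind != "host" or name is None:
                raise ValueError(f"{mode}: unexpected block {kind!r}")
            if "remote" not in host["params"]:
                raise ValueError(f"{mode} host {name!r}: 'remote' is obligatory")
            # Inheritance: global -> section -> host subsection.
            effective = dict(glob)
            effective.update(section["params"])
            effective.update(host["params"])
            if mode == "sender":
                effective["directory"] = host["params"].get("directory", basedir)
                if not effective["directory"].startswith("/"):
                    raise ValueError(f"sender host {name!r}: directory must be absolute")
            else:
                # Receiver hosts default to <basedir>/<name>; a relative path is
                # joined with basedir, an absolute path is used as given.
                effective["directory"] = str(
                    PurePosixPath(basedir) / host["params"].get("directory", name))
            result[mode][name] = effective
    return result


# Constructed sample configuration (not from a real deployment).
SAMPLE = '''\
name "webserv"
sender {
	source "10.0.0.1"
	host "backup" {
		remote "10.0.0.4"
		password "s3cret#1"
	}
}
receiver {
	listen "tcp4://10.0.0.1:7878"
	host "mailserv" {
		remote "10.0.0.2"
		password "other"
	}
	host "dnsserv" {
		remote "10.0.0.3"
		directory "dns/audit"
		password "third"
	}
}
'''

if __name__ == "__main__":
    import json
    print(json.dumps(resolve(SAMPLE), indent=2))
```

Running the script prints the resolved settings: the backup host inherits the sender's source address and the default /var/audit/dist directory, mailserv lands in /var/audit/remote/mailserv, and dnsserv's relative directory becomes /var/audit/remote/dns/audit. A host subsection without the obligatory remote statement is rejected with a ValueError.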
.Sh CONFIGURATION OPTION DESCRIPTION
The following statements are available:
.Bl -tag -width ".Ic xxxx"
.It Ic name Aq name
.Pp
This host's name.
It is sent to the receiver, so it can properly recognize us if there are
multiple senders coming from the same IP address.
.It Ic timeout Aq seconds
.Pp
Connection timeout in seconds.
The default value is
.Va 5 .
.It Ic pidfile Aq path
.Pp
File in which to store the process ID of the main
.Xr auditdistd 8
process.
.Pp
The default value is
.Pa /var/run/auditdistd.pid .
.It Ic source Aq addr
.Pp
Local address to bind to before connecting to the remote
.Nm auditdistd
daemon.
The format is the same as for the
.Ic listen
statement.
.It Ic directory Aq path
.Pp
In sender mode, the directory in which to look for audit trail files;
in receiver mode, the directory in which to store received audit trail files.
The provided path has to be an absolute path.
The only exception is when the directory is provided in the
.Ic receiver
section; then the path provided in the
.Ic host
subsections can be relative to the directory in the
.Ic receiver
section.
The default value is
.Pa /var/audit/dist
for the entire
.Ic sender
section,
.Pa /var/audit/remote
for the non-host
.Ic receiver
section and
.Pa /var/audit/remote/<name>
for the
.Ic host
subsections in the
.Ic receiver
section where
.Aq name
is the host's name.
.\".It Ic checksum Aq algorithm
.\".Pp
.\"Checksum algorithm should be one of the following:
.\".Bl -tag -width ".Ic sha256"
.\".It Ic none
.\"No checksum will be calculated for the data being sent over the network.
.\"This is the default setting.
.\".It Ic crc32
.\"CRC32 checksum will be calculated.
.\".It Ic sha256
.\"SHA256 checksum will be calculated.
.\".El
.\".It Ic compression Aq algorithm
.\".Pp
.\"Compression algorithm should be one of the following:
.\".Bl -tag -width ".Ic none"
.\".It Ic none
.\"Data sent over the network will not be compressed.
.\"This is the default setting.
.\".It Ic lzf
.\"The
.\".Nm LZF
.\"algorithm by
.\".An Marc Alexander Lehmann
.\"will be used to compress the data sent over the network.
.\".Nm LZF
.\"is a very fast, general purpose compression algorithm.
.\".El
.It Ic remote Aq addr
.Pp
Address of the remote
.Nm auditdistd
daemon.
The format is the same as for the
.Ic listen
statement.
When operating in
.Ic sender
mode this address will be used to connect to the
.Ic receiver .
When operating in
.Ic receiver
mode only connections from this address will be accepted.
.It Ic listen Aq addr
.Pp
Address to listen on, in the form:
.Bd -literal -offset indent
protocol://protocol-specific-address
.Ed
.Pp
Each of the following examples defines the same listen address:
.Bd -literal -offset indent
0.0.0.0
0.0.0.0:7878
tcp://0.0.0.0
tcp://0.0.0.0:7878
tcp4://0.0.0.0
tcp4://0.0.0.0:7878
.Ed
.Pp
Multiple listen addresses can be specified.
By default
.Nm auditdistd
listens on
.Pa tcp4://0.0.0.0:7878
and
.Pa tcp6://[::]:7878 ,
if the kernel supports IPv4 and IPv6 respectively.
.It Ic keyfile Aq path
.Pp
Path to a file that contains the private key for TLS communication.
.It Ic certfile Aq path
.Pp
Path to a file that contains the certificate for TLS communication.
.It Ic fingerprint Aq algo=hash
.Pp
Fingerprint of the receiver's public key.
Currently only the SHA256 algorithm is supported.
The certificate public key's fingerprint ready to be pasted into the
.Nm auditdistd
configuration file can be obtained by running:
.Bd -literal
# openssl x509 -in /etc/security/auditdistd.cert.pem -noout -fingerprint -sha256 | awk -F '[ =]' '{printf("%s=%s\\n", $1, $3)}'
.Ed
.It Ic password Aq password
.Pp
Password used by the sender to authenticate itself to the receiver.
.El
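.Pp
The
.Ic listen
statement above accepts several spellings of the same address, and the
.Ic remote
and
.Ic source
statements use the same format.
The following Python function, added here as an example and not part of OpenBSM or the
.Nm auditdistd
sources, reduces each accepted spelling to one canonical form so that two configurations can be compared or a configuration can be checked before it is deployed. The protocol names and the default port 7878 come from this page; treating a bare
.Li tcp
as tcp4 or tcp6 according to the address family, accepting only IP literals, and the function names are assumptions made for this example.

```python
"""Canonicalize the address spellings accepted by the listen, remote and
source statements of auditdistd.conf.  Added example, not code from OpenBSM
or auditdistd: the accepted spellings and the default port 7878 come from the
manual page; mapping a bare "tcp" to tcp4 or tcp6 by address family and
accepting only IP literals (no hostnames) are assumptions made here."""
import ipaddress

DEFAULT_PORT = 7878
PROTOCOLS = ("tcp", "tcp4", "tcp6")


def split_host_port(rest):
    """Split 'host', 'host:port', '[v6]' or '[v6]:port' into (host, port_text),
    where port_text is '' when no port was given."""
    if rest.startswith("["):
        host, closed, tail = rest[1:].partition("]")
        if not closed or (tail and not tail.startswith(":")):
            raise ValueError(f"malformed bracketed address {rest!r}")
        return host, tail[1:]
    if rest.count(":") > 1:
        # More than one colon and no brackets: an IPv6 literal without a port.
        return rest, ""
    host, _, port = rest.partition(":")
    return host, port


def normalize_address(addr):
    """Return the canonical 'tcp4://a.b.c.d:port' or 'tcp6://[v6]:port' form,
    raising ValueError for spellings the documented format does not cover."""
    proto, sep, rest = addr.partition("://")
    if not sep:
        proto, rest = "tcp", addr
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r} in {addr!r}")
    host, port_text = split_host_port(rest)
    ip = ipaddress.ip_address(host)  # rejects anything that is not an IP literal
    family = "tcp4" if ip.version == 4 else "tcp6"
    if proto != "tcp" and proto != family:
        raise ValueError(f"{proto} does not match the address family of {host!r}")
    port = int(port_text) if port_text else DEFAULT_PORT
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {addr!r}")
    host_text = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"{family}://{host_text}:{port}"


if __name__ == "__main__":
    # The six spellings listed in the manual page all canonicalize alike.
    for spelling in ("0.0.0.0", "0.0.0.0:7878", "tcp://0.0.0.0",
                     "tcp://0.0.0.0:7878", "tcp4://0.0.0.0", "tcp4://0.0.0.0:7878",
                     "tcp6://[::]:7878", "[::]"):
        print(f"{spelling:24} -> {normalize_address(spelling)}")
```

The family check matters when auditing a configuration: a statement such as tcp4://[::]:7878 names a protocol that cannot carry the given address, and the function reports it instead of silently guessing.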
.Sh FILES
.Bl -tag -width ".Pa /etc/security/auditdistd.conf" -compact
.It Pa /etc/security/auditdistd.conf
The default
.Nm auditdistd
configuration file.
.El
.Sh EXAMPLES
The example configuration files can look as follows.
.Pp
Web server:
.Bd -literal -offset indent
sender {
	host backup {
		remote 10.0.0.4
	}
}
.Ed
.Pp
Audit backup server:
.Bd -literal -offset indent
receiver {
	host webserv {
		remote 10.0.0.1
	}
	host mailserv {
		remote 10.0.0.2
	}
	host dnsserv {
		remote 10.0.0.3
	}
}
.Ed
.Sh SEE ALSO
.Xr audit 4 ,
.Xr auditdistd 8
.Sh AUTHORS
The
.Nm auditdistd
daemon was developed by
.An Pawel Jakub Dawidek Aq pawel@dawidek.net
under sponsorship of the FreeBSD Foundation.