.\" Copyright (c) 2012 The FreeBSD Foundation
.\" All rights reserved.
.\"
.\" This documentation was written by Pawel Jakub Dawidek under sponsorship
.\" from the FreeBSD Foundation.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd March 22, 2011
.Dt AUDITDISTD.CONF 5
.Os
.Sh NAME
.Nm auditdistd.conf
.Nd configuration file for the
.Xr auditdistd 8
daemon.
.Sh DESCRIPTION
Note: the configuration file may contain passwords.
Care should be taken to configure proper permissions on this file
.Li ( e.g. 0600 ) .
.Pp
Every line starting with # is treated as a comment and ignored.
.Sh CONFIGURATION FILE SYNTAX
The general syntax of the
.Nm
file is as follows:
.Bd -literal -offset indent
## Global section.

# Our name.
# The default is the first part of the hostname.
name "<name>"

# Connection timeout.
# The default is 5.
timeout <seconds>

# Path to pidfile.
# The default is "/var/run/auditdistd.pid".
pidfile "<path>"

sender {
	## Sender section.

	# Source address for connections.
	# Optional.
	source "<addr>"

	# Directory with audit trail files managed by auditdistd.
	# The default is /var/audit/dist.
	directory "<dir>"
.\"
.\"	# Checksum algorithm for data sent over the wire.
.\"	# The default is none.
.\"	checksum "<algorithm>"
.\"
.\"	# Compression algorithm for data sent over the wire.
.\"	# The default is none.
.\"	compression "<algorithm>"

	# Configuration for the target system we want to send audit trail
	# files to.
	host "<name>" {
		# Source address for connections.
		# Optional.
		source "<addr>"

		# Address of auditdistd receiver.
		# No default. Obligatory.
		remote "<addr>"

		# Directory with audit trail files managed by auditdistd.
		# The default is /var/audit/dist.
		directory "<dir>"

		# Fingerprint of the receiver's public key when using TLS
		# for connection.
		# Example fingerprint:
		# SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30:14:D7:F9:AA:8B:3E:73:CD:F5:76:2B
		fingerprint "<algorithm=hash>"

		# Password used to authenticate in front of the receiver.
		password "<password>"
.\"
.\"		# Checksum algorithm for data sent over the wire.
.\"		# The default is none.
.\"		checksum "<algorithm>"
.\"
.\"		# Compression algorithm for data sent over the wire.
.\"		# The default is none.
.\"		compression "<algorithm>"
	}

	# Currently local audit trail files can be sent only to one remote
	# auditdistd receiver, but this can change in the future.
}

receiver {
	## Receiver section.

	# Address to listen on. Multiple listen addresses might be specified.
	# The defaults are "tcp4://0.0.0.0:7878" and "tcp6://[::]:7878".
	listen "<addr>"

	# Base directory.
	# If the directory in a host section is not absolute, it will be concatenated
	# with this base directory.
	# The default is "/var/audit/remote".
	directory "<basedir>"

	# Path to receiver's certificate file.
	# The default is "/etc/security/auditdistd.cert.pem".
	certfile "<path>"

	# Path to receiver's private key file.
	# The default is "/etc/security/auditdistd.key.pem".
	keyfile "<path>"

	# Configuration for a source system we want to receive audit trail
	# files from.
	host "<name>" {
		# Sender address.
		# No default. Obligatory.
		remote "<addr>"

		# Directory where to store audit trail files received
		# from system <name>.
		# The default is "<basedir>/<name>".
		directory "<dir>"

		# Password used by the sender to authenticate.
		password "<password>"
	}

	# Multiple hosts to receive from can be configured.
}
.Ed
.Pp
Most of the various available configuration parameters are optional.
If a parameter is not defined in a particular section, it will be
inherited from the parent section if possible.
For example, if the
.Ic source
parameter is not defined in the
.Ic host
section, it will be inherited from the
.Ic sender
section.
In case the
.Ic global
section does not define the
.Ic source
parameter at all, the default value will be used.
.Sh CONFIGURATION FILE DESCRIPTION
The following statements are available:
.Bl -tag -width ".Ic xxxx"
.It Ic name Aq name
.Pp
This host's name.
It is sent to the receiver, so it can properly recognize us if
more than one sender connects from the same IP address.
.It Ic timeout Aq seconds
.Pp
Connection timeout in seconds.
The default value is
.Va 5 .
.It Ic pidfile Aq path
.Pp
File in which to store the process ID of the main
.Xr auditdistd 8
process.
.Pp
The default value is
.Pa /var/run/auditdistd.pid .
.It Ic source Aq addr
.Pp
Local address to bind to before connecting to the remote
.Nm auditdistd
daemon.
The format is the same as for the
.Ic listen
statement.
.It Ic directory Aq path
.Pp
Directory to look for audit trail files in when operating in sender mode, or
directory to store received audit trail files in when operating in receiver mode.
The provided path has to be an absolute path.
The only exception is when a directory is provided in the
.Ic receiver
section; then the path provided in the
.Ic host
subsections can be relative to the directory in the
.Ic receiver
section.
The default value is
.Pa /var/audit/dist
for the entire
.Ic sender
section,
.Pa /var/audit/remote
for the non-host
.Ic receiver
section and
.Pa /var/audit/remote/<name>
for the
.Ic host
subsections in the
.Ic receiver
section, where
.Aq name
is the host's name.
.\".It Ic checksum Aq algorithm
.\".Pp
.\"Checksum algorithm should be one of the following:
.\".Bl -tag -width ".Ic sha256"
.\".It Ic none
.\"No checksum will be calculated for the data being sent over the network.
.\"This is the default setting.
.\".It Ic crc32
.\"CRC32 checksum will be calculated.
.\".It Ic sha256
.\"SHA256 checksum will be calculated.
.\".El
.\".It Ic compression Aq algorithm
.\".Pp
.\"Compression algorithm should be one of the following:
.\".Bl -tag -width ".Ic none"
.\".It Ic none
.\"Data sent over the network will not be compressed.
.\"This is the default setting.
.\".It Ic lzf
.\"The
.\".Nm LZF
.\"algorithm by
.\".An Marc Alexander Lehmann
.\"will be used to compress the data sent over the network.
.\".Nm LZF
.\"is a very fast, general purpose compression algorithm.
.\".El
.It Ic remote Aq addr
.Pp
Address of the remote
.Nm auditdistd
daemon.
The format is the same as for the
.Ic listen
statement.
When operating in
.Ic sender
mode this address will be used to connect to the
.Ic receiver .
When operating in
.Ic receiver
mode only connections from this address will be accepted.
.It Ic listen Aq addr
.Pp
Address to listen on, in the form:
.Bd -literal -offset indent
protocol://protocol-specific-address
.Ed
.Pp
Each of the following examples defines the same listen address:
.Bd -literal -offset indent
0.0.0.0
0.0.0.0:7878
tcp://0.0.0.0
tcp://0.0.0.0:7878
tcp4://0.0.0.0
tcp4://0.0.0.0:7878
.Ed
.Pp
Multiple listen addresses can be specified.
By default
.Nm auditdistd
listens on
.Pa tcp4://0.0.0.0:7878
and
.Pa tcp6://[::]:7878
if the kernel supports IPv4 and IPv6 respectively.
.It Ic keyfile Aq path
.Pp
Path to a file that contains the private key for TLS communication.
.It Ic certfile Aq path
.Pp
Path to a file that contains the certificate for TLS communication.
.It Ic fingerprint Aq algo=hash
.Pp
Fingerprint of the receiver's public key.
Currently only the SHA256 algorithm is supported.
The certificate public key's fingerprint, ready to be pasted into the auditdistd
configuration file, can be obtained by running:
.Bd -literal -offset indent
# openssl x509 -in /etc/security/auditdistd.cert.pem -noout -fingerprint -sha256 | awk -F '[ =]' '{printf("%s=%s\\n", $1, $3)}'
.Ed
.It Ic password Aq password
.Pp
Password used to authenticate the sender in front of the receiver.
.El
.Sh FILES
.Bl -tag -width ".Pa /etc/security/auditdistd.conf" -compact
.It Pa /etc/security/auditdistd.conf
The default
.Nm auditdistd
configuration file.
.El
.Sh EXAMPLES
Example configuration files can look as follows.
.Pp
Web server:
.Bd -literal -offset indent
sender {
	host backup {
		remote 10.0.0.4
	}
}
.Ed
.Pp
Audit backup server:
.Bd -literal -offset indent
receiver {
	host webserv {
		remote 10.0.0.1
	}
	host mailserv {
		remote 10.0.0.2
	}
	host dnsserv {
		remote 10.0.0.3
	}
}
.Ed
.Sh SEE ALSO
.Xr audit 4 ,
.Xr auditdistd 8 .
.Sh AUTHORS
The
.Nm
was written by
.An Pawel Jakub Dawidek Aq pawel@dawidek.net
under sponsorship of the FreeBSD Foundation.
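An added illustration, not part of this manual page or of auditdistd itself: a small Python parser for the configuration syntax described above, plus a resolver that applies the inheritance rule (host subsection, then enclosing section, then built-in default) and the receiver-side directory rule (default `<basedir>/<name>`, relative paths joined onto the base directory). The sample configuration is constructed; the defaults are the ones this manual page states.

```python
import shlex

# Constructed sample in the syntax above: "source" only in the sender section, relative receiver dir.
SAMPLE = """\
sender {
	source "10.0.0.1"
	host backup {
		remote 10.0.0.4
	}
}
receiver {
	directory "/srv/audit/remote"
	host mailserv {
		remote 10.0.0.2
		directory "mail"
	}
}
"""
DEFAULTS = {"sender": {"directory": "/var/audit/dist"}, "receiver": {"directory": "/var/audit/remote"}}
INHERITED = ("source", "directory", "password")   # statements that fall back to the parent section

def parse(text):
    """Nested dicts keyed 'sender', 'receiver' and 'host:<name>'; lines starting with '#' are skipped."""
    root, stack = {}, []
    cur = root
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] == "#":
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            tok = shlex.split(line)                  # 'sender {' or 'host <name> {'
            stack.append(cur)
            cur = cur.setdefault(":".join(tok[:-1]), {})
        else:
            key, value = shlex.split(line)           # quotes around a value are stripped
            cur[key] = value
    return root

def effective_hosts(conf, section):
    """Per-host settings after inheritance: host value, else section value, else built-in default."""
    sect = conf.get(section, {})
    basedir = sect.get("directory", DEFAULTS[section]["directory"])
    out = {}
    for key, block in sect.items():
        if key.startswith("host:"):
            name = key[5:]
            if "remote" not in block:
                raise ValueError(f"{section} host {name}: 'remote' is obligatory")
            eff = {**DEFAULTS[section], **{k: v for k, v in sect.items() if k in INHERITED}, **block}
            if section == "receiver":                # default is <basedir>/<name>; relative paths join
                d = block.get("directory", name)
                eff["directory"] = d if d.startswith("/") else f"{basedir}/{d}"
            out[name] = eff
    return out
```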
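Added example, not part of this manual page or of auditdistd: computing the fingerprint value in the form the openssl | awk pipeline above prints (SHA-256 over the certificate's DER encoding, upper-case colon-separated bytes prefixed with `SHA256=`) and checking a configured `fingerprint` statement against it in constant time. The PEM input is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding of the first CERTIFICATE block, formatted the way
    the openssl | awk pipeline above prints it: 'SHA256=' + upper-case colon-separated bytes."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return "SHA256=" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def parse_fingerprint(value: str) -> str:
    """Validate a configured 'algorithm=hash' value and return the bare upper-case hex.
    Only SHA256 is accepted; the name is matched case-insensitively because OpenSSL
    releases differ in how they print it."""
    algo, sep, hashpart = value.strip().partition("=")
    if sep != "=" or algo.upper() != "SHA256":
        raise ValueError(f"unsupported fingerprint algorithm: {algo!r}")
    raw = hashpart.replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]{64}", raw):
        raise ValueError("SHA256 fingerprint must be 32 hex bytes")
    return raw

def fingerprint_matches(configured: str, pem: str) -> bool:
    """True when the configured fingerprint statement matches the certificate (constant-time compare)."""
    return hmac.compare_digest(parse_fingerprint(configured), parse_fingerprint(cert_fingerprint(pem)))

# Constructed placeholder for /etc/security/auditdistd.cert.pem: the body is just
# base64("abc"), not a real certificate, so the example runs offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
```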