.\" Copyright (c) 2012 The FreeBSD Foundation
.\" All rights reserved.
.\"
.\" This documentation was written by Pawel Jakub Dawidek under sponsorship
.\" from the FreeBSD Foundation.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd March 22, 2011
.Dt AUDITDISTD.CONF 5
.Os
.Sh NAME
.Nm auditdistd.conf
.Nd configuration file for the
.Xr auditdistd 8
daemon.
.Sh DESCRIPTION
Note: the configuration file may contain passwords.
Care should be taken to configure proper permissions on this file
.Li ( e.g. 0600 ) .
.Pp
Every line starting with # is treated as a comment and ignored.
.Sh CONFIGURATION FILE SYNTAX
The general syntax of the
.Nm
file is as follows:
.Bd -literal -offset indent
## Global section.

# Our name.
# The default is the first part of the hostname.
name "<name>"

# Connection timeout.
# The default is 5.
timeout <seconds>

# Path to pidfile.
# The default is "/var/run/auditdistd.pid".
pidfile "<path>"

sender {
	## Sender section.

	# Source address for connections.
	# Optional.
	source "<addr>"

	# Directory with audit trail files managed by auditdistd.
	# The default is /var/audit/dist.
	directory "<dir>"
.\"
.\"	# Checksum algorithm for data sent over the wire.
.\"	# The default is none.
.\"	checksum "<algorithm>"
.\"
.\"	# Compression algorithm for data sent over the wire.
.\"	# The default is none.
.\"	compression "<algorithm>"

	# Configuration for the target system we want to send audit trail
	# files to.
	host "<name>" {
		# Source address for connections.
		# Optional.
		source "<addr>"

		# Address of auditdistd receiver.
		# No default. Obligatory.
		remote "<addr>"

		# Directory with audit trail files managed by auditdistd.
		# The default is /var/audit/dist.
		directory "<dir>"

		# Fingerprint of the receiver's public key when using TLS
		# for connection.
		# Example fingerprint:
		# SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30:14:D7:F9:AA:8B:3E:73:CD:F5:76:2B
		fingerprint "<algorithm=hash>"

		# Password used to authenticate to the receiver.
		password "<password>"
.\"
.\"		# Checksum algorithm for data sent over the wire.
.\"		# The default is none.
.\"		checksum "<algorithm>"
.\"
.\"		# Compression algorithm for data sent over the wire.
.\"		# The default is none.
.\"		compression "<algorithm>"
	}

	# Currently local audit trail files can be sent only to one remote
	# auditdistd receiver, but this can change in the future.
}

receiver {
	## Receiver section.

	# Address to listen on. Multiple listen addresses might be specified.
	# The defaults are "tcp4://0.0.0.0:7878" and "tcp6://[::]:7878".
	listen "<addr>"

	# Base directory.
	# If the directory in a host section is not absolute, it will be
	# concatenated with this base directory.
	# The default is "/var/audit/remote".
	directory "<basedir>"

	# Path to receiver's certificate file.
	# The default is "/etc/security/auditdistd.cert.pem".
	certfile "<path>"

	# Path to receiver's private key file.
	# The default is "/etc/security/auditdistd.key.pem".
	keyfile "<path>"

	# Configuration for a source system we want to receive audit trail
	# files from.
	host "<name>" {
		# Sender address.
		# No default. Obligatory.
		remote "<addr>"

		# Directory where to store audit trail files received
		# from system <name>.
		# The default is "<basedir>/<name>".
		directory "<dir>"

		# Password used by the sender to authenticate.
		password "<password>"
	}

	# Multiple hosts to receive from can be configured.
}
.Ed
.Pp
Most of the various available configuration parameters are optional.
If a parameter is not defined in a particular section, it will be
inherited from the parent section if possible.
For example, if the
.Ic source
parameter is not defined in the
.Ic host
section, it will be inherited from the
.Ic sender
section.
If the
.Ic global
section does not define the
.Ic source
parameter at all, the default value will be used.
.Sh CONFIGURATION FILE DESCRIPTION
The following statements are available:
.Bl -tag -width ".Ic xxxx"
.It Ic name Aq name
.Pp
This host's name.
It is sent to the receiver so that it can properly recognize us if
more than one sender connects from the same IP address.
.It Ic timeout Aq seconds
.Pp
Connection timeout in seconds.
The default value is
.Va 5 .
.It Ic pidfile Aq path
.Pp
File in which to store the process ID of the main
.Xr auditdistd 8
process.
.Pp
The default value is
.Pa /var/run/auditdistd.pid .
.It Ic source Aq addr
.Pp
Local address to bind to before connecting to the remote
.Nm auditdistd
daemon.
The format is the same as for the
.Ic listen
statement.
.It Ic directory Aq path
.Pp
Directory in which to look for audit trail files in sender mode, or
directory in which to store received audit trail files.
The provided path has to be an absolute path.
The only exception is when a directory is provided in the
.Ic receiver
section; then the path provided in the
.Ic host
subsections can be relative to the directory in the
.Ic receiver
section.
The default value is
.Pa /var/audit/dist
for the entire
.Ic sender
section,
.Pa /var/audit/remote
for the non-host
.Ic receiver
section and
.Pa /var/audit/remote/<name>
for the
.Ic host
subsections in the
.Ic receiver
section, where
.Aq name
is the host's name.
.\".It Ic checksum Aq algorithm
.\".Pp
.\"Checksum algorithm should be one of the following:
.\".Bl -tag -width ".Ic sha256"
.\".It Ic none
.\"No checksum will be calculated for the data being sent over the network.
.\"This is the default setting.
.\".It Ic crc32
.\"CRC32 checksum will be calculated.
.\".It Ic sha256
.\"SHA256 checksum will be calculated.
.\".El
.\".It Ic compression Aq algorithm
.\".Pp
.\"Compression algorithm should be one of the following:
.\".Bl -tag -width ".Ic none"
.\".It Ic none
.\"Data sent over the network will not be compressed.
.\"This is the default setting.
.\".It Ic lzf
.\"The
.\".Nm LZF
.\"algorithm by
.\".An Marc Alexander Lehmann
.\"will be used to compress the data sent over the network.
.\".Nm LZF
.\"is a very fast, general-purpose compression algorithm.
.\".El
.It Ic remote Aq addr
.Pp
Address of the remote
.Nm auditdistd
daemon.
The format is the same as for the
.Ic listen
statement.
When operating in the
.Ic sender
mode this address will be used to connect to the
.Ic receiver .
When operating in the
.Ic receiver
mode only connections from this address will be accepted.
.It Ic listen Aq addr
.Pp
Address to listen on, in the form:
.Bd -literal -offset indent
protocol://protocol-specific-address
.Ed
.Pp
Each of the following examples defines the same listen address:
.Bd -literal -offset indent
0.0.0.0
0.0.0.0:7878
tcp://0.0.0.0
tcp://0.0.0.0:7878
tcp4://0.0.0.0
tcp4://0.0.0.0:7878
.Ed
.Pp
Multiple listen addresses can be specified.
By default
.Nm auditdistd
listens on
.Pa tcp4://0.0.0.0:7878
and
.Pa tcp6://[::]:7878
if the kernel supports IPv4 and IPv6, respectively.
.It Ic keyfile Aq path
.Pp
Path to a file that contains the private key for TLS communication.
.It Ic certfile Aq path
.Pp
Path to a file that contains the certificate for TLS communication.
.It Ic fingerprint Aq algo=hash
.Pp
Fingerprint of the receiver's public key.
Currently only the SHA256 algorithm is supported.
A fingerprint of the certificate's public key, ready to be pasted into the
auditdistd configuration file, can be obtained by running:
.Bd -literal -offset indent
# openssl x509 -in /etc/security/auditdistd.cert.pem -noout -fingerprint -sha256 | awk -F '[ =]' '{printf("%s=%s\\n", $1, $3)}'
.Ed
.It Ic password Aq password
.Pp
Password used to authenticate the sender to the receiver.
.El
.Sh FILES
.Bl -tag -width ".Pa /etc/security/auditdistd.conf" -compact
.It Pa /etc/security/auditdistd.conf
The default
.Nm auditdistd
configuration file.
.El
.Sh EXAMPLES
Example configuration files might look as follows.
.Pp
Web server:
.Bd -literal -offset indent
sender {
	host backup {
		remote 10.0.0.4
	}
}
.Ed
.Pp
Audit backup server:
.Bd -literal -offset indent
receiver {
	host webserv {
		remote 10.0.0.1
	}
	host mailserv {
		remote 10.0.0.2
	}
	host dnsserv {
		remote 10.0.0.3
	}
}
.Ed
.Sh SEE ALSO
.Xr audit 4 ,
.Xr auditdistd 8 .
.Sh AUTHORS
The
.Nm auditdistd
daemon was developed by
.An Pawel Jakub Dawidek Aq pawel@dawidek.net
under sponsorship of the FreeBSD Foundation.
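The configuration grammar, defaults, parent-section inheritance, relative receiver directories, equivalent listen/remote address forms and the SHA256 fingerprint format described in this page, worked through as one added example. This is not auditdistd's own parser and does not read its real configuration; it assumes whitespace-separated tokens with double-quoted strings and "#" comments, the defaults and inheritance rules exactly as stated above, and tcp/tcp4/tcp6 addresses with 7878 as the default port. The sample configuration is constructed after the EXAMPLES section; the fingerprint in it is the page's own example value.

```python
"""Parser/validator for the auditdistd.conf grammar sketched above (added example, not
auditdistd's own code).  Assumes whitespace-separated tokens, double-quoted strings,
'#' comments, the defaults/inheritance as stated, and tcp/tcp4/tcp6 addresses on 7878."""
import re
import shlex

DEFAULTS = {"timeout": "5", "sender_dir": "/var/audit/dist", "receiver_dir": "/var/audit/remote"}
DEFAULT_LISTEN = ["tcp4://0.0.0.0:7878", "tcp6://[::]:7878"]
# Only SHA256 is supported: "SHA256=" followed by 32 colon-separated hex bytes.
FINGERPRINT_RE = re.compile(r"^SHA256=([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$")

def parse(text):
    """Config text -> nested dicts; 'host' blocks are collected under 'hosts'."""
    return _block(shlex.split(text, comments=True), 0)[0]   # shlex drops '#' comments, honours quotes

def _block(tokens, i):
    block = {}
    while i < len(tokens) and tokens[i] != "}":
        key, i = tokens[i], i + 1
        if key in ("sender", "receiver"):
            block[key], i = _block(tokens, _expect(tokens, i, "{"))
        elif key == "host":
            name, i = tokens[i], _expect(tokens, i + 1, "{")
            block.setdefault("hosts", {})[name], i = _block(tokens, i)
        elif key == "listen":                            # may be repeated
            block.setdefault("listen", []).append(tokens[i])
            i += 1
        else:
            block[key], i = tokens[i], i + 1
    return block, i + 1                                  # step over the closing '}'

def _expect(tokens, i, tok):
    if i >= len(tokens) or tokens[i] != tok:
        raise ValueError("expected %r at token %d" % (tok, i))
    return i + 1

def normalize_addr(addr, default_port=7878):
    """Canonicalise the equivalent listen/remote forms: '0.0.0.0' -> 'tcp4://0.0.0.0:7878'."""
    proto, sep, rest = addr.partition("://")
    if not sep:
        proto, rest = "tcp", addr
    if rest.startswith("["):                             # bracketed IPv6 literal, e.g. [::]:7878
        host, _, port = rest[1:].partition("]")
        host, port, family = "[" + host + "]", port.lstrip(":"), "tcp6"
    else:
        host, _, port = rest.partition(":")
        family = "tcp4"
    proto = family if proto == "tcp" else proto
    if proto not in ("tcp4", "tcp6"):
        raise ValueError("unsupported protocol in %r" % addr)
    return "%s://%s:%s" % (proto, host, port or default_port)

def resolve(cfg):
    """Apply defaults and parent-section inheritance; return (effective config, problem list)."""
    problems = []
    eff = {"timeout": int(cfg.get("timeout", DEFAULTS["timeout"])), "name": cfg.get("name")}
    s = cfg.get("sender")
    if s is not None:
        if len(s.get("hosts", {})) > 1:
            problems.append("sender: audit trail files can be sent to only one receiver")
        eff["sender"] = {}
        for name, h in s.get("hosts", {}).items():
            if "remote" not in h:
                problems.append("sender host %s: 'remote' is obligatory" % name)
            fp = h.get("fingerprint")
            if fp and not FINGERPRINT_RE.match(fp):
                problems.append("sender host %s: malformed SHA256 fingerprint" % name)
            eff["sender"][name] = {
                "remote": normalize_addr(h["remote"]) if "remote" in h else None,
                "source": h.get("source", s.get("source")),         # inherited from sender section
                "directory": h.get("directory", s.get("directory", DEFAULTS["sender_dir"])),
                "fingerprint": fp, "password": h.get("password")}
    r = cfg.get("receiver")
    if r is not None:
        base = r.get("directory", DEFAULTS["receiver_dir"])
        eff["receiver"] = {"listen": [normalize_addr(a) for a in r.get("listen", DEFAULT_LISTEN)],
                           "hosts": {}}
        for name, h in r.get("hosts", {}).items():
            d = h.get("directory", name)                     # default is <basedir>/<name>
            if not d.startswith("/"):                        # relative: concatenate with base
                d = base.rstrip("/") + "/" + d
            eff["receiver"]["hosts"][name] = {
                "remote": normalize_addr(h["remote"]) if "remote" in h else None,
                "directory": d, "password": h.get("password")}
    return eff, problems

# Constructed sample modelled on the EXAMPLES section; the fingerprint is the page's example value.
SAMPLE = '''name "webserv"
sender {
    source "10.0.0.1"
    host backup {
        remote 10.0.0.4     # 'source' is inherited from the sender section
        fingerprint "SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30:14:D7:F9:AA:8B:3E:73:CD:F5:76:2B"
        password "example-password"
    }
}
receiver {
    listen "0.0.0.0"
    host mailserv {
        remote 10.0.0.2
        directory "mail"    # relative: resolved under /var/audit/remote
    }
}
'''
```

Run `resolve(parse(SAMPLE))` to see the effective configuration: the sender host picks up `source` from the enclosing section, the unqualified receiver directory `mail` lands under `/var/audit/remote`, and every address is reported in the canonical `tcp4://host:port` form. A second sender host or a fingerprint that is not `SHA256=` plus 32 hex bytes shows up in the returned problem list rather than being silently accepted, which is the check worth running before the file is installed with mode 0600.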