audispd.conf(5) [centos man page]

AUDISPD.CONF:(5)					  System Administration Utilities					  AUDISPD.CONF:(5)

NAME

       audispd.conf - the audit event dispatcher configuration file

DESCRIPTION

       audispd.conf is the file that controls the configuration of the audit event dispatcher. The options that are available are as follows:

       q_depth
	      This is a numeric value that tells how big to make the internal queue of the audit event dispatcher. A bigger queue lets it handle a
	      flood of events better, but could hold events that are not processed when the daemon is terminated. If you get  messages	in  syslog
	      about events getting dropped, increase this value. The default value is 80.

       overflow_action
	      This  option  determines how the daemon should react to overflowing its internal queue. When this happens, it means that more events
	      are being received than it can get rid of. This error means that it is going to lose the current event its trying  to  dispatch.	It
	      has  the	following  choices:  ignore, syslog, suspend, single, and halt.  If set to ignore, the audisp daemon does nothing.  syslog
	      means that it will issue a warning to syslog.  suspend will cause the audisp daemon to stop processing events. The daemon will still
	      be alive. The single option will cause the audisp daemon to put the computer system in single user mode.	halt option will cause the
	      audisp daemon to shutdown the computer system.

       priority_boost
	      This is a non-negative number that tells the audit event dispatcher how much of a priority boost it should take. This  boost  is	in
	      addition to the boost provided from the audit daemon. The default is 4. No change is 0.

       max_restarts
	      This  is	a  non-negative  number  that  tells the audit event dispatcher how many times it can try to restart a crashed plugin. The
	      default is 10.

       name_format
	      This option controls how computer node names are inserted into the audit event stream. It has the following choices: none, hostname,
	      fqd,  numeric,  and  user.  None means that no computer name is inserted into the audit event.  hostname is the name returned by the
	      gethostname syscall. The fqd means that it takes the hostname and resolves it with dns for a fully qualified  domain  name  of  that
	      machine.	Numeric is similar to fqd except it resolves the IP address of the machine.  User is an admin defined string from the name
	      option. The default value is none.

       name   This is the admin defined string that identifies the machine if user is given as the name_format option.

SEE ALSO

       audispd(8)

Red Hat 							     Jan 2008							  AUDISPD.CONF:(5)

AUDITD(8)						  System Administration Utilities						 AUDITD(8)

NAME

       auditd - The Linux Audit daemon

SYNOPSIS

       auditd [-f] [-l] [-n] [-s disable|enable|nochange]

DESCRIPTION

       auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is
       done with the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the  rules	in
       /etc/audit/audit.rules  are  read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize.
       They are found in the auditd.conf file.

OPTIONS

       -f     leave the audit daemon in the foreground for debugging. Messages also go to stderr rather than the audit log.

       -l     allow the audit daemon to follow symlinks for config files.

       -n     no fork. This is useful for running off of inittab

       -s=ENABLE_STATE
	      specify when starting if auditd should change the current value for the kernel enabled flag. Valid values for ENABLE_STATE are "dis-
	      able",  "enable"	or "nochange". The default is to enable (and disable when auditd terminates). The value of the enabled flag may be
	      changed during the lifetime of auditd using 'auditctl -e'.

SIGNALS

       SIGHUP causes auditd to reconfigure. This means that auditd re-reads the configuration file. If there are no syntax errors, it will proceed
	      to implement the requested changes. If the reconfigure is successful, a DAEMON_CONFIG event is recorded in the logs. If not success-
	      ful, error handling is controlled by space_left_action, admin_space_left_action, disk_full_action, and disk_error_action	parameters
	      in auditd.conf.

       SIGTERM
	      caused auditd to discontinue processing audit events, write a shutdown audit event, and exit.

       SIGUSR1
	      causes auditd to immediately rotate the logs. It will consult the max_log_size_action to see if it should keep the logs or not.

       SIGUSR2
	      causes auditd to attemp to resume logging. This is usually used after logging has been suspended.

FILES

       /etc/audit/auditd.conf - configuration file for audit daemon

       /etc/audit/audit.rules - audit rules to be loaded at startup

NOTES

       A  boot param of audit=1 should be added to ensure that all processes that run before the audit daemon starts is marked as auditable by the
       kernel. Not doing that will make a few processes impossible to properly audit.

       The audit daemon can receive audit events from other audit daemons via the audisp-remote audispd plugin. The audit  daemon  may	be  linked
       with tcp_wrappers to control which machines can connect. If this is the case, you can add an entry to hosts.allow and deny.

SEE ALSO

       auditd.conf(5), audispd(8), ausearch(8), aureport(8), auditctl(8), audit.rules(7).

AUTHOR

       Steve Grubb

Red Hat 							     Sept 2007								 AUDITD(8)