# /etc/audit/auditd.conf # Sane defaults: #local_events = yes #priority_boost = 4 #tcp_client_max_idle = 0 #tcp_max_per_addr = 1 # This program will receive a copy of all events via it's STDIN and will # startup with root privileges when auditd comes up. dispatcher = /sbin/audispd # Don't tolerate dropping audit messages disp_qos = lossless # We send our logs to syslog for processing and policy analysis (using # audispd), a lot of the remining settings won't have an effect unless this # gets flipped. write_logs = no # Default location but be explicit log_file = /var/log/audit/audit.log log_format = ENRICHED log_group = root # Every 50 log entries trigger a background `sync` operation. There is a small # potential for data loss here but the alternative is pretty poor throughput. flush = incremental_async freq = 50 # These settings control log rotation and indicate when a log file reaches 8MiB # we will rotate the logs, keeping the current log and the last one. num_logs = 2 max_log_file = 8 max_log_file_action = rotate # How a node is identified in the audit message, `hostname` will use the local # part. There is a `fqd` option for the full domain, but it performs name # resolution for each event which isn't ideal. name_format = hostname # An alternative to above if I wanted the FQDN without incurring the lookup # cost is by simply setting the value directly using the following settings # instead: #name_format = user #name = "namey.mc.namepants.tld" # This is the default, but we want it to be explicit action_mail_acct = root # When there is this much disk space (in MiB) left on the partition where # auditd is logging, we want auditd to send an email and log to syslog. # Hopefully this never trips as it's a pretty small amount of space... space_left = 256 space_left_action = email # If it gets to this point the system is in a really bad state, but we can try # a notification to the admins again... A script could also be called here to # attempt to trigger an alarm or something. That can be used by setting the # action to `exec /path/to/script`. No arguments can be provided to the script. admin_space_left = 64 admin_space_left_action = email # We never want to be running our system where we can't persist our audit # records so take the extreme action of shutting down the machine. Hopefully # our two previous warning emails went through before this tripped... disk_full_action = halt # If there is ever an error writing our messages to disk we need to log that # information. disk_error_action = syslog # Uncomment these to listen for events on the network #tcp_listen_port = 48 #tcp_listen_queue = 16 #tcp_client_ports = 1024-65535 #use_libwrap = yes # For kerberos to handle authentication and encryption. Mandatory for secure # operation over a network. Be sure to generate a keytab, and replace # `hostname` with the canonical FQDN of the host. #enable_krb5 = yes #krb5_principal = auditd/hostname@EXAMPLE.COM #krb5_key_file = /etc/audit/audit.key # If I accept audit events from other network hosts on this machine and I want # them visible through the dispatcher program I should set this to yes. #distribute_network = no