remote_server =
port = 60
+##local_port =
transport = tcp
+queue_file = /var/spool/audit/remote.log
mode = immediate
-queue_depth = 20
-fail_action = SYSLOG
+queue_depth = 2048
+format = managed
+network_retry_time = 1
+max_tries_per_record = 3
+max_time_per_record = 5
+heartbeat_timeout = 0
+network_failure_action = stop
+disk_low_action = ignore
+disk_full_action = ignore
+disk_error_action = syslog
+remote_ending_action = suspend
+generic_error_action = syslog
+generic_warning_action = syslog
+overflow_action = syslog
+
+##enable_krb5 = no
+##krb5_principal =
+##krb5_client_name = auditd
+##krb5_key_file = /etc/audisp/audisp-remote.key
# dispatcher daemon, audispd.
#
-q_depth = 80
+q_depth = 120
overflow_action = SYSLOG
priority_boost = 4
+max_restarts = 10
name_format = HOSTNAME
#name = mydomain
# plugin can take 2 arguments, the path for the
# socket and the socket permissions in octal.
-active = yes
+active = no
direction = out
path = builtin_af_unix
type = builtin
-# This file controls the configuration of the
-# syslog plugin. It simply takes events and writes
-# them to syslog.
+# This file controls the configuration of the syslog plugin.
+# It simply takes events and writes them to syslog. The
+# arguments provided can be the default priority that you
+# want the events written with. And optionally, you can give
+# a second argument indicating the facility that you want events
+# logged to. Valid options are LOG_LOCAL0 through 7.
active = no
direction = out
-# Copyright 1999-2005 Gentoo Foundation
+# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules,v 1.1 2006/06/22 07:41:46 robbat2 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $
#
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# Feel free to add below this line. See auditctl man page
# The following rule would cause all of the syscalls listed to be ignored in logging.
-# -a entry,never -S read -S write -S open -S fstat -S fstat64 -S mmap -S brk -S munmap -S _llseek -S nanosleep -S fcntl64 -S close -S dup2 -S rt_sigaction -S stat64 -S stat
+-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
# The following rule would cause the capture of all systems not caught above.
-# -a entry,always -S all
+# -a exit,always -S all
# Increase the buffers to survive stress events
--b 256
+-b 8192
# vim:ft=conf:
priority_boost = 4
flush = INCREMENTAL
freq = 20
-num_logs = 4
+num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
-max_log_file = 5
+max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
-
+##tcp_listen_port =
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
-# Copyright 1999-2005 Gentoo Foundation
+# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-conf.d-1.2.3,v 1.1 2006/06/22 07:41:46 robbat2 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-conf.d-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $
# Configuration options for auditd
# -f for foreground mode
# Audit rules file to run before and after stopping auditd
RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
+
+# If you want to enforce a certain locale for auditd,
+# uncomment one of the next lines:
+#AUDITD_LANG=none
+AUDITD_LANG=C
+#AUDITD_LANG=en_US
+#AUDITD_LANG=en_US.UTF-8
#!/sbin/runscript
-# Copyright 1999-2005 Gentoo Foundation
+# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-init.d-1.2.3,v 1.1 2006/06/22 07:41:46 robbat2 Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-init.d-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $
+
+extra_started_commands='reload reload_auditd reload_rules'
+description='Linux Auditing System'
+description_reload='Reload daemon configuration and rules'
+description_reload_rules='Reload daemon rules'
+description_reload_auditd='Reload daemon configuration'
+
+name='auditd'
+pidfile='/var/run/auditd.pid'
+command='/sbin/auditd'
start_auditd() {
- ebegin "Starting auditd"
+ # Env handling taken from the upstream init script
+ if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
+ unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+ else
+ LANG="$AUDITD_LANG"
+ LC_TIME="$AUDITD_LANG"
+ LC_ALL="$AUDITD_LANG"
+ LC_MESSAGES="$AUDITD_LANG"
+ LC_NUMERIC="$AUDITD_LANG"
+ LC_MONETARY="$AUDITD_LANG"
+ LC_COLLATE="$AUDITD_LANG"
+ export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+ fi
+ unset HOME MAIL USER USERNAME
+
+ ebegin "Starting ${name}"
start-stop-daemon \
- --start --quiet --pidfile /var/run/auditd.pid \
- --exec /sbin/auditd -- ${EXTRAOPTIONS}
+ --start --quiet --pidfile ${pidfile} \
+ --exec ${command} -- ${EXTRAOPTIONS}
local ret=$?
eend $ret
return $ret
}
stop_auditd() {
- ebegin "Stopping auditd"
- start-stop-daemon \
- --stop --quiet --pidfile /var/run/auditd.pid
+ ebegin "Stopping ${name}"
+ start-stop-daemon --stop --quiet --pidfile ${pidfile}
local ret=$?
eend $ret
return $ret
start() {
start_auditd
local ret=$?
- if [ $ret -eq 0 ]; then
+ if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
+ touch /var/lock/subsys/${name}
loadfile "${RULEFILE_STARTUP}"
fi
return $ret
}
+reload_rules() {
+ loadfile "${RULEFILE_STARTUP}"
+}
+
+reload_auditd() {
+ [ -f ${pidfile} ] && kill -HUP `cat ${pidfile}`
+}
+
+reload() {
+ reload_auditd
+ reload_rules
+}
+
stop() {
- loadfile "${RULEFILE_STOP_PRE}"
+ [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
stop_auditd
+ rm -f /var/lock/subsys/${name}
local ret=$?
- loadfile "${RULEFILE_STOP_POST}"
+ [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
return $ret
}
projects / config / samara / etc.git / commitdiff