audisp-tacplus.8

.\"                                      Hey, EMACS: -*- nroff -*-
.\" (C) Copyright 2015, 2016 Cumulus Networks, Inc.  All rights reserved.
.TH AUDISP-TACPLUS 8 "June 22, 2016"
.\" Please adjust this date whenever revising the manpage.
.SH NAME
audisp-tacplus \- sending tacacs accounting records to tacacs server
.SH SYNOPSIS
.B audisp-tacplus
.RI [ config-file ]
.SH DESCRIPTION
.B audisp-tacplus
is an
.I audisp plugin
to the
.I auditd
system.  It is started automatically by
.I audisp
when auditd is started, normally at system boot.
.PP
.SH OPTIONS
The optional
.I config-file
argument specifies an alternate configuration file.
The argument must be placed in the
.I  /etc/audisp/plugins.d/audisp-tacplus.conf
configuration file, as the
.B args
string value.
.SH SIGNALS
When sent SIGHUP,
.I audisp-tacplus
will reset all configuration to default, and re-read the
.I /etc/audisp/audisp-tac_plus.conf
configuration file.
.P
When sent SIGTERM,
.I audisp-tacplus
will terminate it's event loop and exit cleanly.
.SH FILES
.IR  /etc/audisp/plugins.d/audisp-tacplus.conf --
audisp plugin configuration for the plugin
.br
.IR  /etc/audisp/plugins.d/audisp-tacplus.rules --
.I auditd
rules loaded via the
.I /etc/init.d/audisp-tacplus
startup file.  If auditd is restarted with the
.BR service ,\  invoke-rc.d ,\  systemctl
or similar commands, audisp-tacplus will normally be automatically restarted
as well.
.br
.IR  /etc/audisp/audisp-tac_plus.conf --
TACACS+ configuration file.  By default, this includes the
.I  /etc/tacplus_servers
file to get the list of TACACS+ servers and their keys, to simplify
configuration.
The
.I  /etc/tacplus_servers
file is normally installed as part of the
libpam-tacplus package.   See the documentation for that package
for the format.  libpam-tacplus is not required for this command
to function correctly.
.P
The
.I  /etc/audisp/audisp-tac_plus.conf
file can be used to set options specific to the accounting
or to override settings in
.I  /etc/tacplus_servers
for the accounting plugin.
The following variables are used:
.br
.IP debug=NUMBER 16
Enables debugging if non-zero
.br
.IP timeout=NUMBER 16
Enables use of poll() when reading from servers if >= 0.  If not set, or set
to a negative value, disables use of
.BR poll (2).
The value is the number of seconds passed as the 3rd argument to
.BR poll (2).
.br
.IP secret=STRING 16
shared secret for the TACACS+ server encryption (may be given multiple times)
.br
.IP server=IP_ADDR 16
TACACS+ server IP address (may be given multiple times)
.br
The two keywords above can be in any order, but when multiple servers are used,
they should be listed in pairs (if there are more servers than secrets, and
at least one secret follows the servers, the most recently listed secret is
used).
.br
.IP acct=all 16
Send accounting information to all available TACACS+ servers.  Without this
option, accounting information is sent only to the first responding server.
.br
.IP vrf=vrfname 16
If the management network is in a vrf, set this variable to the vrf name.
This would usually be "mgmt"
When this variable is set, the connection to the TACACS+ accounting servers
will be made through the named vrf.
.br
.IP service=shell 16
The service type used for accounting messages to the TACACS+ servers.
It is recommended that you don't change this default
.P
.SH LIMITATION
The linux auditd system does not always generate audit events for processes that
are terminated with a signal (via the kill system call or internal errors
such as SIGSEGV). As a result, processes that exit on a signal that isn't caught and
handled may not generate a STOP accounting record.
.SH SEE ALSO
.BR poll (2),
.BR auditd (8),
.BR audispd (8).