Document that praudit(1) can be run on auditpipe(4) devices, allowing the
administrator to track the live event stream without worrying about trail files being rotated, etc.

Obtained from: TrustedBSD Project
parent: daaa92f442
commit: 48a0d60e07
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=28716
1 changed file with 36 additions and 0 deletions
@ -532,6 +532,42 @@ www:fc,+ex:no</programlisting>
<replaceable>AUDITFILE</replaceable> file.</para>
</sect2>
<sect2>
<title>Live Monitoring Using Audit Pipes</title>
<para>Audit pipes are cloning pseudo-devices in the device file system
which allow applications to tap the live audit record stream. This
is primarily of interest to authors of intrusion detection and
system monitoring applications. However, for the administrator the
audit pipe device is a convenient way to allow live monitoring
without running into problems with audit trail file ownership or
log rotation interrupting the event stream. To track the live audit
event stream, use the following command line</para>
<screen>&prompt.root; <userinput>praudit /dev/auditpipe</userinput></screen>
<para>By default, audit pipe device nodes are accessible only to the
root user. To make them accessible to the members of the
<literal>audit</literal> group, add a <literal>devfs</literal> rule
to <filename>devfs.rules</filename>:
<programlisting>add path 'auditpipe*' mode 0440 group audit</programlisting>
<para>See &man.devfs.rules.5; for more information on configuring
the devfs file system.</para>
<warning>
<para>It is easy to produce audit event feedback cycles, in which
the viewing of each audit event results in the generation of more
audit events. For example, if all network I/O is audited, and
praudit is run from an SSH session, then a continuous stream of
audit events will be generated at a high rate, as each event
being printed will generate another event. It is advisable to run
praudit on an audit pipe device from sessions without fine-grained
I/O auditing in order to avoid this happening.</para>
</warning>
</sect2>
<sect2>
<title>Rotating Audit Trail Files</title>
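Review bot: the paragraph opened by `<para>By default, audit pipe device nodes are accessible only to the` is never closed; the line `to <filename>devfs.rules</filename>:` runs straight into the `<programlisting>` and then into `<para>See &man.devfs.rules.5; for more information on configuring`, which nests a para inside a para and will not validate. Add `</para>` after the colon, matching the pattern used earlier in the same hunk where the paragraph before the `<screen>` ends with `command line</para>`. A smaller documentation point: `add path 'auditpipe*' mode 0440 group audit` on its own is not a complete devfs.rules entry. It needs to sit under a ruleset header such as `[localrules=10]`, and that ruleset has to be selected (for example with devfs_system_ruleset="localrules" in rc.conf) before the mode and group change is applied to the nodes; a sentence saying so, or a pointer to that part of devfs.rules(5), would save readers a failed first attempt.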