White space fix only. Translators can ignore.
Sponsored by: iXsystems
parent
587869fc26
commit
a469227e20
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44379
1 changed files with 352 additions and 368 deletions
|
@ -44,16 +44,16 @@ requirements. -->
|
||||||
<see>MAC</see>
|
<see>MAC</see>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>The &os; operating system includes support for
|
<para>The &os; operating system includes support for security
|
||||||
security event auditing. Event auditing supports reliable,
|
event auditing. Event auditing supports reliable, fine-grained,
|
||||||
fine-grained, and configurable logging of a variety of
|
and configurable logging of a variety of security-relevant
|
||||||
security-relevant system events, including logins, configuration
|
system events, including logins, configuration changes, and file
|
||||||
changes, and file and network access. These log records can be
|
and network access. These log records can be invaluable for
|
||||||
invaluable for live system monitoring, intrusion detection, and
|
live system monitoring, intrusion detection, and postmortem
|
||||||
postmortem analysis. &os; implements &sun;'s published Basic
|
analysis. &os; implements &sun;'s published Basic Security
|
||||||
Security Module (<acronym>BSM</acronym>) Application Programming
|
Module (<acronym>BSM</acronym>) Application Programming
|
||||||
Interface (<acronym>API</acronym>) and file format, and is interoperable
|
Interface (<acronym>API</acronym>) and file format, and is
|
||||||
with the &solaris; and &macos; X audit
|
interoperable with the &solaris; and &macos; X audit
|
||||||
implementations.</para>
|
implementations.</para>
|
||||||
|
|
||||||
<para>This chapter focuses on the installation and configuration
|
<para>This chapter focuses on the installation and configuration
|
||||||
|
@ -82,14 +82,14 @@ requirements. -->
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Understand &unix; and &os; basics
|
<para>Understand &unix; and &os; basics (<xref
|
||||||
(<xref linkend="basics"/>).</para>
|
linkend="basics"/>).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Be familiar with the basics of kernel
|
<para>Be familiar with the basics of kernel
|
||||||
configuration/compilation
|
configuration/compilation (<xref
|
||||||
(<xref linkend="kernelconfig"/>).</para>
|
linkend="kernelconfig"/>).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
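Review bot: style point on the reflowed list items in this hunk: the new wrapping splits the `<xref` start tag from its `linkend="basics"` and `linkend="kernelconfig"` attributes across a line break. That is still well-formed XML, but a single-line search such as grep for `xref linkend="basics"` no longer finds the reference, and the same split pattern recurs later in this patch with `<systemitem` and `class="username">`. Where the column limit allows, keeping each `<xref .../>` on one line is easier to search and matches how `<filename>` and `<literal>` elements are kept whole elsewhere in this hunk.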
@ -99,22 +99,21 @@ requirements. -->
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>The audit facility has some known limitations.
|
<para>The audit facility has some known limitations. Not all
|
||||||
Not all security-relevant system events are
|
security-relevant system events are auditable and some login
|
||||||
auditable and some login mechanisms, such as
|
mechanisms, such as <application>Xorg</application>-based
|
||||||
<application>Xorg</application>-based display managers and third-party daemons, do not
|
display managers and third-party daemons, do not properly
|
||||||
properly configure auditing for user login sessions.</para>
|
configure auditing for user login sessions.</para>
|
||||||
|
|
||||||
<para>The security event auditing facility is able to generate
|
<para>The security event auditing facility is able to generate
|
||||||
very detailed logs of system activity. On a busy system, trail
|
very detailed logs of system activity. On a busy system,
|
||||||
file data can be very large when configured for high detail,
|
trail file data can be very large when configured for high
|
||||||
exceeding gigabytes a week in some configurations.
|
detail, exceeding gigabytes a week in some configurations.
|
||||||
Administrators should take into account the disk space
|
Administrators should take into account the disk space
|
||||||
requirements associated with high volume audit configurations.
|
requirements associated with high volume audit configurations.
|
||||||
For example, it may be desirable to dedicate a file system to
|
For example, it may be desirable to dedicate a file system to
|
||||||
<filename>/var/audit</filename>
|
<filename>/var/audit</filename> so that other file systems are
|
||||||
so that other file systems are not affected if the audit file
|
not affected if the audit file system becomes full.</para>
|
||||||
system becomes full.</para>
|
|
||||||
</warning>
|
</warning>
|
||||||
</sect1>
|
</sect1>
|
||||||
|
|
||||||
|
@ -132,23 +131,23 @@ requirements. -->
|
||||||
a file, the building of a network connection, or a user
|
a file, the building of a network connection, or a user
|
||||||
logging in. Events are either <quote>attributable</quote>,
|
logging in. Events are either <quote>attributable</quote>,
|
||||||
meaning that they can be traced to an authenticated user, or
|
meaning that they can be traced to an authenticated user, or
|
||||||
<quote>non-attributable</quote>. Examples
|
<quote>non-attributable</quote>. Examples of
|
||||||
of non-attributable events are any events that occur before
|
non-attributable events are any events that occur before
|
||||||
authentication in the login process, such as bad password
|
authentication in the login process, such as bad password
|
||||||
attempts.</para>
|
attempts.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis>class</emphasis>: a named set
|
<para><emphasis>class</emphasis>: a named set of related
|
||||||
of related events which are used in selection expressions.
|
events which are used in selection expressions. Commonly
|
||||||
Commonly used classes of events include <quote>file
|
used classes of events include <quote>file creation</quote>
|
||||||
creation</quote> (fc), <quote>exec</quote> (ex), and
|
(fc), <quote>exec</quote> (ex), and
|
||||||
<quote>login_logout</quote> (lo).</para>
|
<quote>login_logout</quote> (lo).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis>record</emphasis>: an audit log
|
<para><emphasis>record</emphasis>: an audit log entry
|
||||||
entry describing a security event. Records contain a record
|
describing a security event. Records contain a record
|
||||||
event type, information on the subject (user) performing the
|
event type, information on the subject (user) performing the
|
||||||
action, date and time information, information on any
|
action, date and time information, information on any
|
||||||
objects or arguments, and a success or failure
|
objects or arguments, and a success or failure
|
||||||
|
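Review bot: naming inconsistency worth a follow-up (not in scope for a whitespace-only commit): the class definition in this hunk describes the `fc` class as "file creation", while the Default Audit Event Classes table later in this same file lists `fc` as "file create". Aligning the two wordings, for example by using the table's "file create" here, would make the class list and the table easier to cross-reference.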
@ -156,28 +155,27 @@ requirements. -->
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis>trail</emphasis>: a log file
|
<para><emphasis>trail</emphasis>: a log file consisting of a
|
||||||
consisting of a series of audit records describing security
|
series of audit records describing security events. Trails
|
||||||
events. Trails are in roughly chronological
|
are in roughly chronological order with respect to the time
|
||||||
order with respect to the time events completed. Only
|
events completed. Only authorized processes are allowed to
|
||||||
authorized processes are allowed to commit records to the
|
commit records to the audit trail.</para>
|
||||||
audit trail.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis>selection expression</emphasis>: a
|
<para><emphasis>selection expression</emphasis>: a string
|
||||||
string containing a list of prefixes and
|
containing a list of prefixes and audit event class names
|
||||||
audit event class names used to match events.</para>
|
used to match events.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis>preselection</emphasis>: the process by which
|
<para><emphasis>preselection</emphasis>: the process by which
|
||||||
the system identifies which events are of interest to the
|
the system identifies which events are of interest to the
|
||||||
administrator. The
|
administrator. The preselection configuration uses a series
|
||||||
preselection configuration uses a series of selection
|
of selection expressions to identify which classes of events
|
||||||
expressions to identify which classes of events to audit for
|
to audit for which users, as well as global settings that
|
||||||
which users, as well as global settings that apply to both
|
apply to both authenticated and unauthenticated
|
||||||
authenticated and unauthenticated processes.</para>
|
processes.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -198,8 +196,8 @@ requirements. -->
|
||||||
<title>Audit Configuration</title>
|
<title>Audit Configuration</title>
|
||||||
|
|
||||||
<para>User space support for event auditing is installed as part
|
<para>User space support for event auditing is installed as part
|
||||||
of the base &os; operating system. Kernel support can be enabled
|
of the base &os; operating system. Kernel support can be
|
||||||
by adding the following line to
|
enabled by adding the following line to
|
||||||
<filename>/etc/rc.conf</filename>:</para>
|
<filename>/etc/rc.conf</filename>:</para>
|
||||||
|
|
||||||
<programlisting>auditd_enable="YES"</programlisting>
|
<programlisting>auditd_enable="YES"</programlisting>
|
||||||
|
@ -208,8 +206,7 @@ requirements. -->
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>service auditd start</userinput></screen>
|
<screen>&prompt.root; <userinput>service auditd start</userinput></screen>
|
||||||
|
|
||||||
<para>Users who prefer to compile
|
<para>Users who prefer to compile a custom kernel must include the
|
||||||
a custom kernel must include the
|
|
||||||
following line in their custom kernel configuration file:</para>
|
following line in their custom kernel configuration file:</para>
|
||||||
|
|
||||||
<programlisting>options AUDIT</programlisting>
|
<programlisting>options AUDIT</programlisting>
|
||||||
|
@ -227,10 +224,10 @@ requirements. -->
|
||||||
right, and two expressions are combined by appending one onto
|
right, and two expressions are combined by appending one onto
|
||||||
the other.</para>
|
the other.</para>
|
||||||
|
|
||||||
<para><xref linkend="event-selection"/> summarizes the default audit event
|
<para><xref linkend="event-selection"/> summarizes the default
|
||||||
classes:</para>
|
audit event classes:</para>
|
||||||
|
|
||||||
<table xml:id="event-selection" frame="none" pgwide="1">
|
<table xml:id="event-selection" frame="none" pgwide="1">
|
||||||
<title>Default Audit Event Classes</title>
|
<title>Default Audit Event Classes</title>
|
||||||
|
|
||||||
<tgroup cols="3">
|
<tgroup cols="3">
|
||||||
|
@ -242,150 +239,147 @@ requirements. -->
|
||||||
</row>
|
</row>
|
||||||
</thead>
|
</thead>
|
||||||
|
|
||||||
<tbody>
|
<tbody>
|
||||||
<row>
|
<row>
|
||||||
<entry>all</entry>
|
<entry>all</entry>
|
||||||
<entry>all</entry>
|
<entry>all</entry>
|
||||||
<entry>Match all event classes.</entry>
|
<entry>Match all event classes.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>aa</entry>
|
<entry>aa</entry>
|
||||||
<entry>authentication and authorization</entry>
|
<entry>authentication and authorization</entry>
|
||||||
<entry></entry>
|
<entry></entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>ad</entry>
|
<entry>ad</entry>
|
||||||
<entry>administrative</entry>
|
<entry>administrative</entry>
|
||||||
<entry>Administrative
|
<entry>Administrative actions performed on the system as
|
||||||
actions performed on the system as a whole.</entry>
|
a whole.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>ap</entry>
|
<entry>ap</entry>
|
||||||
<entry>application</entry>
|
<entry>application</entry>
|
||||||
<entry>Application defined
|
<entry>Application defined action.</entry>
|
||||||
action.</entry>
|
</row>
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>cl</entry>
|
<entry>cl</entry>
|
||||||
<entry>file close</entry>
|
<entry>file close</entry>
|
||||||
<entry>Audit calls to the
|
<entry>Audit calls to the
|
||||||
<function>close</function> system call.</entry>
|
<function>close</function> system call.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>ex</entry>
|
<entry>ex</entry>
|
||||||
<entry>exec</entry>
|
<entry>exec</entry>
|
||||||
<entry>Audit program execution. Auditing of command line
|
<entry>Audit program execution. Auditing of command
|
||||||
arguments and environmental variables is controlled via
|
line arguments and environmental variables is
|
||||||
&man.audit.control.5; using the <literal>argv</literal>
|
controlled via &man.audit.control.5; using the
|
||||||
and <literal>envv</literal> parameters to the
|
<literal>argv</literal> and <literal>envv</literal>
|
||||||
<literal>policy</literal> setting.</entry>
|
parameters to the <literal>policy</literal>
|
||||||
</row>
|
setting.</entry>
|
||||||
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>fa</entry>
|
<entry>fa</entry>
|
||||||
<entry>file attribute access</entry>
|
<entry>file attribute access</entry>
|
||||||
<entry>Audit the
|
<entry>Audit the access of object attributes such as
|
||||||
access of object attributes such as &man.stat.1; and
|
&man.stat.1; and &man.pathconf.2;.</entry>
|
||||||
&man.pathconf.2;.</entry>
|
</row>
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>fc</entry>
|
<entry>fc</entry>
|
||||||
<entry>file create</entry>
|
<entry>file create</entry>
|
||||||
<entry>Audit events where a
|
<entry>Audit events where a file is created as a
|
||||||
file is created as a result.</entry>
|
result.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>fd</entry>
|
<entry>fd</entry>
|
||||||
<entry>file delete</entry>
|
<entry>file delete</entry>
|
||||||
<entry>Audit events where file
|
<entry>Audit events where file deletion occurs.</entry>
|
||||||
deletion occurs.</entry>
|
</row>
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>fm</entry>
|
<entry>fm</entry>
|
||||||
<entry>file attribute modify</entry>
|
<entry>file attribute modify</entry>
|
||||||
<entry>Audit events
|
<entry>Audit events where file attribute modification
|
||||||
where file attribute modification occurs, such as by
|
occurs, such as by &man.chown.8;, &man.chflags.1;, and
|
||||||
&man.chown.8;, &man.chflags.1;, and &man.flock.2;.</entry>
|
&man.flock.2;.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>fr</entry>
|
<entry>fr</entry>
|
||||||
<entry>file read</entry>
|
<entry>file read</entry>
|
||||||
<entry>Audit events in which data is read or files are opened for
|
<entry>Audit events in which data is read or files are
|
||||||
reading.</entry>
|
opened for reading.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>fw</entry>
|
<entry>fw</entry>
|
||||||
<entry>file write</entry>
|
<entry>file write</entry>
|
||||||
<entry>Audit events in which
|
<entry>Audit events in which data is written or files
|
||||||
data is written or files are written or modified.</entry>
|
are written or modified.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>io</entry>
|
<entry>io</entry>
|
||||||
<entry>ioctl</entry>
|
<entry>ioctl</entry>
|
||||||
<entry>Audit use of the <function>ioctl</function> system call.</entry>
|
<entry>Audit use of the <function>ioctl</function>
|
||||||
</row>
|
system call.</entry>
|
||||||
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>ip</entry>
|
<entry>ip</entry>
|
||||||
<entry>ipc</entry>
|
<entry>ipc</entry>
|
||||||
<entry>Audit various forms of Inter-Process Communication,
|
<entry>Audit various forms of Inter-Process
|
||||||
including POSIX pipes and System V <acronym>IPC</acronym>
|
Communication, including POSIX pipes and System V
|
||||||
operations.</entry>
|
<acronym>IPC</acronym> operations.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>lo</entry>
|
<entry>lo</entry>
|
||||||
<entry>login_logout</entry>
|
<entry>login_logout</entry>
|
||||||
<entry>Audit &man.login.1;
|
<entry>Audit &man.login.1; and &man.logout.1;
|
||||||
and &man.logout.1; events.</entry>
|
events.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>na</entry>
|
<entry>na</entry>
|
||||||
<entry>non attributable</entry>
|
<entry>non attributable</entry>
|
||||||
<entry>Audit
|
<entry>Audit non-attributable events.</entry>
|
||||||
non-attributable events.</entry>
|
</row>
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>no</entry>
|
<entry>no</entry>
|
||||||
<entry>invalid class</entry>
|
<entry>invalid class</entry>
|
||||||
<entry>Match no audit
|
<entry>Match no audit events.</entry>
|
||||||
events.</entry>
|
</row>
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>nt</entry>
|
<entry>nt</entry>
|
||||||
<entry>network</entry>
|
<entry>network</entry>
|
||||||
<entry>Audit events related to network actions such as
|
<entry>Audit events related to network actions such as
|
||||||
&man.connect.2; and &man.accept.2;.</entry>
|
&man.connect.2; and &man.accept.2;.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>ot</entry>
|
<entry>ot</entry>
|
||||||
<entry>other</entry>
|
<entry>other</entry>
|
||||||
<entry>Audit miscellaneous events.</entry>
|
<entry>Audit miscellaneous events.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>pc</entry>
|
<entry>pc</entry>
|
||||||
<entry>process</entry>
|
<entry>process</entry>
|
||||||
<entry>Audit process operations such as &man.exec.3; and
|
<entry>Audit process operations such as &man.exec.3; and
|
||||||
&man.exit.3;.</entry>
|
&man.exit.3;.</entry>
|
||||||
</row>
|
</row>
|
||||||
</tbody>
|
</tbody>
|
||||||
</tgroup>
|
</tgroup>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<para>These audit event classes may be customized by modifying
|
<para>These audit event classes may be customized by modifying
|
||||||
|
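Review bot: missing documentation in the Default Audit Event Classes table: the `aa` (authentication and authorization) row still has an empty description `<entry></entry>`, which both sides of this hunk carry unchanged. Every other class in the table has a one-sentence description, so the rendered table shows a blank cell for `aa`. This commit is whitespace-only, so it should not change that here, but a follow-up could fill the cell with a description in the same style as the other rows, for instance "Audit authentication and authorization events." (wording to be confirmed against the audit_class and audit_event definitions).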
@ -398,7 +392,7 @@ requirements. -->
|
||||||
class and type. <xref linkend="event-prefixes"/> summarizes
|
class and type. <xref linkend="event-prefixes"/> summarizes
|
||||||
the available prefixes:</para>
|
the available prefixes:</para>
|
||||||
|
|
||||||
<table xml:id="event-prefixes" frame="none" pgwide="1">
|
<table xml:id="event-prefixes" frame="none" pgwide="1">
|
||||||
<title>Prefixes for Audit Event Classes</title>
|
<title>Prefixes for Audit Event Classes</title>
|
||||||
|
|
||||||
<tgroup cols="2">
|
<tgroup cols="2">
|
||||||
|
@ -409,42 +403,39 @@ requirements. -->
|
||||||
</row>
|
</row>
|
||||||
</thead>
|
</thead>
|
||||||
|
|
||||||
<tbody>
|
<tbody>
|
||||||
<row>
|
<row>
|
||||||
<entry>+</entry>
|
<entry>+</entry>
|
||||||
<entry>Audit successful events in this
|
<entry>Audit successful events in this class.</entry>
|
||||||
class.</entry>
|
</row>
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>-</entry>
|
<entry>-</entry>
|
||||||
<entry>Audit failed events in this
|
<entry>Audit failed events in this class.</entry>
|
||||||
class.</entry>
|
</row>
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>^</entry>
|
<entry>^</entry>
|
||||||
<entry>Audit neither successful nor
|
<entry>Audit neither successful nor failed events in
|
||||||
failed events in this class.</entry>
|
this class.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>^+</entry>
|
<entry>^+</entry>
|
||||||
<entry>Do not audit successful events
|
<entry>Do not audit successful events in this
|
||||||
in this class.</entry>
|
class.</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>^-</entry>
|
<entry>^-</entry>
|
||||||
<entry>Do not audit failed events in
|
<entry>Do not audit failed events in this class.</entry>
|
||||||
this class.</entry>
|
</row>
|
||||||
</row>
|
</tbody>
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
</tgroup>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<para>If no prefix is present, both successful and failed instances of
|
<para>If no prefix is present, both successful and failed
|
||||||
the event will be audited.</para>
|
instances of the event will be audited.</para>
|
||||||
|
|
||||||
<para>The following example selection string selects both
|
<para>The following example selection string selects both
|
||||||
successful and failed login/logout events, but only successful
|
successful and failed login/logout events, but only successful
|
||||||
|
@ -456,53 +447,55 @@ requirements. -->
|
||||||
<sect2>
|
<sect2>
|
||||||
<title>Configuration Files</title>
|
<title>Configuration Files</title>
|
||||||
|
|
||||||
<para>The following configuration files for security event auditing are found in
|
<para>The following configuration files for security event
|
||||||
<filename>/etc/security</filename>:</para>
|
auditing are found in
|
||||||
|
<filename>/etc/security</filename>:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>audit_class</filename>: contains the
|
<para><filename>audit_class</filename>: contains the
|
||||||
definitions of the audit classes.</para>
|
definitions of the audit classes.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>audit_control</filename>: controls aspects
|
<para><filename>audit_control</filename>: controls aspects
|
||||||
of the audit subsystem, such as default audit classes,
|
of the audit subsystem, such as default audit classes,
|
||||||
minimum disk space to leave on the audit log volume, and
|
minimum disk space to leave on the audit log volume, and
|
||||||
maximum audit trail size.</para>
|
maximum audit trail size.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>audit_event</filename>: textual names and
|
<para><filename>audit_event</filename>: textual names and
|
||||||
descriptions of system audit events and a list of
|
descriptions of system audit events and a list of which
|
||||||
which classes each event is in.</para>
|
classes each event is in.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>audit_user</filename>: user-specific audit
|
<para><filename>audit_user</filename>: user-specific audit
|
||||||
requirements to be combined with the global defaults at
|
requirements to be combined with the global defaults at
|
||||||
login.</para>
|
login.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>audit_warn</filename>: a customizable shell
|
<para><filename>audit_warn</filename>: a customizable shell
|
||||||
script used by &man.auditd.8; to generate warning messages
|
script used by &man.auditd.8; to generate warning messages
|
||||||
in exceptional situations, such as when space for audit
|
in exceptional situations, such as when space for audit
|
||||||
records is running low or when the audit trail file has
|
records is running low or when the audit trail file has
|
||||||
been rotated.</para>
|
been rotated.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>Audit configuration files should be edited and maintained
|
<para>Audit configuration files should be edited and
|
||||||
carefully, as errors in configuration may result in improper
|
maintained carefully, as errors in configuration may result
|
||||||
logging of events.</para>
|
in improper logging of events.</para>
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
<para>In most cases, administrators will only need to modify
|
<para>In most cases, administrators will only need to modify
|
||||||
<filename>audit_control</filename> and <filename>audit_user</filename>.
|
<filename>audit_control</filename> and
|
||||||
The first file controls system-wide audit properties and policies and
|
<filename>audit_user</filename>. The first file controls
|
||||||
the second file may be used to fine-tune auditing by user.</para>
|
system-wide audit properties and policies and the second file
|
||||||
|
may be used to fine-tune auditing by user.</para>
|
||||||
|
|
||||||
<sect3 xml:id="audit-auditcontrol">
|
<sect3 xml:id="audit-auditcontrol">
|
||||||
<title>The <filename>audit_control</filename> File</title>
|
<title>The <filename>audit_control</filename> File</title>
|
||||||
|
@ -535,7 +528,8 @@ expire-after:10M</programlisting>
|
||||||
<para>The <option>flags</option> field sets the system-wide
|
<para>The <option>flags</option> field sets the system-wide
|
||||||
default preselection mask for attributable events. In the
|
default preselection mask for attributable events. In the
|
||||||
example above, successful and failed login/logout events as
|
example above, successful and failed login/logout events as
|
||||||
well as authentication and authorization are audited for all users.</para>
|
well as authentication and authorization are audited for all
|
||||||
|
users.</para>
|
||||||
|
|
||||||
<para>The <option>minfree</option> entry defines the minimum
|
<para>The <option>minfree</option> entry defines the minimum
|
||||||
percentage of free space for the file system where the audit
|
percentage of free space for the file system where the audit
|
||||||
|
@ -543,29 +537,27 @@ expire-after:10M</programlisting>
|
||||||
|
|
||||||
<para>The <option>naflags</option> entry specifies audit
|
<para>The <option>naflags</option> entry specifies audit
|
||||||
classes to be audited for non-attributed events, such as the
|
classes to be audited for non-attributed events, such as the
|
||||||
login/logout process and authentication and authorization.</para>
|
login/logout process and authentication and
|
||||||
|
authorization.</para>
|
||||||
|
|
||||||
<para>The <option>policy</option> entry specifies a
|
<para>The <option>policy</option> entry specifies a
|
||||||
comma-separated list of policy flags controlling various
|
comma-separated list of policy flags controlling various
|
||||||
aspects of audit behavior. The
|
aspects of audit behavior. The <literal>cnt</literal>
|
||||||
<literal>cnt</literal> indicates that the system should
|
indicates that the system should continue running despite an
|
||||||
continue running despite an auditing failure (this flag is
|
auditing failure (this flag is highly recommended). The
|
||||||
highly recommended). The other flag,
|
other flag, <literal>argv</literal>, causes command line
|
||||||
<literal>argv</literal>, causes command line arguments
|
arguments to the &man.execve.2; system call to be audited as
|
||||||
to the &man.execve.2; system call to be audited as part of
|
part of command execution.</para>
|
||||||
command execution.</para>
|
|
||||||
|
|
||||||
<para>The <option>filesz</option> entry specifies the maximum
|
<para>The <option>filesz</option> entry specifies the maximum
|
||||||
size for an audit trail before
|
size for an audit trail before automatically terminating and
|
||||||
automatically terminating and rotating the trail file. A
|
rotating the trail file. A value of <literal>0</literal>
|
||||||
value of <literal>0</literal> disables automatic log rotation. If the
|
disables automatic log rotation. If the requested file size
|
||||||
requested file size is below the minimum of 512k,
|
is below the minimum of 512k, it will be ignored and a log
|
||||||
it will be ignored and a log message will be
|
message will be generated.</para>
|
||||||
generated.</para>
|
|
||||||
|
|
||||||
<para>The <option>expire-after</option> field specifies when
|
<para>The <option>expire-after</option> field specifies when
|
||||||
audit log files will expire and be removed.</para>
|
audit log files will expire and be removed.</para>
|
||||||
|
|
||||||
</sect3>
|
</sect3>
|
||||||
|
|
||||||
<sect3 xml:id="audit-audituser">
|
<sect3 xml:id="audit-audituser">
|
||||||
|
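Review bot: grammar follow-up in the reflowed `policy` paragraph: "The <literal>cnt</literal> indicates that the system should continue running" is missing its noun, and reads oddly next to "The other flag, <literal>argv</literal>" two lines later. Since this commit is whitespace-only it correctly leaves the text alone, but a separate commit could change it to "The <literal>cnt</literal> flag indicates that the system should continue running". The same paragraph's "minimum of 512k" would also benefit from the explicit unit used elsewhere in the chapter.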
@ -574,22 +566,21 @@ expire-after:10M</programlisting>
|
||||||
<para>The administrator can specify further audit requirements
|
<para>The administrator can specify further audit requirements
|
||||||
for specific users in <filename>audit_user</filename>.
|
for specific users in <filename>audit_user</filename>.
|
||||||
Each line configures auditing for a user via two fields:
|
Each line configures auditing for a user via two fields:
|
||||||
the <literal>alwaysaudit</literal> field
|
the <literal>alwaysaudit</literal> field specifies a set of
|
||||||
specifies a set of events that should always be
|
events that should always be audited for the user, and the
|
||||||
audited for the user, and the
|
<literal>neveraudit</literal> field specifies a set of
|
||||||
<literal>neveraudit</literal> field specifies a set
|
events that should never be audited for the user.</para>
|
||||||
of events that should never be audited for the user.</para>
|
|
||||||
|
|
||||||
<para>The following example entries
|
<para>The following example entries audit login/logout events
|
||||||
audit login/logout events and successful command execution
|
and successful command execution for <systemitem
|
||||||
for <systemitem class="username">root</systemitem> and
|
class="username">root</systemitem> and file creation and
|
||||||
file creation and successful command execution for
|
successful command execution for <systemitem
|
||||||
<systemitem class="username">www</systemitem>. If used with
|
class="username">www</systemitem>. If used with the
|
||||||
the default <filename>audit_control</filename>, the
|
default <filename>audit_control</filename>, the
|
||||||
<literal>lo</literal> entry for
|
<literal>lo</literal> entry for <systemitem
|
||||||
<systemitem class="username">root</systemitem> is redundant,
|
class="username">root</systemitem> is redundant, and
|
||||||
and login/logout events will also be audited for
|
login/logout events will also be audited for <systemitem
|
||||||
<systemitem class="username">www</systemitem>.</para>
|
class="username">www</systemitem>.</para>
|
||||||
|
|
||||||
<programlisting>root:lo,+ex:no
|
<programlisting>root:lo,+ex:no
|
||||||
www:fc,+ex:no</programlisting>
|
www:fc,+ex:no</programlisting>
|
||||||
|
@ -600,35 +591,33 @@ www:fc,+ex:no</programlisting>
|
||||||
<sect1 xml:id="audit-administration">
|
<sect1 xml:id="audit-administration">
|
||||||
<title>Working with Audit Trails</title>
|
<title>Working with Audit Trails</title>
|
||||||
|
|
||||||
<para>Since audit trails are stored in the
|
<para>Since audit trails are stored in the <acronym>BSM</acronym>
|
||||||
<acronym>BSM</acronym> binary format, several built-in tools
|
binary format, several built-in tools are available to modify or
|
||||||
are available to modify or convert these trails to text.
|
convert these trails to text. To convert trail files to a
|
||||||
To convert trail files to a simple text
|
simple text format, use <command>praudit</command>. To reduce
|
||||||
format, use <command>praudit</command>. To reduce
|
the audit trail file for analysis, archiving, or printing
|
||||||
the audit trail file for analysis, archiving, or printing
|
purposes, use <command>auditreduce</command>. This utility
|
||||||
purposes, use <command>auditreduce</command>. This utility supports a variety of selection parameters,
|
supports a variety of selection parameters, including event
|
||||||
including event type, event class, user,
|
type, event class, user, date or time of the event, and the file
|
||||||
date or time of the event, and the file path or object acted
|
path or object acted on.</para>
|
||||||
on.</para>
|
|
||||||
|
|
||||||
<para>For example, to dump the entire
|
<para>For example, to dump the entire contents of a specified
|
||||||
contents of a specified audit log in plain text:</para>
|
audit log in plain text:</para>
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>praudit /var/audit/<replaceable>AUDITFILE</replaceable></userinput></screen>
|
<screen>&prompt.root; <userinput>praudit /var/audit/<replaceable>AUDITFILE</replaceable></userinput></screen>
|
||||||
|
|
||||||
<para>Where
|
<para>Where <replaceable>AUDITFILE</replaceable> is the audit log
|
||||||
<replaceable>AUDITFILE</replaceable> is
|
to dump.</para>
|
||||||
the audit log to dump.</para>
|
|
||||||
|
|
||||||
<para>Audit trails consist of a series of audit records made up
|
<para>Audit trails consist of a series of audit records made up of
|
||||||
of tokens, which <command>praudit</command> prints sequentially, one per
|
tokens, which <command>praudit</command> prints sequentially,
|
||||||
line. Each token is of a specific type, such as
|
one per line. Each token is of a specific type, such as
|
||||||
<literal>header</literal> (an audit record header) or
|
<literal>header</literal> (an audit record header) or
|
||||||
<literal>path</literal> (a file path from a name
|
<literal>path</literal> (a file path from a name lookup). The
|
||||||
lookup). The following is an example of an
|
following is an example of an
|
||||||
<literal>execve</literal> event:</para>
|
<literal>execve</literal> event:</para>
|
||||||
|
|
||||||
<programlisting>header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
|
<programlisting>header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
|
||||||
exec arg,finger,doug
|
exec arg,finger,doug
|
||||||
path,/usr/bin/finger
|
path,/usr/bin/finger
|
||||||
attribute,555,root,wheel,90,24918,104944
|
attribute,555,root,wheel,90,24918,104944
|
||||||
|
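Review bot: the one thing to verify in a reflow of this section is that `<screen>` and `<programlisting>` content is untouched, since whitespace inside those elements is rendered verbatim; here the `praudit /var/audit/AUDITFILE` screen line and the visible lines of the `execve` record listing (`header,133,10,execve(2),...` through `attribute,555,root,wheel,90,24918,104944`) are identical on both sides, so the hunk is safe. The only over-long prose line, `purposes, use <command>auditreduce</command>. This utility supports a variety of selection parameters,`, is split on the new side without changing a word.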
@ -636,72 +625,66 @@ subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
|
||||||
return,success,0
|
return,success,0
|
||||||
trailer,133</programlisting>
|
trailer,133</programlisting>
|
||||||
|
|
||||||
<para>This audit represents a successful
|
<para>This audit represents a successful
|
||||||
<literal>execve</literal> call, in which the command
|
<literal>execve</literal> call, in which the command
|
||||||
<literal>finger doug</literal> has been run. The <literal>exec arg</literal>
|
<literal>finger doug</literal> has been run. The
|
||||||
token contains the processed command line presented by
|
<literal>exec arg</literal> token contains the processed command
|
||||||
the shell to the kernel. The <literal>path</literal> token
|
line presented by the shell to the kernel. The
|
||||||
holds the path to the executable as looked up by the kernel.
|
<literal>path</literal> token holds the path to the executable
|
||||||
The <literal>attribute</literal> token describes the binary
|
as looked up by the kernel. The <literal>attribute</literal>
|
||||||
and includes the file mode. The
|
token describes the binary and includes the file mode. The
|
||||||
<literal>subject</literal> token
|
<literal>subject</literal> token stores the audit user ID,
|
||||||
stores the audit user ID, effective
|
effective user ID and group ID, real user ID and group ID,
|
||||||
user ID and group ID, real user ID and group ID, process ID,
|
process ID, session ID, port ID, and login address. Notice that
|
||||||
session ID, port ID, and login address. Notice that the audit
|
the audit user ID and real user ID differ as the user
|
||||||
user ID and real user ID differ as the user
|
<systemitem class="username">robert</systemitem> switched to the
|
||||||
<systemitem class="username">robert</systemitem> switched
|
<systemitem class="username">root</systemitem> account before
|
||||||
to the <systemitem class="username">root</systemitem> account
|
running this command, but it is audited using the original
|
||||||
before running this command, but it is audited using the
|
authenticated user. The <literal>return</literal> token
|
||||||
original authenticated user. The
|
indicates the successful execution and the
|
||||||
<literal>return</literal> token indicates the successful
|
<literal>trailer</literal> concludes the record.</para>
|
||||||
execution and the <literal>trailer</literal> concludes the
|
|
||||||
record.</para>
|
|
||||||
|
|
||||||
<para><acronym>XML</acronym> output format is also supported
|
<para><acronym>XML</acronym> output format is also supported and
|
||||||
and can be selected by including
|
can be selected by including <option>-x</option>.</para>
|
||||||
<option>-x</option>.</para>
|
|
||||||
|
|
||||||
<para>Since audit logs may be very large, a
|
<para>Since audit logs may be very large, a subset of records can
|
||||||
subset of records can be selected using
|
be selected using <command>auditreduce</command>. This example
|
||||||
<command>auditreduce</command>. This example selects all
|
selects all audit records produced for the user
|
||||||
audit records produced for the user
|
<replaceable>trhodes</replaceable> stored in
|
||||||
<replaceable>trhodes</replaceable> stored in
|
<replaceable>AUDITFILE</replaceable>:</para>
|
||||||
<replaceable>AUDITFILE</replaceable>:</para>
|
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>auditreduce -u <replaceable>trhodes</replaceable> /var/audit/<replaceable>AUDITFILE</replaceable> | praudit</userinput></screen>
|
<screen>&prompt.root; <userinput>auditreduce -u <replaceable>trhodes</replaceable> /var/audit/<replaceable>AUDITFILE</replaceable> | praudit</userinput></screen>
|
||||||
|
|
||||||
<para>Members of the
|
<para>Members of the <systemitem
|
||||||
<systemitem class="groupname">audit</systemitem> group have
|
class="groupname">audit</systemitem> group have permission to
|
||||||
permission to read audit trails in
|
read audit trails in <filename>/var/audit</filename>. By
|
||||||
<filename>/var/audit</filename>. By default, this group is
|
default, this group is empty, so only the <systemitem
|
||||||
empty, so only the
|
class="username">root</systemitem> user can read audit trails.
|
||||||
<systemitem class="username">root</systemitem> user can read
|
Users may be added to the <systemitem
|
||||||
audit trails. Users may be added to the
|
class="groupname">audit</systemitem> group in order to
|
||||||
<systemitem class="groupname">audit</systemitem> group in
|
delegate audit review rights. As the ability to track audit log
|
||||||
order to delegate audit review rights. As the
|
contents provides significant insight into the behavior of users
|
||||||
ability to track audit log contents provides significant
|
and processes, it is recommended that the delegation of audit
|
||||||
insight into the behavior of users and processes, it is
|
review rights be performed with caution.</para>
|
||||||
recommended that the delegation of audit review rights be
|
|
||||||
performed with caution.</para>
|
|
||||||
|
|
||||||
<sect2>
|
<sect2>
|
||||||
<title>Live Monitoring Using Audit Pipes</title>
|
<title>Live Monitoring Using Audit Pipes</title>
|
||||||
|
|
||||||
<para>Audit pipes are cloning pseudo-devices
|
<para>Audit pipes are cloning pseudo-devices which allow
|
||||||
which allow applications to tap the live audit record
|
applications to tap the live audit record stream. This is
|
||||||
stream. This is primarily of interest to authors of intrusion
|
primarily of interest to authors of intrusion detection and
|
||||||
detection and system monitoring applications. However,
|
system monitoring applications. However, the audit pipe
|
||||||
the audit pipe device is a convenient way for the administrator to
|
device is a convenient way for the administrator to allow live
|
||||||
allow live monitoring without running into problems with audit
|
monitoring without running into problems with audit trail file
|
||||||
trail file ownership or log rotation interrupting the event
|
ownership or log rotation interrupting the event stream. To
|
||||||
stream. To track the live audit event stream:</para>
|
track the live audit event stream:</para>
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>praudit /dev/auditpipe</userinput></screen>
|
<screen>&prompt.root; <userinput>praudit /dev/auditpipe</userinput></screen>
|
||||||
|
|
||||||
<para>By default, audit pipe device nodes are accessible only to
|
<para>By default, audit pipe device nodes are accessible only to
|
||||||
the <systemitem class="username">root</systemitem> user. To
|
the <systemitem class="username">root</systemitem> user. To
|
||||||
make them accessible to the members of the
|
make them accessible to the members of the <systemitem
|
||||||
<systemitem class="groupname">audit</systemitem> group, add a
|
class="groupname">audit</systemitem> group, add a
|
||||||
<literal>devfs</literal> rule to
|
<literal>devfs</literal> rule to
|
||||||
<filename>/etc/devfs.rules</filename>:</para>
|
<filename>/etc/devfs.rules</filename>:</para>
|
||||||
|
|
||||||
|
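Review bot: this hunk wraps `<systemitem` away from its `class="groupname">audit</systemitem>` continuation three times (twice in the audit-group paragraph, once in the audit-pipe paragraph) and from `class="username">root</systemitem>` once, the same attribute-boundary split raised on the first hunk; if the convention is to keep inline elements on one line, these are the lines to re-wrap. Otherwise the hunk is whitespace only: the `auditreduce -u trhodes /var/audit/AUDITFILE | praudit` and `praudit /dev/auditpipe` screen lines are unchanged, and the `/etc/devfs.rules` listing that the closing paragraph introduces lies outside the hunk, so it was not touched.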
@ -714,12 +697,14 @@ trailer,133</programlisting>
|
||||||
<para>It is easy to produce audit event feedback cycles, in
|
<para>It is easy to produce audit event feedback cycles, in
|
||||||
which the viewing of each audit event results in the
|
which the viewing of each audit event results in the
|
||||||
generation of more audit events. For example, if all
|
generation of more audit events. For example, if all
|
||||||
network <acronym>I/O</acronym> is audited, and <command>praudit</command> is run from an
|
network <acronym>I/O</acronym> is audited, and
|
||||||
<acronym>SSH</acronym> session, a continuous stream of audit events will
|
<command>praudit</command> is run from an
|
||||||
be generated at a high rate, as each event being printed
|
<acronym>SSH</acronym> session, a continuous stream of audit
|
||||||
will generate another event. For this reason, it is advisable to run
|
events will be generated at a high rate, as each event being
|
||||||
<command>praudit</command> on an audit pipe device from sessions
|
printed will generate another event. For this reason, it is
|
||||||
without fine-grained <acronym>I/O</acronym> auditing.</para>
|
advisable to run <command>praudit</command> on an audit pipe
|
||||||
|
device from sessions without fine-grained
|
||||||
|
<acronym>I/O</acronym> auditing.</para>
|
||||||
</warning>
|
</warning>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
|
@ -740,9 +725,8 @@ trailer,133</programlisting>
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>audit -n</userinput></screen>
|
<screen>&prompt.root; <userinput>audit -n</userinput></screen>
|
||||||
|
|
||||||
<para>If &man.auditd.8; is not currently running, this
|
<para>If &man.auditd.8; is not currently running, this command
|
||||||
command will fail and an error message will be
|
will fail and an error message will be produced.</para>
|
||||||
produced.</para>
|
|
||||||
|
|
||||||
<para>Adding the following line to
|
<para>Adding the following line to
|
||||||
<filename>/etc/crontab</filename> will schedule this rotation
|
<filename>/etc/crontab</filename> will schedule this rotation
|
||||||
|
@ -765,8 +749,8 @@ trailer,133</programlisting>
|
||||||
customized operations for a variety of audit-related events,
|
customized operations for a variety of audit-related events,
|
||||||
including the clean termination of audit trails when they are
|
including the clean termination of audit trails when they are
|
||||||
rotated. For example, the following may be added to
|
rotated. For example, the following may be added to
|
||||||
<filename>/etc/security/audit_warn</filename> to compress audit
|
<filename>/etc/security/audit_warn</filename> to compress
|
||||||
trails on close:</para>
|
audit trails on close:</para>
|
||||||
|
|
||||||
<programlisting>#
|
<programlisting>#
|
||||||
# Compress audit trail files on close.
|
# Compress audit trail files on close.
|
||||||
|
|