diff --git a/en_US.ISO8859-1/books/handbook/audit/chapter.sgml b/en_US.ISO8859-1/books/handbook/audit/chapter.sgml index 6e8eba549d..8e1b239c0a 100644 --- a/en_US.ISO8859-1/books/handbook/audit/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/audit/chapter.sgml @@ -216,7 +216,7 @@ requirements. --> Audit Configuration All configuration files for security audit are found in - /etc/security. The following + /etc/security. The following files must be present before the audit daemon is started: @@ -246,7 +246,7 @@ requirements. --> audit_warn - A customizable shell script - used by auditd to generate warning messages in exceptional + used by auditd to generate warning messages in exceptional situations, such as when space for audit records is running low or when the audit trail file has been rotated. @@ -275,29 +275,29 @@ requirements. --> - - all - Match all + all - all - Match all event classes. - - administrative + ad - administrative - Administrative actions performed on the system as a whole. - - application - + ap - application - Application defined action. - - file_close - + cl - file close - Audit calls to the close system call. - - exec - Audit + ex - exec - Audit program execution. Auditing of command line arguments and environmental variables is controlled via &man.audit.control.5; using the argv and envv @@ -305,80 +305,80 @@ requirements. --> - - file_attr_acc + fa - file attribute access - Audit the access of object attributes such as &man.stat.1;, &man.pathconf.2; and similar events. - - file_creation + fc - file create - Audit events where a file is created as a result. - - file_deletion + fd - file delete - Audit events where file deletion occurs. - - file_attr_mod + fm - file attribute modify - Audit events where file attribute modification occurs, such as &man.chown.8;, &man.chflags.1;, &man.flock.2;, etc. - - file_read + fr - file read - Audit events in which data is read, files are opened for reading, etc. - - file_write - + fw - file write - Audit events in which data is written, files are written or modified, etc. - - ioctl - Audit + io - ioctl - Audit use of the &man.ioctl.2; system call. - - ipc - Audit + ip - ipc - Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations. - - login_logout - + lo - login_logout - Audit &man.login.1; and &man.logout.1; events occurring on the system. - - non_attrib - + na - non attributable - Audit non-attributable events. - - no_class - + no - invalid class - Match no audit events. - - network - + nt - network - Audit events related to network actions, such as &man.connect.2; and &man.accept.2;. - - other - + ot - other - Audit miscellaneous events. - - process - + pc - process - Audit process operations, such as &man.exec.3; and &man.exit.3;. @@ -416,12 +416,12 @@ requirements. --> - ^+ Don't audit successful events in this + ^+ Do not audit successful events in this class. - ^- Don't audit failed events in this + ^- Do not audit failed events in this class. @@ -487,7 +487,7 @@ filesz:0 the system should continue running despite an auditing failure (this flag is highly recommended). Another commonly used flag is argv, which causes command line arguments to - the &man.execve.2; system call to audited as part of command + the &man.execve.2; system call to be audited as part of command execution. The option specifies the maximum size @@ -513,12 +513,12 @@ filesz:0 The following example audit_user file audits login/logout events and successful command execution for - the root user, and audits file creation and successful command - execution for the www user. + the root user, and audits file creation and successful command + execution for the www user. If used with the example audit_control file - above, the lo entry for root + above, the lo entry for root is redundant, and login/logout events will also be audited for the - www user. + www user. root:lo,+ex:no www:fc,+ex:no @@ -534,9 +534,9 @@ www:fc,+ex:no Viewing Audit Trails Audit trails are stored in the BSM binary format, so tools must - be used to modify or convert to text. The praudit - command convert trail files to a simple text format; the - auditreduce command may be used to reduce the + be used to modify or convert to text. The &man.praudit.1; + command converts trail files to a simple text format; the + &man.auditreduce.1; command may be used to reduce the audit trail file for analysis, archiving, or printing purposes. auditreduce supports a variety of selection parameters, including event type, event class, user, date or time of @@ -547,7 +547,7 @@ www:fc,+ex:no &prompt.root; praudit /var/audit/AUDITFILE - Where AUDITFILE is the audit log to + Where AUDITFILE is the audit log to dump. Audit trails consist of a series of audit records made up of @@ -569,18 +569,18 @@ trailer,133 This audit represents a successful execve call, in which the command finger doug has been run. The arguments token contains both the processed command line presented - by the shell to the kernel. The path token holds the path to the - executable as looked up by the kernel. The attribute token + by the shell to the kernel. The path token holds the path to the + executable as looked up by the kernel. The attribute token describes the binary, and in particular, includes the file mode which can be used to determine if the application was setuid. - The subject token describes the subject process, and stores in + The subject token describes the subject process, and stores in sequence the audit user ID, effective user ID and group ID, real user ID and group ID, process ID, session ID, port ID, and login address. Notice that the audit user ID and real user ID differ: - the user robert has switched to the - root account before running this command, but + the user robert has switched to the + root account before running this command, but it is audited using the original authenticated user. Finally, the - return token indicates the successful execution, and the trailer + return token indicates the successful execution, and the trailer concludes the record. @@ -622,7 +622,7 @@ trailer,133 audit pipe device is a convenient way to allow live monitoring without running into problems with audit trail file ownership or log rotation interrupting the event stream. To track the live audit - event stream, use the following command line + event stream, use the following command line: &prompt.root; praudit /dev/auditpipe @@ -640,10 +640,10 @@ trailer,133 It is easy to produce audit event feedback cycles, in which the viewing of each audit event results in the generation of more audit events. For example, if all network I/O is audited, and - praudit is run from an SSH session, then a continuous stream of + &man.praudit.1; is run from an SSH session, then a continuous stream of audit events will be generated at a high rate, as each event being printed will generate another event. It is advisable to run - praudit on an audit pipe device from sessions without fine-grained + praudit on an audit pipe device from sessions without fine-grained I/O auditing in order to avoid this happening.