Update audit handbook chapter:
- Clean up a few more phrasing nits.
- Extend sections on audit_control to document filesz and policy entries, and to specifically mention argv, envv, and cnt policy flags. This brings the audit documentation up-to-date for OpenBSM 1.0 alpha 12.

Obtained from: TrustedBSD Project
parent 3a22779fc0
commit b6389e9431
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=28744
1 changed files with 33 additions and 12 deletions
@ -122,8 +122,8 @@ requirements. -->
<para><emphasis>event</emphasis>: An auditable event is any event
that can be logged using the audit subsystem.
Examples of security-relevant events include the creation of
a file, the building of a network connection, or the logging
in of a user. Events are either <quote>attributable</quote>,
a file, the building of a network connection, or a user logging in.
Events are either <quote>attributable</quote>,
meaning that they can be traced to an authenticated user, or
<quote>non-attributable</quote> if they cannot be.
Examples of non-attributable events are any events that occur
@ -163,9 +163,9 @@ requirements. -->
<listitem>
<para><emphasis>preselection</emphasis>: The process by which the
system identifies which events are of interest in order to avoid
generating audit records describing events that are not of
interest to the administrator. The preselection configuration
system identifies which events are of interest to the administrator
in order to avoid generating audit records describing events that
are not of interest. The preselection configuration
uses a series of selection expressions to identify which classes
of events to audit for which users, as well as global settings
that apply to both authenticated and unauthenticated
@ -189,9 +189,9 @@ requirements. -->
<title>Installing Audit Support</title>
<para>User space support for Event Auditing is installed as part of the
base &os; operating as of 6.2-RELEASE. However, kernel support for
Event Auditing must also be configured, which is done by adding the
following lines to the local configuration file:</para>
base &os; operating as of 6.2-RELEASE. However, Event Auditing support
must be explicitly compiled into the kernel by adding the following
lines to the kernel configuration file:</para>
<programlisting>options AUDIT</programlisting>
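Review bot: both the old and the new wording of this paragraph read "base &os; operating as of 6.2-RELEASE", which drops the noun; since the hunk is already rewriting that sentence, change it to "base &os; operating system as of 6.2-RELEASE".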
@ -228,7 +228,7 @@ requirements. -->
<para><filename>audit_control</filename> - Controls aspects
of the audit subsystem, such as default audit classes,
minimum disk space to leave on the audit log volume,
etc.</para>
maximum audit trail size, etc.</para>
</listitem>
<listitem>
@ -238,7 +238,7 @@ requirements. -->
</listitem>
<listitem>
<para><filename>audit_user</filename> - Any user-specific audit
<para><filename>audit_user</filename> - User-specific audit
requirements, which are combined with the global defaults at
login.</para>
</listitem>
@ -297,7 +297,10 @@ requirements. -->
<listitem>
<para><option>ex</option> - <literal>exec</literal> - Audit
program or utility execution.</para>
program execution. Auditing of command line arguments and
environmental variables is controlled via &man.audit.control.5;
using the <literal>argv</literal> and <literal>envv</literal>
parameters to the <literal>policy</literal> setting.</para>
</listitem>
<listitem>
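Review bot: "environmental variables" should be "environment variables", the usual term for what the <literal>envv</literal> flag records. It would also help to state here that argument and environment auditing is off unless those flags are added to <literal>policy</literal>: the sample <filename>audit_control</filename> later in this change lists only <literal>policy:cnt</literal>, so a reader enabling the <literal>ex</literal> class alone may otherwise expect argv to appear in the trail.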
@ -450,7 +453,9 @@ requirements. -->
<programlisting>dir:/var/audit
flags:lo
minfree:20
naflags:lo</programlisting>
naflags:lo
policy:cnt
filesz:0</programlisting>
<para>The <option>dir</option> option is used to set one or more
directories where audit logs will be stored. If more than one
@ -474,6 +479,22 @@ naflags:lo</programlisting>
<para>The <option>naflags</option> option specifies audit classes to
be audited for non-attributed events, such as the login process
and system daemons.</para>
<para>The <option>policy</option> option specifies a comma-separated
list of policy flags controlling various aspects of audit
behavior. The default <literal>cnt</literal> flag indicates that
the system should continue running despite an auditing failure
(this flag is highly recommended). Another commonly used flag is
<literal>argv</literal>, which causes command line arguments to
the &man.execve.2; system call to audited as part of command
execution.</para>
<para>The <option>filesz</option> option specifies the maximum size
in bytes to allow an audit trail file to grow to before
automatically terminating and rotating the trail file. The
default, 0, disables automatic log rotation. If the requested
file size is non-zero and below the minimum 512k, it will be
ignored and a log message will be generated.</para>
</sect3>
<sect3 id="audit-audituser">
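Review bot: the new <option>policy</option> paragraph documents <literal>cnt</literal> and <literal>argv</literal> but not <literal>envv</literal>, even though the <literal>ex</literal> class entry earlier in this change sends readers here for both flags; add a sentence for <literal>envv</literal>. "the &man.execve.2; system call to audited as part of command execution" is missing "be" ("to be audited"). "(this flag is highly recommended)" would carry more weight if the paragraph said what the system does on an audit failure when <literal>cnt</literal> is absent, so the reader knows what the recommendation protects against. In the <option>filesz</option> paragraph, "the minimum 512k" follows a sentence that gives the size "in bytes"; spell the unit out so the two are not read inconsistently.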