Whitespace-only fixes, translators please ignore.
This commit is contained in:
parent 29e20c7dfa
commit ca45fcb5d3
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43688
1 changed files with 71 additions and 49 deletions
@ -9,16 +9,32 @@ And the /dev/audit special file if we choose to support that. Could use
some coverage of integrating MAC with Event auditing and perhaps discussion
on how some companies or organizations handle auditing and auditing
requirements. -->
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="audit">
<info><title>Security Event Auditing</title>

<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="audit">

<info>
<title>Security Event Auditing</title>

<authorgroup>
<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author>
<author><personname><firstname>Robert</firstname><surname>Watson</surname></personname></author>
<author>
<personname>
<firstname>Tom</firstname>
<surname>Rhodes</surname>
</personname>
<contrib>Written by </contrib>
</author>

<author>
<personname>
<firstname>Robert</firstname>
<surname>Watson</surname>
</personname>
</author>
</authorgroup>
</info>



<sect1 xml:id="audit-synopsis">
<title>Synopsis</title>
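Review bot: the trailing space in `<contrib>Written by </contrib>` is preserved when the element moves onto its own line, which is correct, because that space is what separates the contribution text from the author name in the rendered output; it is the one place in this hunk where whitespace inside an element is significant, so a whitespace-only pass should leave it exactly as it appears here.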
|
@ -189,8 +205,8 @@ requirements. -->

<programlisting>options AUDIT</programlisting>

<para>Rebuild and reinstall
the kernel via the normal process explained in <xref linkend="kernelconfig"/>.</para>
<para>Rebuild and reinstall the kernel via the normal process
explained in <xref linkend="kernelconfig"/>.</para>

<para>Once an audit-enabled kernel is built, installed, and the
system has been rebooted, enable the audit daemon by adding the
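Review bot: the rewrapped paragraph matches the removed one word-for-word, so there is nothing to change; since the commit message promises whitespace-only edits, the quickest check across all the hunks is `git diff -w` (or `svn diff -x -w` against the original revision), which should come back empty.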
|
@ -208,9 +224,8 @@ requirements. -->
<title>Audit Configuration</title>

<para>All configuration files for security audit are found in
<filename>/etc/security</filename>. The
following files must be present before the audit daemon is
started:</para>
<filename>/etc/security</filename>. The following files must be
present before the audit daemon is started:</para>

<itemizedlist>
<listitem>
|
@ -257,13 +272,13 @@ requirements. -->

<para>Selection expressions are used in a number of places in
the audit configuration to determine which events should be
audited. Expressions contain a list of event classes to match,
each with a prefix indicating whether matching records should
be accepted or ignored, and optionally to indicate if the
entry is intended to match successful or failed operations.
Selection expressions are evaluated from left to right, and
two expressions are combined by appending one onto the
other.</para>
audited. Expressions contain a list of event classes to
match, each with a prefix indicating whether matching records
should be accepted or ignored, and optionally to indicate if
the entry is intended to match successful or failed
operations. Selection expressions are evaluated from left to
right, and two expressions are combined by appending one onto
the other.</para>

<para>The following list contains the default audit event
classes present in <filename>audit_class</filename>:</para>
|
@ -478,9 +493,9 @@ filesz:0</programlisting>
will be generated. The above example sets the minimum free
space to twenty percent.</para>

<para>The <option>naflags</option> entry specifies audit classes
to be audited for non-attributed events, such as the login
process and system daemons.</para>
<para>The <option>naflags</option> entry specifies audit
classes to be audited for non-attributed events, such as the
login process and system daemons.</para>

<para>The <option>policy</option> entry specifies a
comma-separated list of policy flags controlling various
|
@ -514,13 +529,14 @@ filesz:0</programlisting>
of events that should never be audited for the user.</para>

<para>The following example <filename>audit_user</filename>
audits login/logout events and successful command
execution for <systemitem class="username">root</systemitem>, and audits
file creation and successful command execution for
<systemitem class="username">www</systemitem>. If used with the above example
<filename>audit_control</filename>, the
<literal>lo</literal> entry for <systemitem class="username">root</systemitem> is
redundant, and login/logout events will also be audited for
audits login/logout events and successful command execution
for <systemitem class="username">root</systemitem>, and
audits file creation and successful command execution for
<systemitem class="username">www</systemitem>. If used with
the above example <filename>audit_control</filename>, the
<literal>lo</literal> entry for
<systemitem class="username">root</systemitem> is redundant,
and login/logout events will also be audited for
<systemitem class="username">www</systemitem>.</para>

<programlisting>root:lo,+ex:no
|
@ -541,9 +557,9 @@ www:fc,+ex:no</programlisting>
format; the &man.auditreduce.1; command may be used to reduce
the audit trail file for analysis, archiving, or printing
purposes. A variety of selection parameters are supported by
&man.auditreduce.1;, including event type, event class,
user, date or time of the event, and the file path or object
acted on.</para>
&man.auditreduce.1;, including event type, event class, user,
date or time of the event, and the file path or object acted
on.</para>

<para>For example, &man.praudit.1; will dump the entire
contents of a specified audit log in plain text:</para>
|
@ -584,12 +600,13 @@ trailer,133</programlisting>
user ID and group ID, real user ID and group ID, process ID,
session ID, port ID, and login address. Notice that the audit
user ID and real user ID differ: the user
<systemitem class="username">robert</systemitem> has switched to the
<systemitem class="username">root</systemitem> account before running this command,
but it is audited using the original authenticated user.
Finally, the <literal>return</literal> token indicates the
successful execution, and the <literal>trailer</literal>
concludes the record.</para>
<systemitem class="username">robert</systemitem> has switched
to the <systemitem class="username">root</systemitem> account
before running this command, but it is audited using the
original authenticated user. Finally, the
<literal>return</literal> token indicates the successful
execution, and the <literal>trailer</literal> concludes the
record.</para>

<para><acronym>XML</acronym> output format is also supported by
&man.praudit.1;, and can be selected using
|
@ -613,15 +630,19 @@ trailer,133</programlisting>
<sect2>
<title>Delegating Audit Review Rights</title>

<para>Members of the <systemitem class="groupname">audit</systemitem> group are
given permission to read audit trails in <filename>/var/audit</filename>; by default, this
group is empty, so only the <systemitem class="username">root</systemitem> user
may read audit trails. Users may be added to the
<systemitem class="groupname">audit</systemitem> group in order to delegate audit
review rights to the user. As the ability to track audit log
contents provides significant insight into the behavior of
users and processes, it is recommended that the delegation of
audit review rights be performed with caution.</para>
<para>Members of the
<systemitem class="groupname">audit</systemitem> group are
given permission to read audit trails in
<filename>/var/audit</filename>; by default, this group is
empty, so only the
<systemitem class="username">root</systemitem> user may read
audit trails. Users may be added to the
<systemitem class="groupname">audit</systemitem> group in
order to delegate audit review rights to the user. As the
ability to track audit log contents provides significant
insight into the behavior of users and processes, it is
recommended that the delegation of audit review rights be
performed with caution.</para>
</sect2>

<sect2>
|
@ -640,9 +661,10 @@ trailer,133</programlisting>
<screen>&prompt.root; <userinput>praudit /dev/auditpipe</userinput></screen>

<para>By default, audit pipe device nodes are accessible only to
the <systemitem class="username">root</systemitem> user. To make them accessible
to the members of the <systemitem class="groupname">audit</systemitem> group, add
a <literal>devfs</literal> rule to
the <systemitem class="username">root</systemitem> user. To
make them accessible to the members of the
<systemitem class="groupname">audit</systemitem> group, add a
<literal>devfs</literal> rule to
<filename>devfs.rules</filename>:</para>

<programlisting>add path 'auditpipe*' mode 0440 group audit</programlisting>