Whitespace-only fixes, translators please ignore.

This commit is contained in:
Warren Block 2014-01-30 05:46:42 +00:00
parent 29e20c7dfa
commit ca45fcb5d3
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43688


@ -9,16 +9,32 @@ And the /dev/audit special file if we choose to support that. Could use
some coverage of integrating MAC with Event auditing and perhaps discussion some coverage of integrating MAC with Event auditing and perhaps discussion
on how some companies or organizations handle auditing and auditing on how some companies or organizations handle auditing and auditing
requirements. --> requirements. -->
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="audit">
<info><title>Security Event Auditing</title> <chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="audit">
<info>
<title>Security Event Auditing</title>
<authorgroup> <authorgroup>
<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author> <author>
<author><personname><firstname>Robert</firstname><surname>Watson</surname></personname></author> <personname>
<firstname>Tom</firstname>
<surname>Rhodes</surname>
</personname>
<contrib>Written by </contrib>
</author>
<author>
<personname>
<firstname>Robert</firstname>
<surname>Watson</surname>
</personname>
</author>
</authorgroup> </authorgroup>
</info> </info>
<sect1 xml:id="audit-synopsis"> <sect1 xml:id="audit-synopsis">
<title>Synopsis</title> <title>Synopsis</title>
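Review bot: the trailing space inside `<contrib>Written by </contrib>` is preserved on the new side, which matters because that text is rendered directly in front of the author name; make sure no later whitespace-cleanup pass trims it. Splitting the `<chapter>` start tag to one attribute per line and the authorgroup to one element per line matches the indentation already used by the rest of the file, so no rendered output change is expected from this hunk.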
@ -189,8 +205,8 @@ requirements. -->
<programlisting>options AUDIT</programlisting> <programlisting>options AUDIT</programlisting>
<para>Rebuild and reinstall <para>Rebuild and reinstall the kernel via the normal process
the kernel via the normal process explained in <xref linkend="kernelconfig"/>.</para> explained in <xref linkend="kernelconfig"/>.</para>
<para>Once an audit-enabled kernel is built, installed, and the <para>Once an audit-enabled kernel is built, installed, and the
system has been rebooted, enable the audit daemon by adding the system has been rebooted, enable the audit daemon by adding the
@ -208,9 +224,8 @@ requirements. -->
<title>Audit Configuration</title> <title>Audit Configuration</title>
<para>All configuration files for security audit are found in <para>All configuration files for security audit are found in
<filename>/etc/security</filename>. The <filename>/etc/security</filename>. The following files must be
following files must be present before the audit daemon is present before the audit daemon is started:</para>
started:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -257,13 +272,13 @@ requirements. -->
<para>Selection expressions are used in a number of places in <para>Selection expressions are used in a number of places in
the audit configuration to determine which events should be the audit configuration to determine which events should be
audited. Expressions contain a list of event classes to match, audited. Expressions contain a list of event classes to
each with a prefix indicating whether matching records should match, each with a prefix indicating whether matching records
be accepted or ignored, and optionally to indicate if the should be accepted or ignored, and optionally to indicate if
entry is intended to match successful or failed operations. the entry is intended to match successful or failed
Selection expressions are evaluated from left to right, and operations. Selection expressions are evaluated from left to
two expressions are combined by appending one onto the right, and two expressions are combined by appending one onto
other.</para> the other.</para>
<para>The following list contains the default audit event <para>The following list contains the default audit event
classes present in <filename>audit_class</filename>:</para> classes present in <filename>audit_class</filename>:</para>
@ -478,9 +493,9 @@ filesz:0</programlisting>
will be generated. The above example sets the minimum free will be generated. The above example sets the minimum free
space to twenty percent.</para> space to twenty percent.</para>
<para>The <option>naflags</option> entry specifies audit classes <para>The <option>naflags</option> entry specifies audit
to be audited for non-attributed events, such as the login classes to be audited for non-attributed events, such as the
process and system daemons.</para> login process and system daemons.</para>
<para>The <option>policy</option> entry specifies a <para>The <option>policy</option> entry specifies a
comma-separated list of policy flags controlling various comma-separated list of policy flags controlling various
@ -514,13 +529,14 @@ filesz:0</programlisting>
of events that should never be audited for the user.</para> of events that should never be audited for the user.</para>
<para>The following example <filename>audit_user</filename> <para>The following example <filename>audit_user</filename>
audits login/logout events and successful command audits login/logout events and successful command execution
execution for <systemitem class="username">root</systemitem>, and audits for <systemitem class="username">root</systemitem>, and
file creation and successful command execution for audits file creation and successful command execution for
<systemitem class="username">www</systemitem>. If used with the above example <systemitem class="username">www</systemitem>. If used with
<filename>audit_control</filename>, the the above example <filename>audit_control</filename>, the
<literal>lo</literal> entry for <systemitem class="username">root</systemitem> is <literal>lo</literal> entry for
redundant, and login/logout events will also be audited for <systemitem class="username">root</systemitem> is redundant,
and login/logout events will also be audited for
<systemitem class="username">www</systemitem>.</para> <systemitem class="username">www</systemitem>.</para>
<programlisting>root:lo,+ex:no <programlisting>root:lo,+ex:no
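Review bot: the reflow stops at `<programlisting>root:lo,+ex:no`, which is correct, since whitespace inside a programlisting is rendered verbatim and rewrapping it would have changed the example. The rewrapped paragraph still describes the same configuration as the listing (login/logout plus successful command execution for root, file creation plus successful command execution for www), so prose and example remain consistent.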
@ -541,9 +557,9 @@ www:fc,+ex:no</programlisting>
format; the &man.auditreduce.1; command may be used to reduce format; the &man.auditreduce.1; command may be used to reduce
the audit trail file for analysis, archiving, or printing the audit trail file for analysis, archiving, or printing
purposes. A variety of selection parameters are supported by purposes. A variety of selection parameters are supported by
&man.auditreduce.1;, including event type, event class, &man.auditreduce.1;, including event type, event class, user,
user, date or time of the event, and the file path or object date or time of the event, and the file path or object acted
acted on.</para> on.</para>
<para>For example, &man.praudit.1; will dump the entire <para>For example, &man.praudit.1; will dump the entire
contents of a specified audit log in plain text:</para> contents of a specified audit log in plain text:</para>
@ -584,12 +600,13 @@ trailer,133</programlisting>
user ID and group ID, real user ID and group ID, process ID, user ID and group ID, real user ID and group ID, process ID,
session ID, port ID, and login address. Notice that the audit session ID, port ID, and login address. Notice that the audit
user ID and real user ID differ: the user user ID and real user ID differ: the user
<systemitem class="username">robert</systemitem> has switched to the <systemitem class="username">robert</systemitem> has switched
<systemitem class="username">root</systemitem> account before running this command, to the <systemitem class="username">root</systemitem> account
but it is audited using the original authenticated user. before running this command, but it is audited using the
Finally, the <literal>return</literal> token indicates the original authenticated user. Finally, the
successful execution, and the <literal>trailer</literal> <literal>return</literal> token indicates the successful
concludes the record.</para> execution, and the <literal>trailer</literal> concludes the
record.</para>
<para><acronym>XML</acronym> output format is also supported by <para><acronym>XML</acronym> output format is also supported by
&man.praudit.1;, and can be selected using &man.praudit.1;, and can be selected using
@ -613,15 +630,19 @@ trailer,133</programlisting>
<sect2> <sect2>
<title>Delegating Audit Review Rights</title> <title>Delegating Audit Review Rights</title>
<para>Members of the <systemitem class="groupname">audit</systemitem> group are <para>Members of the
given permission to read audit trails in <filename>/var/audit</filename>; by default, this <systemitem class="groupname">audit</systemitem> group are
group is empty, so only the <systemitem class="username">root</systemitem> user given permission to read audit trails in
may read audit trails. Users may be added to the <filename>/var/audit</filename>; by default, this group is
<systemitem class="groupname">audit</systemitem> group in order to delegate audit empty, so only the
review rights to the user. As the ability to track audit log <systemitem class="username">root</systemitem> user may read
contents provides significant insight into the behavior of audit trails. Users may be added to the
users and processes, it is recommended that the delegation of <systemitem class="groupname">audit</systemitem> group in
audit review rights be performed with caution.</para> order to delegate audit review rights to the user. As the
ability to track audit log contents provides significant
insight into the behavior of users and processes, it is
recommended that the delegation of audit review rights be
performed with caution.</para>
</sect2> </sect2>
<sect2> <sect2>
@ -640,9 +661,10 @@ trailer,133</programlisting>
<screen>&prompt.root; <userinput>praudit /dev/auditpipe</userinput></screen> <screen>&prompt.root; <userinput>praudit /dev/auditpipe</userinput></screen>
<para>By default, audit pipe device nodes are accessible only to <para>By default, audit pipe device nodes are accessible only to
the <systemitem class="username">root</systemitem> user. To make them accessible the <systemitem class="username">root</systemitem> user. To
to the members of the <systemitem class="groupname">audit</systemitem> group, add make them accessible to the members of the
a <literal>devfs</literal> rule to <systemitem class="groupname">audit</systemitem> group, add a
<literal>devfs</literal> rule to
<filename>devfs.rules</filename>:</para> <filename>devfs.rules</filename>:</para>
<programlisting>add path 'auditpipe*' mode 0440 group audit</programlisting> <programlisting>add path 'auditpipe*' mode 0440 group audit</programlisting>
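Review bot: the devfs rule `add path 'auditpipe*' mode 0440 group audit` is left untouched, as it should be in a whitespace-only commit, and the rewrapped paragraph above still matches it (audit pipe nodes readable by group audit, otherwise root-only). Nothing in this hunk changes the rendered text.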