Various fixes and cleanups. Adaptation of the preface to mention
that audit is only a part of CURRENT at the moment. The 'tf' audit class removed on rwatson's advice.
parent 77c302b9d9
commit ce2b9149f8
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=27022
1 changed file with 22 additions and 19 deletions
@ -11,7 +11,7 @@ reworded. The sections in question are marked with 'PROTOTYPE' labels in
commentary.
-->
<!-- Need more documenation on praudit, audtreduce, etc. Plus more info
<!-- Need more documentation on praudit, auditreduce, etc. Plus more info
on the triggers from the kernel (log rotation, out of space, etc).
And the /dev/audit special file if we choose to support that. Could use
some coverage of integrating MAC with Event auditing and perhaps discussion
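Review bot: nothing blocking; the spelling fixes (documenation, audtreduce) are correct. The comment still carries open design questions rather than documentation tasks, in particular "the /dev/audit special file if we choose to support that" and the kernel triggers (log rotation, out of space); those belong in a tracked TODO rather than an XML comment, otherwise they are lost once the PROTOTYPE labels mentioned at the top of the hunk are removed.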
@ -40,12 +40,20 @@ requirements. -->
<see>MAC</see>
</indexterm>
<para>The &os; 6.0 operating system release has included
<para>The &os; 7-CURRENT development branch includes
support for Event Auditing based on the &posix;.1e draft and
the &sun; <acronym>BSM</acronym> implementation. Event auditing
permits the selective logging of security-relevant system events
for the purposes of system analysis, system monitoring, and
security evaluation.</para>
security evaluation. After some settling time in &os; 7-CURRENT,
this support will be merged to &os; 6-STABLE and appear
in subsequent releases.</para>
<warning>
<para>The audit facility in FreeBSD is considered experimental, and
production deployment should occur only after careful consideration
of the risks of deploying experimental software.</para>
</warning>
<para>This chapter will focus mainly on the installation and
configuration of Event Auditing. Explanation of audit policies,
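Review bot: the new sentence "this support will be merged to &os; 6-STABLE and appear in subsequent releases" states a plan as a certainty, and handbook text outlives merge plans; phrase it as an expectation ("is expected to be merged") or keep only the 7-CURRENT statement. Two smaller points in the same hunk: the added warning writes "FreeBSD" literally where the surrounding paragraph uses the &os; entity, and "careful consideration of the risks of deploying experimental software" gives an administrator nothing actionable; name the concrete risk the warning is there for (for example that the configuration file syntax or trail format may still change before a release) so the reader can decide.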
@ -325,11 +333,6 @@ requirements. -->
Audit process operations, such as &man.exec.3; and
&man.exit.3;.</para>
</listitem>
<listitem>
<para><option>tf</option> - <literal>tfm</literal> -
I HAVE NO CLUE!</para>
</listitem>
</itemizedlist>
<para>Following is a list of all supported audit prefixes:</para>
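Review bot: dropping the placeholder item is right; "I HAVE NO CLUE!" must not reach a published handbook page, and the removal leaves the enclosing itemizedlist well-formed. One follow-up: the class list now ends with the process-operations item and is shorter than before, while the paragraph that follows introduces "a list of all supported audit prefixes". If the tf class still exists in the installed audit_class file, the class list should not be presented as exhaustive, or the entry should be reinstated with a real description taken from audit_class(5).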
@ -391,7 +394,7 @@ requirements. -->
<sect3 id="audit-auditcontrol">
<title>The <filename>audit_control</filename> File</title>
<para>The <filename>audit_control</filename> contains some basic
<para>The <filename>audit_control</filename> file contains some basic
defaults that the administrator may wish to modify. Perhaps
even set some new ones. Viewing the contents of this file,
we see the following:</para>
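Review bot: adding "file" fixes the subject, but "Perhaps even set some new ones." is still a sentence fragment; fold it into the preceding sentence, e.g. "defaults that the administrator may wish to modify or extend." The following "Viewing the contents of this file, we see the following:" is a dangling modifier as well; "The file contains the following:" is enough to introduce the programlisting.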
@ -401,14 +404,14 @@ flags:lo,ad,-all,^-fa,^-fc,^-cl
minfree:20
naflags:lo</programlisting>
<para>The <option>dir</option> is used to set the default
<para>The <option>dir</option> option is used to set the default
directory where audit logs are stored.</para>
<para>The <option>flags</option> is used to set the system-wide
defaults. The current setting,
<para>The <option>flags</option> option is used to set the
system-wide defaults. The current setting,
<option>lo,ad,-all,^-fa,^-fc,^-cl</option> audits all system
&man.login.1; and &man.logout.1; actions, all administrator
actions, all failed events in the system, and finally disable
actions, all failed events in the system, and finally disables
auditing of failed attempts for <option>fa</option>,
<option>fc</option>, and <option>cl</option>. Even though
the <option>-all</option> turned on the auditing of all
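Review bot: the option element is the wrong markup here: dir, flags, minfree and naflags are keywords of the audit_control file, not command-line options, and the same goes for the flag string lo,ad,-all,^-fa,^-fc,^-cl and for fa, fc and cl; use literal (or varname for the keywords) so the rendered text does not suggest switches to a command. Separately, the prose in this hunk explains dir and flags only; minfree:20 and naflags:lo appear in the listing just above, so confirm the text below the hunk says what each does rather than leaving the reader to guess from the names. The "disable" to "disables" fix is correct.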
@ -440,8 +443,8 @@ naflags:lo</programlisting>
<sect3 id="audit-audituser">
<title>The <filename>audit_user</filename> File</title>
<para>The <filename>audit_user</filename> permits the
administrator to map audit specific events to directly
<para>The <filename>audit_user</filename> file permits the
administrator to map audit specific events directly
to users. This adds a finer-grained control mechanism
for all system users.</para>
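Review bot: "audit specific events" needs a hyphen ("audit-specific events"), and the sentence is still vague about what is mapped: the entries in the programlisting that follows (the audit:fc:no line visible in the next hunk header) are per-user flag sets, not events. Say that the file assigns audit flags to individual users, overriding the system-wide defaults from audit_control, so "finer-grained control mechanism" has a concrete meaning.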
@ -459,7 +462,7 @@ audit:fc:no</programlisting>
other auditing for the <username>audit</username>
user. While event auditing does not require a special
user exist, some configurations, specifically environments
making use of <acronym>MAC</acronym> may require it.</para>
making use of <acronym>MAC</acronym>, may require it.</para>
</sect3>
</sect2>
</sect1>
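Review bot: the comma after the acronym is correct, but the sentence also needs "that": "does not require that a special user exist". While here, "some configurations, specifically environments making use of MAC, may require it" is a claim the reader cannot act on; say which MAC configuration needs the audit user, or point to the MAC chapter where that is explained.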
@ -469,14 +472,14 @@ audit:fc:no</programlisting>
<para>Events from the <command>auditd</command> daemon cannot
be altered or read in plain text. Data is stored and accessed
in a method similar to that of &man.ktrace.1; and &man.kdump.1,
in a method similar to that of &man.ktrace.1; and &man.kdump.1;,
that is, they may only be viewed by dumping them using the
<command>praudit</command> or <command>auditreduce</command>
utilities.</para>
<para>There are two utilities because of different requirements.
For example, the <command>praudit</command> will dump the entire
contents of a specified audit log in plain text. To dump an
For example, the <command>praudit</command> utility will dump the
entire contents of a specified audit log in plain text. To dump an
audit log in its entirety, use:</para>
<screen>&prompt.root; <userinput>praudit /var/audit/AUDITFILE</userinput></screen>
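Review bot: the entity fix is needed (&man.kdump.1 without its semicolon is not a well-formed reference), but the first sentence of the hunk is wrong as a security statement: "Events from the auditd daemon cannot be altered" is not true of a trail file under /var/audit that root can write to; what the text means is that the trail is stored in a binary format rather than plain text. Suggest "Audit trails written by auditd are stored in a binary format, not plain text, and are read with praudit or auditreduce", and keep the ktrace/kdump comparison as an analogy for the on-disk format only, since it implies no integrity protection either. Also, AUDITFILE in the screen example stands in for a real trail name and should be marked with replaceable.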