<?xml version="1.0" encoding="koi8-r"?>
|
||
<!--
|
||
The FreeBSD Russian Documentation Project
|
||
|
||
$FreeBSDru: frdp/doc/ru_RU.KOI8-R/books/handbook/audit/chapter.xml,v 1.10 2007/06/26 08:38:00 den Exp $
|
||
$FreeBSD$
|
||
|
||
Original revision: r30208
|
||
-->
|
||
|
||
<!-- Need more documentation on praudit, auditreduce, etc. Plus more info
|
||
on the triggers from the kernel (log rotation, out of space, etc).
|
||
And the /dev/audit special file if we choose to support that. Could use
|
||
some coverage of integrating MAC with Event auditing and perhaps discussion
|
||
on how some companies or organizations handle auditing and auditing
|
||
requirements. -->
|
||
<chapter id="audit">
|
||
<chapterinfo>
|
||
<authorgroup>
|
||
<author>
|
||
<firstname>Tom</firstname>
|
||
<surname>Rhodes</surname>
|
||
<contrib>á×ÔÏÒ </contrib>
|
||
</author>
|
||
</authorgroup>
|
||
<authorgroup>
|
||
<author>
|
||
<firstname>äÅÎÉÓ</firstname>
|
||
<surname>âÁÒÏ×</surname>
|
||
<contrib>ðÅÒÅ×ÏÄ ÎÁ ÒÕÓÓËÉÊ ÑÚÙË: </contrib>
|
||
</author>
|
||
</authorgroup>
|
||
</chapterinfo>
|
||
<title>áÕÄÉÔ ÓÏÂÙÔÉÊ ÂÅÚÏÐÁÓÎÏÓÔÉ</title>
|
||
<sect1 id="audit-synopsis">
|
||
<title>ëÒÁÔËÉÊ ÏÂÚÏÒ</title>
|
||
<indexterm><primary>AUDIT</primary></indexterm>
|
||
<indexterm>
|
||
<primary>áÕÄÉÔ ÓÏÂÙÔÉÊ ÂÅÚÏÐÁÓÎÏÓÔÉ</primary>
|
||
<see>MAC</see>
|
||
</indexterm>
|
||
<para>&os; 6.2-RELEASE É ÂÏÌÅÅ ÐÏÚÄÎÉÅ ×ÅÒÓÉÉ &os;
|
||
×ËÌÀÞÁÀÔ × ÓÅÂÑ ÐÏÄÄÅÒÖËÕ ÁÕÄÉÔÁ ÓÏÂÙÔÉÊ ÂÅÚÏÐÁÓÎÏÓÔÉ.
|
||
áÕÄÉÔ ÓÏÂÙÔÉÊ ÄÁÅÔ ÎÁÄÅÖÎÙÊ É ÔÏÞÎÙÊ ÓÐÏÓÏÂ ÄÌÑ
|
||
ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ ÒÁÚÌÉÞÎÙÈ ÓÏÂÙÔÉÊ, Ó×ÑÚÁÎÎÙÈ Ó ÂÅÚÏÐÁÓÎÏÓÔØÀ,
|
||
×ËÌÀÞÁÑ ×ÈÏÄÙ × ÓÉÓÔÅÍÕ, ÉÚÍÅÎÅÎÉÑ ËÏÎÆÉÇÕÒÁÃÉÉ, ÄÏÓÔÕÐ Ë
|
||
ÆÁÊÌÁÍ É ÓÅÔÉ. üÔÉ ÚÁÐÉÓÉ ÍÏÇÕÔ ÂÙÔØ ÎÅÚÁÍÅÎÉÍÙ ÄÌÑ
|
||
ÍÏÎÉÔÏÒÉÎÇÁ ÆÕÎËÃÉÏÎÉÒÕÀÝÅÊ ÓÉÓÔÅÍÙ, ÏÂÎÁÒÕÖÅÎÉÑ ×ÔÏÒÖÅÎÉÊ
|
||
É ÄÌÑ ÁÎÁÌÉÚÁ ÓÏÂÙÔÉÊ, ÐÒÉ×ÅÄÛÉÈ Ë ËÒÁÈÕ ÓÉÓÔÅÍÙ.
|
||
÷ &os; ÒÅÁÌÉÚÏ×ÁÎ ÏÐÕÂÌÉËÏ×ÁÎÎÙÊ &sun; <acronym>BSM</acronym>
|
||
API É ÆÏÒÍÁÔ ÆÁÊÌÁ, ËÏÔÏÒÙÊ ÓÏ×ÍÅÓÔÉÍ Ó ÒÅÁÌÉÚÁÃÉÑÍÉ
|
||
ÁÕÄÉÔÁ × &sun; &solaris; É &apple; &macos; X.</para>
|
||
|
||
<para>÷ ÜÔÏÊ ÇÌÁ×Å ÏÐÉÓÙ×ÁÅÔÓÑ, × ÏÓÎÏ×ÎÏÍ, ÐÒÏÃÅÓÓ ÕÓÔÁÎÏ×ËÉ É
|
||
ËÏÎÆÉÇÕÒÉÒÏ×ÁÎÉÑ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ. ÷ ÔÏÍ ÞÉÓÌÅ, ÐÒÉ×ÏÄÉÔÓÑ
|
||
ÒÁÚßÑÓÎÅÎÉÅ ÐÏÌÉÔÉË ÁÕÄÉÔÁ, Á ÔÁË ÖÅ ÄÁÀÔÓÑ ÐÒÉÍÅÒÙ ËÏÎÆÉÇÕÒÁÃÉÏÎÎÙÈ
|
||
ÆÁÊÌÏ×.</para>
|
||
|
||
<para>ðÏÓÌÅ ÐÒÏÞÔÅÎÉÑ ÜÔÏÊ ÇÌÁ×Ù ×Ù ÂÕÄÅÔÅ ÚÎÁÔØ:</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>þÔÏ ÔÁËÏÅ ÓÉÓÔÅÍÁ ÁÕÄÉÔÁ É ËÁË ÏÎÁ ÒÁÂÏÔÁÅÔ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>ëÁË ÎÁÓÔÒÏÉÔØ ÁÕÄÉÔ ×Ï &os; ÄÌÑ ÍÏÎÉÔÏÒÉÎÇÁ
|
||
ÐÏÌØÚÏ×ÁÔÅÌÅÊ É ÐÒÏÃÅÓÓÏ×.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>ëÁË ÐÒÏÓÍÁÔÒÉ×ÁÔØ ÖÕÒÎÁÌ ÁÕÄÉÔÁ, ÉÓÐÏÌØÚÏ×ÁÔØ ÏÇÒÁÎÉÞÅÎÉÑ ÐÏ
|
||
ÒÁÚÍÅÒÕ É ÓÐÅÃÉÁÌØÎÙÅ ÉÎÓÔÒÕÍÅÎÔÙ ÄÌÑ ÅÇÏ ÐÒÏÓÍÏÔÒÁ.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>ðÅÒÅÄ ÐÒÏÞÔÅÎÉÅÍ ÜÔÏÊ ÇÌÁ×Ù ×Ù ÄÏÌÖÎÙ:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>ðÏÎÉÍÁÔØ ÏÓÎÏ×Ù &unix; É &os;
|
||
(<xref linkend="basics"/>).</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>õÍÅÔØ ËÏÎÆÉÇÕÒÉÒÏ×ÁÔØ É ËÏÍÐÉÌÉÒÏ×ÁÔØ ÑÄÒÏ
|
||
(<xref linkend="kernelconfig"/>).</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para>ðÏÎÉÍÁÔØ ÏÓÎÏ×ÎÙÅ ÐÒÉÎÃÉÐÙ ÂÅÚÏÐÁÓÎÏÓÔÉ × ÐÒÉÍÅÎÅÎÉÉ
|
||
Ë ÏÐÅÒÁÃÉÏÎÎÏÊ ÓÉÓÔÅÍÅ &os; (<xref linkend="security"/>).</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<warning>
|
||
<para>òÅÁÌÉÚÁÃÉÑ ÁÕÄÉÔÁ × &os; 6.2 - ÜËÓÐÅÒÉÍÅÎÔÁÌØÎÁÑ, ÉÓÐÏÌØÚÏ×ÁÎÉÅ
|
||
ÅÅ × ÒÅÁÌØÎÙÈ ÚÁÄÁÞÁÈ ÄÏÌÖÎÏ ÐÒÏÉÚ×ÏÄÉÔØÓÑ ÔÏÌØËÏ ÐÏÓÌÅ
|
||
×ÎÉÍÁÔÅÌØÎÏÇÏ ÏÚÎÁËÏÍÌÅÎÉÑ ÓÏ ×ÓÅÍÉ ÒÉÓËÁÍÉ, Ë ËÏÔÏÒÙÍ ÐÒÉ×ÏÄÉÔ
|
||
ÉÓÐÏÌØÚÏ×ÁÎÉÅ ÜËÓÐÅÒÉÍÅÎÔÁÌØÎÏÇÏ ÐÒÏÇÒÁÍÍÎÏÇÏ ÏÂÅÓÐÅÞÅÎÉÑ. ë
|
||
ÉÚ×ÅÓÔÎÙÍ ÏÇÒÁÎÉÞÅÎÉÑÍ ÏÔÎÏÓÉÔÓÑ É ÔÏÔ ÆÁËÔ, ÞÔÏ ÎÅ ×ÓÅ ÓÏÂÙÔÉÑ
|
||
× ÎÁÓÔÏÑÝÉÊ ÍÏÍÅÎÔ ÐÒÏÔÏËÏÌÉÒÕÅÍÙ. îÁÐÒÉÍÅÒ, ÎÅËÏÔÏÒÙÅ ÍÅÈÁÎÉÚÍÙ
|
||
×ÈÏÄÁ × ÓÉÓÔÅÍÕ (X11-ÏÓÎÏ×ÁÎÎÙÅ ÏËÏÎÎÙÅ ÍÅÎÅÄÖÅÒÙ, ÍÎÏÇÏÅ
|
||
ÐÒÏÇÒÁÍÍÎÏÅ ÏÂÅÓÐÅÞÅÎÉÅ ÏÔ ÓÔÏÒÏÎÎÉÈ ÐÒÏÉÚ×ÏÄÉÔÅÌÅÊ) ÎÅ
|
||
ÓËÏÎÆÉÇÕÒÉÒÏ×ÁÎÙ ÄÌÑ ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ ÓÏÂÙÔÉÊ ×ÈÏÄÁ × ÓÉÓÔÅÍÕ ÞÅÒÅÚ
|
||
ÐÏÄÓÉÓÔÅÍÕ ÁÕÄÉÔÁ.</para>
|
||
</warning>
|
||
|
||
<warning>
|
||
<para>éÓÐÏÌØÚÏ×ÁÎÉÅ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ ÍÏÖÅÔ ÐÒÉ×ÅÓÔÉ Ë ÇÅÎÅÒÉÒÏ×ÁÎÉÀ
|
||
ÏÇÒÏÍÎÙÈ ÖÕÒÎÁÌØÎÙÈ ÆÁÊÌÏ×: ÉÈ ÒÁÚÍÅÒ ÎÁ ÓÉÌØÎÏ ÚÁÇÒÕÖÅÎÎÙÈ ÓÅÒ×ÅÒÁÈ
|
||
× ÎÅËÏÔÏÒÙÈ ËÏÎÆÉÇÕÒÁÃÉÑÈ ÍÏÖÅÔ ÄÏÓÔÉÇÁÔØ ÎÅÓËÏÌØËÉÈ ÇÉÇÁÂÁÊÔ × ÎÅÄÅÌÀ.
|
||
áÄÍÉÎÉÓÔÒÁÔÏÒÙ ÄÏÌÖÎÙ ×ÎÉÍÁÔÅÌØÎÏ ÓÌÅÄÉÔØ ÚÁ ÄÉÓËÏ×ÙÍ ÐÒÏÓÔÒÁÎÓÔ×ÏÍ
|
||
× ÒÁÚÄÅÌÅ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ. îÁÐÒÉÍÅÒ, ÒÅËÏÍÅÎÄÕÅÔÓÑ ×ÙÄÅÌÉÔØ
|
||
ÏÔÄÅÌØÎÙÊ ÒÁÚÄÅÌ ÄÌÑ ÆÁÊÌÏ×ÏÊ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ
|
||
<filename>/var/audit</filename>, ÞÔÏÂÙ ÐÅÒÅÐÏÌÎÅÎÉÅ ÒÁÚÄÅÌÁ ÁÕÄÉÔÁ
|
||
ÎÅ ×ÌÉÑÌÏ ÎÁ ÒÁÂÏÔÏÓÐÏÓÏÂÎÏÓÔØ ×ÓÅÊ ÏÓÔÁÌØÎÏÊ ÓÉÓÔÅÍÙ.</para>
|
||
</warning>
|
||
|
||
</sect1>
|
||
|
||
<sect1 id="audit-inline-glossary">
|
||
<title>ëÌÀÞÅ×ÙÅ ÐÏÎÑÔÉÑ - ËÒÁÔËÉÊ ÓÌÏ×ÁÒØ</title>
|
||
|
||
<para>ðÅÒÅÄ ÞÔÅÎÉÅÍ ÜÔÏÊ ÇÌÁ×Ù ÎÅÏÂÈÏÄÉÍÏ ÏÐÒÅÄÅÌÉÔØ ÎÅÓËÏÌØËÏ
|
||
ËÌÀÞÅ×ÙÈ ÐÏÎÑÔÉÊ. üÔÏ ÎÕÖÎÏ ÄÌÑ ÔÏÇÏ, ÞÔÏÂÙ ÐÒÅÄÏÔ×ÒÁÔÉÔØ
|
||
ÎÅÄÏÒÁÚÕÍÅÎÉÑ, ËÏÔÏÒÙÅ ÍÏÇÕÔ ×ÏÚÎÉËÎÕÔØ ÉÚ-ÚÁ ÒÁÚÎÉÃÙ × ÔÒÁËÔÏ×ËÅ
|
||
ÎÅËÏÔÏÒÙÈ ÔÅÒÍÉÎÏ×. ÷ ÒÕÓÓËÏÊ ×ÅÒÓÉÉ ÄÏËÕÍÅÎÔÁ ÐÒÉ×ÏÄÑÔÓÑ
|
||
ÂÌÉÚËÉÊ ÐÏ ÓÍÙÓÌÕ ÐÅÒÅ×ÏÄ É × ÓËÏÂËÁÈ ÕËÁÚÙ×ÁÅÔÓÑ ÏÒÉÇÉÎÁÌØÎÙÊ
|
||
ÁÎÇÌÉÊÓËÉÊ ÔÅÒÍÉÎ.</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para><emphasis>ÓÏÂÙÔÉÅ</emphasis> (event): óÏÂÙÔÉÅ, ËÏÔÏÒÏÅ
|
||
ÍÏÖÅÔ ÂÙÔØ ÚÁÎÅÓÅÎÏ × ÖÕÒÎÁÌ. áÄÍÉÎÉÓÔÒÁÔÏÒ ÍÏÖÅÔ ×ÙÂÉÒÁÔØ,
|
||
ËÁËÉÅ ÉÍÅÎÎÏ ÓÏÂÙÔÉÑ ÂÕÄÕÔ ÖÕÒÎÁÌÉÒÏ×ÁÔØÓÑ ÐÏÄÓÉÓÔÅÍÏÊ
|
||
ÁÕÄÉÔÁ. óÐÉÓÏË ×ÁÖÎÙÈ ÄÌÑ ÂÅÚÏÐÁÓÎÏÓÔÉ ÓÉÓÔÅÍÙ
|
||
ÓÏÂÙÔÉÊ ×ËÌÀÞÁÅÔ: ÓÏÚÄÁÎÉÅ ÆÁÊÌÁ, ÉÎÉÃÉÁÌÉÚÁÃÉÀ ÓÅÔÅ×ÏÇÏ
|
||
ÓÏÅÄÉÎÅÎÉÑ, ×ÈÏÄ ÐÏÌØÚÏ×ÁÔÅÌÑ × ÓÉÓÔÅÍÕ. óÏÂÙÔÉÑ
|
||
ÒÁÚÄÅÌÑÀÔÓÑ ÎÁ <quote>ÐÒÉÐÉÓÙ×ÁÅÍÙÅ</quote> (attributable) -
|
||
ÔÅ, ËÏÔÏÒÙÅ ÍÏÇÕÔ ÂÙÔØ ÏÔÎÅÓÅÎÙ Ë ËÏÎËÒÅÔÎÏÍÕ ÐÏÌØÚÏ×ÁÔÅÌÀ -
|
||
É <quote>ÎÅ-ÐÒÉÐÉÓÙ×ÁÅÍÙÅ</quote> (non-attributable). ðÒÉÍÅÒ
|
||
ÎÅ-ÐÒÉÐÉÓÙ×ÁÅÍÏÇÏ ÓÏÂÙÔÉÑ - ÌÀÂÏÅ ÓÏÂÙÔÉÅ, ÐÒÏÉÚÏÛÅÄÛÅÅ ÄÏ
|
||
Á×ÔÏÒÉÚÁÃÉÉ ÐÏÌØÚÏ×ÁÔÅÌÑ, ÔÁËÏÅ, ËÁË ÎÅÕÄÁÞÎÙÊ ×ÈÏÄ ÐÏÌØÚÏ×ÁÔÅÌÑ
|
||
× ÓÉÓÔÅÍÕ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><emphasis>ëÌÁÓÓ</emphasis> (class): óÏÂÙÔÉÑ ÍÏÇÕÔ ÂÙÔØ
|
||
ÏÔÎÅÓÅÎÙ Ë ÏÄÎÏÍÕ ÉÌÉ ÂÏÌÅÅ ËÌÁÓÓÁÍ, ÏÂÙÞÎÏ ÏÓÎÏ×Ù×ÁÑÓØ
|
||
ÎÁ ËÁÔÅÇÏÒÉÉ ÓÏÂÙÔÉÑ: <quote>ÓÏÚÄÁÎÉÅ ÆÁÊÌÁ</quote> (fc),
|
||
<quote>ÄÏÓÔÕÐ Ë ÆÁÊÌÕ</quote> (fo),
|
||
<quote>×ÙÐÏÌÎÅÎÉÅ ÆÁÊÌÁ</quote> (ex), ÓÏÂÙÔÉÑ
|
||
×ÈÏÄÁ × ÓÉÓÔÅÍÕ É ×ÙÈÏÄÁ ÉÚ ÎÅÅ (lo).
|
||
éÓÐÏÌØÚÏ×ÁÎÉÅ ËÌÁÓÓÏ× ÐÏÚ×ÏÌÑÅÔ ÁÄÍÉÎÉÓÔÒÁÔÏÒÕ ÓÏÚÄÁ×ÁÔØ
|
||
×ÙÓÏËÏÕÒÏ×ÎÅ×ÙÅ ÐÒÁ×ÉÌÁ ÁÕÄÉÔÁ ÂÅÚ ÕËÁÚÁÎÉÑ ËÏÎËÒÅÔÎÙÈ
|
||
ÏÐÅÒÁÃÉÊ, ÏÔÞÅÔ Ï ËÏÔÏÒÙÈ ÄÏÌÖÅÎ ÄÏÂÁ×ÌÑÔØÓÑ × ÖÕÒÎÁÌ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><emphasis>úÁÐÉÓØ</emphasis> (record): <quote>úÁÐÉÓØ</quote> -
|
||
ÜÔÏ ÅÄÉÎÉÞÎÁÑ ÚÁÐÉÓØ × ÖÕÒÎÁÌÅ, ÏÐÉÓÙ×ÁÀÝÁÑ ÔÏ ÉÌÉ ÉÎÏÅ
|
||
ÓÏÂÙÔÉÅ. úÁÐÉÓØ ÏÂÙÞÎÏ ÓÏÄÅÒÖÉÔ ÉÎÆÏÒÍÁÃÉÀ Ï ÔÉÐÅ ÓÏÂÙÔÉÑ,
|
||
ÉÎÆÏÒÍÁÃÉÀ Ï ÓÕÂßÅËÔÅ ÓÏÂÙÔÉÑ (ÐÏÌØÚÏ×ÁÔÅÌÅ), ×ÒÅÍÑ ÓÏÂÙÔÉÑ,
|
||
ÉÎÆÏÒÍÁÃÉÀ Ï ÏÂßÅËÔÁÈ ÓÏÂÙÔÉÑ (ÎÁÐÒÉÍÅÒ, ÆÁÊÌÁÈ) É
|
||
ÉÎÆÏÒÍÁÃÉÀ Ï ÕÓÐÅÛÎÏÓÔÉ ×ÙÐÏÌÎÅÎÉÑ ÏÐÅÒÁÃÉÉ, ÐÏÒÏÄÉ×ÛÅÊ
|
||
ÓÏÂÙÔÉÅ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><emphasis>öÕÒÎÁÌ</emphasis> (trail):
|
||
<quote>ÖÕÒÎÁÌ</quote> ÁÕÄÉÔÁ, ÉÌÉ ÌÏÇ-ÆÁÊÌ -
|
||
ÓÏÄÅÒÖÉÔ ÓÅÒÉÀ <quote>ÚÁÐÉÓÅÊ</quote> Ï ÓÉÓÔÅÍÎÙÈ ÓÏÂÙÔÉÑÈ.
|
||
ëÁË ÐÒÁ×ÉÌÏ, ÖÕÒÎÁÌ ÓÏÄÅÒÖÉÔ ÚÁÐÉÓÉ × ÓÔÒÏÇÏÍ
|
||
ÈÒÏÎÏÌÏÇÉÞÅÓËÏÍ ÐÏÒÑÄËÅ ÐÏ ×ÒÅÍÅÎÉ ÚÁ×ÅÒÛÅÎÉÑ
|
||
ÓÏÂÙÔÉÑ. ôÏÌØËÏ Á×ÔÏÒÉÚÏ×ÁÎÎÙÅ ÐÒÏÃÅÓÓÙ (ÎÁÐÒÉÍÅÒ,
|
||
<command>auditd</command>) ÉÍÅÀÔ ÄÏÓÔÕÐ Ë ÖÕÒÎÁÌÕ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><emphasis>×ÙÒÁÖÅÎÉÅ ×ÙÄÅÌÅÎÉÑ</emphasis> (selection expression):
|
||
óÔÒÏËÁ, ÓÏÄÅÒÖÁÝÁÑ ÓÐÉÓÏË ÐÒÅÆÉËÓÏ× É ÉÍÅÎ ËÌÁÓÓÏ×, ÉÓÐÏÌØÚÕÅÍÁÑ
|
||
ÄÌÑ ×ÙÄÅÌÅÎÉÑ ÇÒÕÐÐÙ ÓÏÂÙÔÉÊ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><emphasis>ÐÒÅÄ×ÁÒÉÔÅÌØÎÏÅ ×ÙÄÅÌÅÎÉÅ</emphasis> (preselection):
|
||
ðÒÏÃÅÓÓ, ×Ï ×ÒÅÍÑ ËÏÔÏÒÏÇÏ ÓÉÓÔÅÍÁ ÏÐÒÅÄÅÌÑÅÔ, ËÁËÉÅ ÓÏÂÙÔÉÑ ÉÍÅÀÔ
|
||
ÐÒÉÏÒÉÔÅÔÎÕÀ ×ÁÖÎÏÓÔØ ÄÌÑ ÁÄÍÉÎÉÓÔÒÁÔÏÒÁ. üÔÏ ÎÅÏÂÈÏÄÉÍÏ ÄÌÑ ÔÏÇÏ,
|
||
ÞÔÏÂÙ ÉÚÂÅÖÁÔØ ÐÒÏÔÏËÏÌÉÒÏ×ÁÎÉÑ ÓÏÂÙÔÉÊ, ÎÅ ÉÍÅÀÝÉÈ ÎÉËÁËÏÊ ÚÎÁÞÉÍÏÓÔÉ.
|
||
ðÒÅÄ×ÁÒÉÔÅÌØÎÏÅ ×ÙÄÅÌÅÎÉÅ ÉÓÐÏÌØÚÕÅÔ ÒÑÄ
|
||
<emphasis>×ÙÒÁÖÅÎÉÊ ×ÙÄÅÌÅÎÉÑ</emphasis> ÄÌÑ ÔÏÇÏ, ÞÔÏÂÙ ÏÐÒÅÄÅÌÉÔØ,
|
||
ËÁËÉÅ ÉÍÅÎÎÏ ËÌÁÓÓÙ ÓÏÂÙÔÉÊ ÄÌÑ ËÁËÏÇÏ ÐÏÌØÚÏ×ÁÔÅÌÑ ÎÅÏÂÈÏÄÉÍÏ ×ÎÏÓÉÔØ
|
||
× ÖÕÒÎÁÌ, ÔÁË ÖÅ, ËÁË É ÄÌÑ Á×ÔÏÒÉÚÏ×ÁÎÎÙÈ É ÎÅÁ×ÔÏÒÉÚÏ×ÁÎÎÙÈ
|
||
ÐÒÏÃÅÓÓÏ×.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><emphasis>æÉÌØÔÒÁÃÉÑ</emphasis> (reduction):
|
||
ðÒÏÃÅÓÓ, × ÒÅÚÕÌØÔÁÔÅ ËÏÔÏÒÏÇÏ ÚÁÐÉÓÉ ÉÚ ÓÕÝÅÓÔ×ÕÀÝÅÇÏ ÖÕÒÎÁÌÁ
|
||
×ÙÄÅÌÑÀÔÓÑ ÄÌÑ ÈÒÁÎÅÎÉÑ, ÒÁÓÐÅÞÁÔËÉ ÉÌÉ ÁÎÁÌÉÚÁ. ðÒÏÃÅÓÓ ×Ï ÍÎÏÇÏÍ
|
||
ÁÎÁÌÏÇÉÞÅÎ <emphasis>ÐÒÅÄ×ÁÒÉÔÅÌØÎÏÍÕ ×ÙÄÅÌÅÎÉÀ</emphasis>. éÓÐÏÌØÚÕÑ
|
||
<emphasis>ÆÉÌØÔÒÁÃÉÀ</emphasis> ÁÄÍÉÎÉÓÔÒÁÔÏÒÙ ÍÏÇÕÔ ÒÅÁÌÉÚÏ×Ù×ÁÔØ
|
||
ÒÁÚÌÉÞÎÙÅ ÐÏÌÉÔÉËÉ ÈÒÁÎÅÎÉÑ ÖÕÒÎÁÌÏ× ÁÕÄÉÔÁ. îÁÐÒÉÍÅÒ, ÄÅÔÁÌÉÚÉÒÏ×ÁÎÎÙÊ
|
||
ÖÕÒÎÁÌ ÍÏÖÅÔ ÈÒÁÎÉÔØÓÑ ÍÅÓÑÃ, ÎÏ ÐÏÓÌÅ ÜÔÏÇÏ ÏÎ ÄÏÌÖÅÎ ÂÙÔØ ÓÏËÒÁÝÅÎ
|
||
ÞÔÏÂÙ ÈÒÁÎÉÔØ ÔÏÌØËÏ ÉÎÆÏÒÍÁÃÉÀ Ï ×ÈÏÄÅ × ÓÉÓÔÅÍÕ É ×ÙÈÏÄÅ ÉÚ ÎÅÅ
|
||
ÂÏÌÅÅ ÄÌÉÔÅÌØÎÙÊ ÓÒÏË.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</sect1>
|
||
|
||
<sect1 id="audit-install">
|
||
<title>õÓÔÁÎÏ×ËÁ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ</title>
|
||
|
||
<para>ðÏÌØÚÏ×ÁÔÅÌØÓËÁÑ ÞÁÓÔØ ÐÏÄÓÉÓÔÅÍÙ ÁÕÄÉÔÁ ÕÓÔÁÎÁ×ÌÉ×ÁÅÔÓÑ ËÁË ÞÁÓÔØ
|
||
ÂÁÚÏ×ÏÊ ÓÉÓÔÅÍÙ &os; ÎÁÞÉÎÁÑ Ó ×ÅÒÓÉÉ 6.2-RELEASE. ôÅÍ ÎÅ ÍÅÎÅÅ,
|
||
ÐÏÄÄÅÒÖËÁ ÁÕÄÉÔÁ ÄÏÌÖÎÁ ÂÙÔØ ÄÏÂÁ×ÌÅÎÁ × ÑÄÒÏ. üÔÏÇÏ
|
||
ÍÏÖÎÏ ÄÏÂÉÔØÓÑ, ÄÏÂÁ×É× ÓÌÅÄÕÀÝÕÀ ÓÔÒÏËÕ × ËÏÎÆÉÇÕÒÁÃÉÏÎÎÙÊ ÆÁÊÌ
|
||
×ÁÛÅÇÏ ÓÐÅÃÉÁÌØÎÏÇÏ ÑÄÒÁ:</para>
|
||
|
||
<programlisting>options AUDIT</programlisting>
|
||
|
||
<para>ðÒÏÃÅÓÓ ÓÂÏÒËÉ É ÕÓÔÁÎÏ×ËÉ ÑÄÒÁ ÐÏÄÒÏÂÎÏ ÏÐÉÓÁÎ × ÇÌÁ×Å
|
||
<xref linkend="kernelconfig"/>.</para>
|
||
|
||
<para>ðÏÓÌÅ ÜÔÏÇÏ, ÎÅÏÂÈÏÄÉÍÏ ÒÁÚÒÅÛÉÔØ ÚÁÐÕÓË ÄÅÍÏÎÁ ÁÕÄÉÔÁ,
|
||
ÄÏÂÁ×É× ÓÌÅÄÕÀÝÕÀ ÓÔÒÏËÕ × &man.rc.conf.5;:</para>
|
||
|
||
<programlisting>auditd_enable="YES"</programlisting>
|
||
|
||
<para>äÌÑ ÚÁÐÕÓËÁ ÄÅÍÏÎÁ ÓÏ ÓÐÅÃÉÆÉÞÅÓËÉÍÉ ÐÁÒÁÍÅÔÒÁÍÉ ÎÕÖÎÏ
|
||
ÕËÁÚÁÔØ ÜÔÉ ÐÁÒÁÍÅÔÒÙ × ÏÐÃÉÉ <option>auditd_flags</option>
|
||
ÆÁÊÌÁ &man.rc.conf.5;.</para>
|
||
</sect1>
|
||
|
||
<sect1 id="audit-config">
|
||
<title>îÁÓÔÒÏÊËÁ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ</title>
|
||
|
||
|
||
<para>÷ÓÅ ËÏÎÆÉÇÕÒÁÃÉÏÎÎÙÅ ÆÁÊÌÙ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ ÎÁÈÏÄÑÔÓÑ × ËÁÔÁÌÏÇÅ
|
||
<filename class="directory">/etc/security</filename>. ðÅÒÅÄ ÚÁÐÕÓËÏÍ
|
||
ÄÅÍÏÎÁ ÁÕÄÉÔÁ ÔÁÍ ÄÏÌÖÎÙ ÎÁÈÏÄÉÔØÓÑ ÓÌÅÄÕÀÝÉÅ ÆÁÊÌÙ:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para><filename>audit_class</filename> - óÏÄÅÒÖÉÔ ÏÐÒÅÄÅÌÅÎÉÑ
|
||
ËÌÁÓÓÏ× ÁÕÄÉÔÁ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>audit_control</filename> - ðÁÒÁÍÅÔÒÙ ÓÉÓÔÅÍÙ
|
||
ÁÕÄÉÔÁ: ËÌÁÓÓÙ ÐÏ ÕÍÏÌÞÁÎÉÀ, ÍÉÎÉÍÁÌØÎÏÅ ÄÉÓËÏ×ÏÅ
|
||
ÐÒÏÓÔÒÁÎÓÔ×Ï, ËÏÔÏÒÏÅ ÄÏÌÖÎÏ ÏÓÔÁ×ÁÔØÓÑ ÎÁ ÒÁÚÄÅÌÅ ÖÕÒÎÁÌÁ
|
||
ÁÕÄÉÔÁ, É ÄÒÕÇÉÅ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>audit_event</filename> - ïÐÒÅÄÅÌÑÅÔ ÏÓÎÏ×ÎÙÅ
|
||
ÓÏÂÙÔÉÑ ÁÕÄÉÔÁ. üÔÏ, × ÏÓÎÏ×ÎÏÍ, ÓÉÓÔÅÍÎÙÅ ×ÙÚÏ×Ù.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><filename>audit_user</filename> - óÏÂÙÔÉÑ ÁÕÄÉÔÁ ÄÌÑ
|
||
ÏÔÄÅÌØÎÙÈ ÐÏÌØÚÏ×ÁÔÅÌÅÊ. ðÏÌØÚÏ×ÁÔÅÌÉ, ÎÅ ÕÐÏÍÉÎÁÅÍÙÅ
|
||
× ÜÔÏÍ ÆÁÊÌÅ, ÂÕÄÕÔ ÒÁÓÓÍÁÔÒÉ×ÁÔØÓÑ ËÁË ÓÕÂßÅËÔÙ ËÏÎÆÉÇÕÒÁÃÉÉ
|
||
ÐÏ ÕÍÏÌÞÁÎÉÀ × ÆÁÊÌÅ <filename>audit_control</filename>.</para>
|
||
</listitem>
|
||
|
||
|
||
<listitem>
|
||
<para><filename>audit_warn</filename> - óËÒÉÐÔ ËÏÍÁÎÄÎÏÇÏ
|
||
ÉÎÔÅÒÐÒÅÔÁÔÏÒÁ Bourne Shell, ËÏÔÏÒÙÊ ÉÓÐÏÌØÚÕÅÔÓÑ, ÞÔÏÂÙ
|
||
ÓÇÅÎÅÒÉÒÏ×ÁÔØ ÐÒÅÄÕÐÒÅÖÄÁÀÝÉÅ ÓÏÏÂÝÅÎÉÑ Ï ÉÓËÌÀÞÉÔÅÌØÎÙÈ
|
||
ÓÉÔÕÁÃÉÑÈ, ÎÁÐÒÉÍÅÒ, ËÏÇÄÁ ÚÁËÁÎÞÉ×ÁÅÔÓÑ Ó×ÏÂÏÄÎÏÅ ÄÉÓËÏ×ÏÅ
|
||
ÐÒÏÓÔÒÁÎÓÔ×Ï ÄÌÑ ÚÁÐÉÓÅÊ ÖÕÒÎÁÌÏ× ÁÕÄÉÔÁ.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<sect2>
|
||
<title>æÏÒÍÁÔ ËÏÎÆÉÇÕÒÁÃÉÏÎÎÏÇÏ ÆÁÊÌÁ</title>
|
||
|
||
<para>æÏÒÍÁÔ ËÏÎÆÉÇÕÒÁÃÉÏÎÎÏÇÏ ÆÁÊÌÁ ÎÅ ÏÞÅÎØ ÌÏÇÉÞÅÎ, ÎÏ Ó ÎÉÍ, ÔÅÍ
|
||
ÎÅ ÍÅÎÅÅ, ÄÏÓÔÁÔÏÞÎÏ ÐÒÏÓÔÏ ÒÁÂÏÔÁÔØ. ïÄÎÁËÏ, ÁÄÍÉÎÉÓÔÒÁÔÏÒÁÍ
|
||
ÓÌÅÄÕÅÔ ÂÙÔØ ÏÞÅÎØ ×ÎÉÍÁÔÅÌØÎÙÍÉ ÐÒÉ ÉÚÍÅÎÅÎÉÉ ÚÎÁÞÅÎÉÊ ÐÏ
|
||
ÕÍÏÌÞÁÎÉÀ, ÐÏÓËÏÌØËÕ ÜÔÏ ÓÏÚÄÁÅÔ ÐÏÔÅÎÃÉÁÌØÎÕÀ ÏÐÁÓÎÏÓÔØ
|
||
ÎÅÐÒÁ×ÉÌØÎÏÇÏ ÓÂÏÒÁ ÄÁÎÎÙÈ ÓÉÓÔÅÍÏÊ ÁÕÄÉÔÁ.</para>
|
||
|
||
<para>÷ ËÏÎÆÉÇÕÒÁÃÉÏÎÎÏÍ ÆÁÊÌÅ ÍÏÇÕÔ ÉÓÐÏÌØÚÏ×ÁÔØÓÑ ËÁË ÐÏÌÎÙÅ,
|
||
ÔÁË É ÓÏËÒÁÝÅÎÎÙÅ ÐÁÒÁÍÅÔÒÙ. óÏÏÔ×ÅÔÓÔ×ÉÑ ÂÕÄÕÔ ÐÒÉ×ÅÄÅÎÙ
|
||
ÎÉÖÅ.</para>
|
||
|
||
<para>óÌÅÄÕÀÝÉÊ ÓÐÉÓÏË ÓÏÄÅÒÖÉÔ ×ÓÅ ËÌÁÓÓÙ ÐÏ ÕÍÏÌÞÁÎÉÀ,
|
||
ÐÒÉÓÕÔÓÔ×ÕÀÝÉÅ × ÆÁÊÌÅ <filename>audit_class</filename>:</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para><option>all</option> - <literal>all</literal> -
|
||
óÏÏÔ×ÅÔÓÔ×ÕÅÔ ×ÓÅÍ ËÌÁÓÓÁÍ ÓÏÂÙÔÉÊ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>ad</option> - <literal>administrative</literal>
|
||
- áÕÄÉÔ ÁÄÍÉÎÉÓÔÒÁÔÉ×ÎÙÈ ÄÅÊÓÔ×ÉÊ, ÐÒÏÉÚÏÛÅÄÛÉÈ ×
|
||
ÓÉÓÔÅÍÅ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>ap</option> - <literal>application</literal> -
|
||
áÕÄÉÔ ÓÏÂÙÔÉÑ, ×ÙÚ×ÁÎÎÏÇÏ ËÁËÉÍ-ÌÉÂÏ ÐÒÉÌÏÖÅÎÉÅÍ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>cl</option> - <literal>file_close</literal>
|
||
- áÕÄÉÔ ×ÙÚÏ×Ï× ÓÉÓÔÅÍÎÏÊ ÆÕÎËÃÉÉ
|
||
<function>close</function>.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>ex</option> - <literal>exec</literal> -
|
||
áÕÄÉÔ ÚÁÐÕÓËÁ ÐÒÉÌÏÖÅÎÉÑ. áÕÄÉÔ ÁÒÇÕÍÅÎÔÏ× ËÏÍÁÎÄÎÏÊ ÓÔÒÏËÉ É
|
||
ÐÅÒÅÍÅÎÎÙÈ ÏËÒÕÖÅÎÉÑ ËÏÎÔÒÏÌÉÒÕÅÔÓÑ ÞÅÒÅÚ &man.audit.control.5;
|
||
ÉÓÐÏÌØÚÕÑ ÐÁÒÁÍÅÔÒÙ <literal>argv</literal> É <literal>envv</literal>
|
||
× ÏÐÃÉÉ <literal>policy</literal>.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>fa</option> - <literal>file_attr_acc</literal>
|
||
- áÕÄÉÔ ÄÏÓÔÕÐÁ Ë ÁÔÒÉÂÕÔÁÍ ÏÂßÅËÔÏ× É ÉÈ ÉÚÍÅÎÅÎÉÀ,
|
||
ÎÁÐÒÉÍÅÒ ÞÅÒÅÚ &man.stat.1;, &man.pathconf.2;, Á
|
||
ÔÁËÖÅ ÐÏÄÏÂÎÙÈ ÜÔÉÍ ÓÏÂÙÔÉÊ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>fc</option> - <literal>file_creation</literal>
|
||
- áÕÄÉÔ ÓÏÂÙÔÉÊ, × ÒÅÚÕÌØÔÁÔÅ ËÏÔÏÒÙÈ ÓÏÚÄÁÀÔÓÑ
|
||
ÆÁÊÌÙ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>fd</option> - <literal>file_deletion</literal>
|
||
- áÕÄÉÔ ÓÏÂÙÔÉÊ, × ÒÅÚÕÌØÔÁÔÅ ËÏÔÏÒÙÈ ÕÄÁÌÑÀÔÓÑ
|
||
ÆÁÊÌÙ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>fm</option> - <literal>file_attr_mod</literal>
|
||
- áÕÄÉÔ ÓÏÂÙÔÉÊ, × ÒÅÚÕÌØÔÁÔÅ ËÏÔÏÒÙÈ ÉÚÍÅÎÑÀÔÓÑ
|
||
ÁÔÒÉÂÕÔÙ ÆÁÊÌÏ×, ÎÁÐÒÉÍÅÒ, &man.chown.8;,
|
||
&man.chflags.1;, &man.flock.2;.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>fr</option> - <literal>file_read</literal>
|
||
- áÕÄÉÔ ÓÏÂÙÔÉÊ, × ÒÅÚÕÌØÔÁÔÅ ËÏÔÏÒÙÈ ÐÒÏÉÓÈÏÄÉÔ
|
||
ÞÔÅÎÉÅ ÄÁÎÎÙÈ, ÏÔËÒÙ×ÁÀÔÓÑ ÆÁÊÌÙ ÎÁ ÞÔÅÎÉÅ É Ô.Ð.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>fw</option> - <literal>file_write</literal>
|
||
- áÕÄÉÔ ÓÏÂÙÔÉÊ, × ÒÅÚÕÌØÔÁÔÅ ËÏÔÏÒÙÈ ÐÒÏÉÓÈÏÄÉÔ
|
||
ÚÁÐÉÓØ ÄÁÎÎÙÈ, ÉÚÍÅÎÅÎÉÅ ÆÁÊÌÏ× É ÔÁË ÄÁÌÅÅ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>io</option> - <literal>ioctl</literal> -
|
||
áÕÄÉÔ ×ÙÚÏ×Ï× ÓÉÓÔÅÍÎÏÊ ÆÕÎËÃÉÉ &man.ioctl.2;.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>ip</option> - <literal>ipc</literal> -
|
||
áÕÄÉÔ ÒÁÚÌÉÞÎÙÈ ×ÉÄÏ× ×ÚÁÉÍÏÄÅÊÓÔ×ÉÑ ÐÒÏÃÅÓÓÏ×,
|
||
×ËÌÀÞÁÑ ÓÏÚÄÁÎÉÅ ÎÅ-ÉÍÅÎÏ×ÁÎÎÙÈ ËÁÎÁÌÏ× (pipe) É
|
||
×ÚÁÉÍÏÄÅÊÓÔ×ÉÅ ÐÒÏÃÅÓÓÏ× × ÓÔÉÌÅ System V
|
||
<acronym>IPC</acronym>.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>lo</option> - <literal>login_logout</literal> -
|
||
áÕÄÉÔ ÓÏÂÙÔÉÊ &man.login.1; É &man.logout.1;.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>na</option> - <literal>non_attrib</literal> -
|
||
áÕÄÉÔ ÎÅ-ÐÒÉÐÉÓÙ×ÁÅÍÙÈ ÓÏÂÙÔÉÊ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>no</option> - <literal>no_class</literal> -
|
||
ðÕÓÔÏÊ ËÌÁÓÓ, ÉÓÐÏÌØÚÕÅÔÓÑ ÄÌÑ ÏÔËÌÀÞÅÎÉÑ
|
||
ÁÕÄÉÔÁ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>nt</option> - <literal>network</literal> -
|
||
áÕÄÉÔ ÓÏÂÙÔÉÊ, Ó×ÑÚÁÎÎÙÈ Ó ÓÅÔÅ×ÙÍÉ ÐÏÄËÌÀÞÅÎÉÑÍÉ,
|
||
ÎÁÐÒÉÍÅÒ &man.connect.2; É &man.accept.2;.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>ot</option> - <literal>other</literal> -
|
||
áÕÄÉÔ ÓÏÂÙÔÉÊ, ÎÅ ×ÏÛÅÄÛÉÈ × ÄÒÕÇÉÅ ËÌÁÓÓÙ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><option>pc</option> - <literal>process</literal> -
|
||
áÕÄÉÔ ÄÅÊÓÔ×ÉÊ ÐÒÏÃÅÓÓÏ×, ÔÁËÉÈ ËÁË &man.exec.3; É
|
||
&man.exit.3;.</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
<para>üÔÉ ËÌÁÓÓÙ ÓÏÂÙÔÉÊ ÍÏÇÕÔ ÂÙÔØ ÎÁÓÔÒÏÅÎÙ ÉÚÍÅÎÅÎÉÅÍ ËÏÎÆÉÇÕÒÁÃÉÏÎÎÙÈ
|
||
ÆÁÊÌÏ× <filename>audit_class</filename> É
|
||
<filename>audit_event</filename>.</para>
|
||
|
||
<para>ëÁÖÄÙÊ ËÌÁÓÓ ËÏÍÂÉÎÉÒÕÅÔÓÑ Ó ÐÒÅÆÉËÓÏÍ, ÐÏËÁÚÙ×ÁÀÝÉÍ ÕÄÁÞÎÏÅ
|
||
ÉÌÉ ÎÅÕÄÁÞÎÏÅ ÚÁ×ÅÒÛÅÎÉÅ ÏÐÅÒÁÃÉÉ.</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para><literal>[ÐÕÓÔÏÊ ÐÒÅÆÉËÓ]</literal> - áÕÄÉÔ ÐÒÏ×ÏÄÉÔÓÑ ËÁË ÄÌÑ
|
||
ÕÓÐÅÛÎÏÇÏ, ÔÁË É ÄÌÑ ÏÛÉÂÏÞÎÏÇÏ ÓÏÂÙÔÉÑ. îÁÐÒÉÍÅÒ, ÐÒÏÓÔÏ
|
||
ÕËÁÚÁÎÉÅ ËÌÁÓÓÁ ÂÅÚ ÐÒÅÆÉËÓÁ ÐÒÉ×ÅÄÅÔ Ë ÚÁÎÅÓÅÎÉÀ ÓÏÂÙÔÉÑ
|
||
× ÖÕÒÎÁÌ ÐÒÉ ÌÀÂÏÍ ÒÅÚÕÌØÔÁÔÅ ÏÐÅÒÁÃÉÉ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><literal>+</literal> - áÕÄÉÔ ÔÏÌØËÏ ÕÓÐÅÛÎÙÈ
|
||
ÓÏÂÙÔÉÊ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><literal>-</literal> - áÕÄÉÔ ÔÏÌØËÏ ÏÛÉÂÏÞÎÙÈ
|
||
ÓÏÂÙÔÉÊ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><literal>^</literal> - ïÔËÌÀÞÅÎÉÅ ÁÕÄÉÔÁ ËÁË ÕÓÐÅÛÎÙÈ, ÔÁË É
|
||
ÏÛÉÂÏÞÎÙÈ ÓÏÂÙÔÉÊ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><literal>^-</literal> - ïÔËÌÀÞÅÎÉÅ ÁÕÄÉÔÁ ÏÛÉÂÏÞÎÙÈ
|
||
ÓÏÂÙÔÉÊ.</para>
|
||
</listitem>
|
||
|
||
<listitem>
|
||
<para><literal>^+</literal> - ÷ËÌÀÞÅÎÉÅ ÁÕÄÉÔÁ ÕÓÐÅÛÎÙÈ
|
||
ÓÏÂÙÔÉÊ.</para>
|
||
</listitem>
|
||
|
||
</itemizedlist>
|
||
|
||
<para>óÌÅÄÕÀÝÉÊ ÐÒÉÍÅÒ ×ÙÂÉÒÁÅÔ ÕÓÐÅÛÎÙÅ É ÎÅ-ÕÓÐÅÛÎÙÅ ÓÏÂÙÔÉÑ ×ÈÏÄÁ ×
|
||
ÓÉÓÔÅÍÕ É ×ÙÈÏÄÁ ÉÚ ÎÅÅ, É ÔÏÌØËÏ ÕÓÐÅÛÎÙÅ ÓÏÂÙÔÉÑ ÉÓÐÏÌÎÅÎÉÑ
|
||
ÆÁÊÌÁ:</para>
|
||
|
||
<programlisting>lo,+ex</programlisting>
|
||
</sect2>
|
||
|
||
<sect2>
|
||
<title>ëÏÎÆÉÇÕÒÁÃÉÏÎÎÙÅ ÆÁÊÌÙ</title>
|
||
|
||
<para>÷ ÂÏÌØÛÉÎÓÔ×Å ÓÌÕÞÁÅ× ÁÄÍÉÎÉÓÔÒÁÔÏÒÕ ÐÒÉÄ£ÔÓÑ ×ÎÏÓÉÔØ
|
||
ÉÚÍÅÎÅÎÉÑ ÔÏÌØËÏ × Ä×Á ËÏÎÆÉÇÕÒÁÃÉÏÎÎÙÈ ÆÁÊÌÁ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ:
|
||
<filename>audit_control</filename> É
|
||
<filename>audit_user</filename>. ðÅÒ×ÙÊ ÉÚ ÎÉÈ ÓÏÄÅÒÖÉÔ
|
||
ÏÂÝÉÅ ÎÁÓÔÒÏÊËÉ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ É ÕÓÔÁÎÏ×ËÉ ÐÏ ÕÍÏÌÞÁÎÉÀ ËÁË
|
||
ÄÌÑ ÐÒÉÐÉÓÙ×ÁÅÍÙÈ, ÔÁË É ÄÌÑ ÎÅ-ÐÒÉÐÉÓÙ×ÁÅÍÙÈ ÓÏÂÙÔÉÊ. ÷ÔÏÒÏÊ
|
||
ÉÓÐÏÌØÚÕÅÔÓÑ ÄÌÑ ÎÁÓÔÒÏÊËÉ ÁÕÄÉÔÁ ÐÏÌØÚÏ×ÁÔÅÌØÓËÉÈ ÓÏÂÙÔÉÊ.</para>
|
||
|
||
<sect3 id="audit-auditcontrol">
|
||
<title>æÁÊÌ <filename>audit_control</filename></title>
|
||
|
||
<para>æÁÊÌ <filename>audit_control</filename> ÓÏÄÅÒÖÉÔ
|
||
ÎÁÓÔÒÏÊËÉ ÐÏ ÕÍÏÌÞÁÎÉÀ, ËÏÔÏÒÙÅ, ×ÏÚÍÏÖÎÏ, ÐÏÔÒÅÂÕÅÔÓÑ
|
||
ÉÚÍÅÎÉÔØ. óÏÄÅÒÖÉÍÏÅ ÜÔÏÇÏ ÆÁÊÌÁ:</para>
|
||
|
||
<programlisting>dir:/var/audit
|
||
flags:lo
|
||
minfree:20
|
||
naflags:lo
|
||
policy:cnt
|
||
filesz:0</programlisting>
|
||
|
||
<para>ðÁÒÁÍÅÔÒ <option>dir</option> ÕËÁÚÙ×ÁÅÔ ËÁÔÁÌÏÇ, ×
|
||
ËÏÔÏÒÏÍ ÂÕÄÅÔ ÓÏÈÒÁÎÑÔØÓÑ ÖÕÒÎÁÌ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ. ëÁË
|
||
ÐÒÁ×ÉÌÏ, ÓÉÓÔÅÍÁ ÁÕÄÉÔÁ ËÏÎÆÉÇÕÒÉÒÕÅÔÓÑ ÔÁËÉÍ ÏÂÒÁÚÏÍ, ÞÔÏ
|
||
ÖÕÒÎÁÌ ÁÕÄÉÔÁ ÈÒÁÎÉÔÓÑ ÎÁ ÏÔÄÅÌØÎÏÍ ÒÁÚÄÅÌÅ, ÞÔÏÂÙ
|
||
ÐÒÅÄÏÔ×ÒÁÔÉÔØ ÓÂÏÉ × ÒÁÂÏÔÅ ÏÐÅÒÁÃÉÏÎÎÏÊ ÓÉÓÔÅÍÙ, ÅÓÌÉ
|
||
Ó×ÏÂÏÄÎÏÅ ÍÅÓÔÏ ÎÁ ÒÁÚÄÅÌÅ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ ÂÕÄÅÔ
|
||
ÉÓÞÅÒÐÁÎÏ.</para>
|
||
|
||
<para>ðÁÒÁÍÅÔÒ <option>flags</option> ÉÓÐÏÌØÚÕÅÔÓÑ ÄÌÑ
|
||
ÕÓÔÁÎÏ×ËÉ ÇÌÏÂÁÌØÎÙÈ ÏÐÃÉÊ. úÎÁÞÅÎÉÅ ÜÔÏÇÏ ÐÁÒÁÍÅÔÒÁ
|
||
<option>lo</option> ÎÁÓÔÒÁÉ×ÁÅÔ ÁÕÄÉÔ ÄÌÑ ×ÓÅÈ ÓÏÂÙÔÉÊ
|
||
&man.login.1; É &man.logout.1;. âÏÌÅÅ ÐÏÄÒÏÂÎÙÊ
|
||
ÐÒÉÍÅÒ:</para>
|
||
|
||
<programlisting>dir:/var/audit
|
||
flags:lo,ad,-all,^-fa,^-fc,^-cl
|
||
minfree:20
|
||
naflags:lo</programlisting>
|
||
|
||
<para>ôÁËÏÅ ÚÎÁÞÅÎÉÅ ÐÁÒÁÍÅÔÒÁ <option>flags</option>
|
||
ÐÒÉ×ÅÄÅÔ Ë ÁÕÄÉÔÕ ×ÓÅÈ ÓÏÂÙÔÉÊ &man.login.1; É
|
||
&man.logout.1;, ×ÓÅÈ ÁÄÍÉÎÉÓÔÒÁÔÉ×ÎÙÈ ÓÏÂÙÔÉÊ, ×ÓÅÈ ÏÛÉÂÏÞÎÙÈ
|
||
ÓÉÓÔÅÍÎÙÈ ÓÏÂÙÔÉÊ É, ÎÁËÏÎÅÃ, ÏÔËÌÀÞÁÅÔ ÁÕÄÉÔ ×ÓÅÈ ÏÛÉÂÏÞÎÙÈ
|
||
ÓÏÂÙÔÉÊ ËÌÁÓÓÏ× <option>fa</option>, <option>fc</option> É
|
||
<option>cl</option>. îÅÓÍÏÔÒÑ ÎÁ ÔÏ, ÞÔÏ ÐÁÒÁÍÅÔÒ
|
||
<option>-all</option> ÕËÁÚÙ×ÁÅÔ ÎÁ ÎÅÏÂÈÏÄÉÍÏÓÔØ ÁÕÄÉÔÁ
|
||
×ÓÅÈ ÏÛÉÂÏÞÎÙÈ ÓÉÓÔÅÍÎÙÈ ÓÏÂÙÔÉÊ, ÐÒÅÆÉËÓ <option>^-</option> ÏÔÍÅÎÑÅÔ
|
||
ÜÔÏ ÐÏ×ÅÄÅÎÉÅ ÄÌÑ ×ÓÅÈ ÐÏÓÌÅÄÕÀÝÉÈ ÏÐÃÉÊ.</para>
|
||
|
||
<para>úÁÍÅÔØÔÅ, ÞÔÏ ÚÎÁÞÅÎÉÑ ÓÞÉÔÙ×ÁÀÔÓÑ ÓÌÅ×Á ÎÁÐÒÁ×Ï.
|
||
ðÏÜÔÏÍÕ ÎÁÈÏÄÑÝÉÅÓÑ ÓÐÒÁ×Á ÚÎÁÞÅÎÉÑ ÐÅÒÅÏÐÒÅÄÅÌÑÀÔ ÚÎÁÞÅÎÉÑ,
|
||
ÎÁÈÏÄÑÝÉÅÓÑ ÓÌÅ×Á.</para>
|
||
|
||
<para>ðÁÒÁÍÅÔÒ <option>minfree</option> ÏÐÒÅÄÅÌÑÅÔ ÍÉÎÉÍÁÌØÎÏÅ
|
||
ÚÎÁÞÅÎÉÅ Ó×ÏÂÏÄÎÏÇÏ ÄÉÓËÏ×ÏÇÏ ÐÒÏÓÔÒÁÎÓÔ×Á ÎÁ ÒÁÚÄÅÌÅ, ×
|
||
ËÏÔÏÒÙÊ ÓÏÈÒÁÎÑÀÔÓÑ ÆÁÊÌÙ ÖÕÒÎÁÌÏ× ÁÕÄÉÔÁ. îÁÐÒÉÍÅÒ, ÅÓÌÉ
|
||
ÚÎÁÞÅÎÉÅ ÐÁÒÁÍÅÔÒÁ <option>dir</option> ÕÓÔÁÎÏ×ÌÅÎÏ ×
|
||
<filename class="directory">/var/audit</filename>, Á ÐÁÒÁÍÅÔÒ
|
||
<option>minfree</option> ÒÁ×ÅÎ Ä×ÁÄÃÁÔÉ (20), ÔÏ ÐÒÅÄÕÐÒÅÖÄÁÀÝÅÅ
|
||
ÓÏÏÂÝÅÎÉÅ ÂÕÄÅÔ ×ÙÄÁÎÏ, ËÏÇÄÁ ÒÁÚÄÅÌ <filename
|
||
class="directory">/var</filename> ÂÕÄÅÔ ÚÁÐÏÌÎÅÎ ÎÁ
|
||
×ÏÓÅÍØÄÅÓÑÔ (80%) ÐÒÏÃÅÎÔÏ×.</para>
|
||
|
||
<para>ðÁÒÁÍÅÔÒ <option>naflags</option> ÏÐÒÅÄÅÌÑÅÔ ËÌÁÓÓÙ
|
||
ÁÕÄÉÔÁ ÄÌÑ ÎÅ-ÐÒÉÐÉÓÙ×ÁÅÍÙÈ ÓÏÂÙÔÉÊ, ÔÏ ÅÓÔØ ÓÏÂÙÔÉÊ,
|
||
ÄÌÑ ËÏÔÏÒÙÈ ÎÅ ÏÐÒÅÄÅÌ£Î ËÏÎËÒÅÔÎÙÊ ÐÏÌØÚÏ×ÁÔÅÌØ.</para>
|
||
|
||
</sect3>
|
||
|
||
<sect3 id="audit-audituser">
|
||
<title>æÁÊÌ <filename>audit_user</filename></title>
|
||
|
||
<para>æÁÊÌ <filename>audit_user</filename> ÐÏÚ×ÏÌÑÅÔ
|
||
ÁÄÍÉÎÉÓÔÒÁÔÏÒÕ ÏÐÒÅÄÅÌÉÔØ ËÌÁÓÓÙ ÓÏÂÙÔÉÊ, ÁÕÄÉÔ ËÏÔÏÒÙÈ ÂÕÄÅÔ
|
||
ÐÒÏÉÚ×ÏÄÉÔØÓÑ ÄÌÑ ËÁÖÄÏÇÏ ÐÏÌØÚÏ×ÁÔÅÌÑ ÓÉÓÔÅÍÙ.</para>
|
||
|
||
<para>ðÏ ÕÍÏÌÞÁÎÉÀ ÆÁÊÌ <filename>audit_user</filename>
|
||
ÓÏÄÅÒÖÉÔ:</para>
|
||
|
||
<programlisting>root:lo:no
|
||
audit:fc:no</programlisting>
|
||
|
||
<para>ïÂÒÁÔÉÔÅ ×ÎÉÍÁÎÉÅ: ÐÏ ÕÍÏÌÞÁÎÉÀ ÐÒÏÉÚ×ÏÄÉÔÓÑ ÁÕÄÉÔ ×ÓÅÈ
|
||
<command>login</command>/<command>logout</command> ÓÏÂÙÔÉÊ É
|
||
ÏÔËÌÀÞÁÅÔÓÑ ÁÕÄÉÔ ×ÓÅÈ ÄÒÕÇÉÈ ÓÏÂÙÔÉÊ ÄÌÑ ÐÏÌØÚÏ×ÁÔÅÌÑ
|
||
<username>root</username>. üÔÁ ËÏÎÆÉÇÕÒÁÃÉÑ ÔÁËÖÅ ×ËÌÀÞÁÅÔ
|
||
ÁÕÄÉÔ ×ÓÅÈ ÓÏÂÙÔÉÊ, Ó×ÑÚÁÎÎÙÈ Ó ÓÏÚÄÁÎÉÅÍ ÆÁÊÌÏ× É ÏÔËÌÀÞÁÅÔ
|
||
ÁÕÄÉÔ ×ÓÅÈ ÄÒÕÇÉÈ ÓÏÂÙÔÉÊ ÄÌÑ ÐÏÌØÚÏ×ÁÔÅÌÑ
|
||
<username>audit</username>. èÏÔÑ ÉÓÐÏÌØÚÏ×ÁÎÉÅ ÓÉÓÔÅÍÙ
|
||
ÁÕÄÉÔÁ ÎÅ ÔÒÅÂÕÅÔ ÎÁÌÉÞÉÑ × ÓÉÓÔÅÍÅ ÓÐÅÃÉÁÌØÎÏÇÏ
|
||
ÐÏÌØÚÏ×ÁÔÅÌÑ, × ÎÅËÏÔÏÒÙÈ ËÏÎÆÉÇÕÒÁÃÉÑÈ, ÏÓÏÂÅÎÎÏ
|
||
ÉÓÐÏÌØÚÕÀÝÉÈ <acronym>MAC</acronym> (Mandatory Access
|
||
Control), ÜÔÏ ÍÏÖÅÔ ÂÙÔØ ÎÅÏÂÈÏÄÉÍÏ.</para>
|
||
|
||
</sect3>
|
||
</sect2>
|
||
</sect1>
|
||
|
||
<sect1 id="audit-administration">
|
||
<title>áÄÍÉÎÉÓÔÒÉÒÏ×ÁÎÉÅ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ</title>
|
||
|
||
<sect2>
|
||
<title>ðÒÏÓÍÏÔÒ ÖÕÒÎÁÌÁ ÁÕÄÉÔÁ</title>
|
||
|
||
<para>öÕÒÎÁÌ ÁÕÄÉÔÁ ÈÒÁÎÉÔÓÑ × ÂÉÎÁÒÎÏÍ ÆÏÒÍÁÔÅ BSM, ÐÏÜÔÏÍÕ ÄÌÑ
|
||
ÅÇÏ ÉÚÍÅÎÅÎÉÑ É ËÏÎ×ÅÒÔÁÃÉÉ × ÔÅËÓÔÏ×ÙÊ ÆÏÒÍÁÔ ÐÏÎÁÄÏÂÑÔÓÑ ÓÐÅÃÉÁÌØÎÙÅ
|
||
ÕÔÉÌÉÔÙ. ëÏÍÁÎÄÁ <command>praudit</command> ÐÒÅÏÂÒÁÚÕÅÔ ÖÕÒÎÁÌ ÁÕÄÉÔÁ
|
||
× ÔÅËÓÔÏ×ÙÊ ÆÏÒÍÁÔ; ËÏÍÁÎÄÁ <command>auditreduce</command> ÍÏÖÅÔ ÂÙÔØ
|
||
ÉÓÐÏÌØÚÏ×ÁÎÁ ÄÌÑ ÒÏÔÁÃÉÉ É ÆÉÌØÔÒÁÃÉÉ ÖÕÒÎÁÌÁ × ÃÅÌÑÈ ÁÎÁÌÉÚÁ,
|
||
ÁÒÈÉ×ÉÒÏ×ÁÎÉÑ ÉÌÉ ÒÁÓÐÅÞÁÔËÉ. ëÏÍÁÎÄÁ <command>auditreduce</command>
|
||
ÐÏÄÄÅÒÖÉ×ÁÅÔ ÍÎÏÖÅÓÔ×Ï ÐÁÒÁÍÅÔÒÏ× ×ÙÂÏÒËÉ, ×ËÌÀÞÁÑ ÔÉÐÙ ÓÏÂÙÔÉÊ, ËÌÁÓÓÙ
|
||
ÓÏÂÙÔÉÊ, ÐÏÌØÚÏ×ÁÔÅÌØÓËÉÅ ÓÏÂÙÔÉÑ, ÄÁÔÕ É ×ÒÅÍÑ ÓÏÂÙÔÉÊ É ÐÕÔÉ ÆÁÊÌÏ×,
|
||
Ë ËÏÔÏÒÙÍ ÏÔÎÏÓÑÔÓÑ ÓÏÂÙÔÉÑ.</para>
|
||
|
||
<para>îÁÐÒÉÍÅÒ, ÕÔÉÌÉÔÁ <command>praudit</command> ×Ù×ÅÄÅÔ ×ÓÅ ÓÏÄÅÒÖÉÍÏÅ
|
||
ÖÕÒÎÁÌÁ ÁÕÄÉÔÁ × ÔÅËÓÔÏ×ÏÍ ÆÏÒÍÁÔÅ:</para>
|
||
|
||
<screen>&prompt.root; <userinput>praudit /var/audit/AUDITFILE</userinput></screen>
|
||
|
||
<para>÷ ÄÁÎÎÏÍ ÐÒÉÍÅÒÅ <replaceable>AUDITFILE</replaceable> - ÖÕÒÎÁÌ,
|
||
ËÏÔÏÒÙÊ ÂÕÄÅÔ ×Ù×ÅÄÅÎ × ÔÅËÓÔÏ×ÏÍ ÆÏÒÍÁÔÅ.</para>
|
||
|
||
<para>öÕÒÎÁÌ ÁÕÄÉÔÁ ÓÏÓÔÏÉÔ ÉÚ ÓÅÒÉÉ ÚÁÐÉÓÅÊ, ËÏÔÏÒÙÅ, × Ó×ÏÀ
|
||
ÏÞÅÒÅÄØ ÓÏÓÔÏÑÔ ÉÚ ÜÌÅÍÅÎÔÏ×. üÔÉ ÜÌÅÍÅÎÔÙ ËÏÍÁÎÄÁ
|
||
<command>praudit</command> ×Ù×ÏÄÉÔ ÐÏÓÌÅÄÏ×ÁÔÅÌØÎÏ - ÐÏ ÏÄÎÏÍÕ ÎÁ ÓÔÒÏËÕ.
|
||
ëÁÖÄÙÊ ÜÌÅÍÅÎÔ ÉÍÅÅÔ ÓÐÅÃÉÆÉÞÅÓËÉÊ ÔÉÐ, ÎÁÐÒÉÍÅÒ
|
||
<literal>ÚÁÇÏÌÏ×ÏË</literal> (header) ÓÏÄÅÒÖÉÔ ÚÁÇÏÌÏ×ÏË ÚÁÐÉÓÉ, Á
|
||
<literal>ÐÕÔØ</literal> (path) - ÐÕÔØ Ë ÆÁÊÌÕ, Ë ËÏÔÏÒÏÍÕ ÏÔÎÏÓÉÔÓÑ ÚÁÐÉÓØ.
|
||
óÌÅÄÕÀÝÉÊ ÐÒÉÍÅÒ ÐÏËÁÚÙ×ÁÅÔ ÚÁÐÉÓØ ÄÌÑ ÓÏÂÙÔÉÑ ×ÙÐÏÌÎÅÎÉÑ
|
||
(execve):</para>
|
||
|
||
<programlisting>header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
|
||
exec arg,finger,doug
|
||
path,/usr/bin/finger
|
||
attribute,555,root,wheel,90,24918,104944
|
||
subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
|
||
return,success,0
|
||
trailer,133</programlisting>
|
||
|
||
<para>üÔÁ ÚÁÐÉÓØ Ñ×ÌÑÅÔÓÑ ÒÅÚÕÌØÔÁÔÏÍ ÕÓÐÅÛÎÏÇÏ ×ÙÐÏÌÎÅÎÉÑ ÓÉÓÔÅÍÎÏÇÏ
|
||
×ÙÚÏ×Á <literal>execve</literal>, ËÏÔÏÒÙÊ ÓÔÁÌ ÒÅÚÕÌØÔÁÔÏÍ ×ÙÐÏÌÎÅÎÉÑ
|
||
ËÏÍÁÎÄÙ <literal>finger doug</literal>. üÌÅÍÅÎÔ <literal>exec</literal> ÓÏÄÅÒÖÉÔ É
|
||
ËÏÍÁÎÄÕ, ËÏÔÏÒÕÀ ÏÂÏÌÏÞËÁ ÐÅÒÅÄÁÌÁ ÑÄÒÕ, É ÅÅ ÁÒÇÕÍÅÎÔÙ. üÌÅÍÅÎÔ
|
||
<literal>ÐÕÔØ</literal> (path) ÓÏÄÅÒÖÉÔ ÐÕÔØ Ë ÉÓÐÏÌÎÑÅÍÏÍÕ ÆÁÊÌÕ ×
|
||
ÐÒÅÄÓÔÁ×ÌÅÎÉÉ ÑÄÒÁ. üÌÅÍÅÎÔ <literal>ÁÔÒÉÂÕÔ</literal> (attribute)
|
||
ÏÐÉÓÙ×ÁÅÔ ÉÓÐÏÌÎÑÅÍÙÊ ÆÁÊÌ, É, × ÞÁÓÔÎÏÓÔÉ, ÐÒÁ×Á ÄÏÓÔÕÐÁ Ë ÆÁÊÌÕ.
|
||
üÌÅÍÅÎÔ <literal>ÓÕÂßÅËÔ</literal> (subject) ÏÐÉÓÙ×ÁÅÔ ÐÒÏÃÅÓÓ, ×ÙÚ×Á×ÛÉÊ
|
||
×ÙÐÏÌÎÅÎÉÅ É ÓÏÈÒÁÎÑÅÔ ÅÇÏ × ×ÉÄÅ ÒÑÄÁ ÚÎÁÞÅÎÉÊ, ÐÒÅÄÓÔÁ×ÌÑÀÝÉÈ ÓÏÂÏÊ
|
||
UID ÁÕÄÉÒÕÅÍÏÇÏ ÐÏÌØÚÏ×ÁÔÅÌÑ, ÉÓÐÏÌÎÑÀÝÉÅ (effective) UID É GID,
|
||
ÒÅÁÌØÎÙÅ (real) UID É GID, ÉÄÅÎÔÉÆÉËÁÔÏÒ ÐÒÏÃÅÓÓÁ, ÉÄÅÎÔÉÆÉËÁÔÏÒ ÓÅÓÓÉÉ,
|
||
ÐÏÒÔ É ÁÄÒÅÓ, Ó ËÏÔÏÒÏÇÏ ÂÙÌ ÏÓÕÝÅÓÔ×ÌÅÎ ×ÈÏÄ × ÓÉÓÔÅÍÕ.
|
||
ïÂÒÁÔÉÔÅ ×ÎÉÍÁÎÉÅ - ÉÄÅÎÔÉÆÉËÁÔÏÒ ÁÕÄÉÒÕÅÍÏÇÏ ÐÏÌØÚÏ×ÁÔÅÌÑ É ÒÅÁÌØÎÙÊ
|
||
ÉÄÅÎÔÉÆÉËÁÔÏÒ ÐÏÌØÚÏ×ÁÔÅÌÑ ÏÔÌÉÞÁÀÔÓÑ: ÜÔÏ ÚÎÁÞÉÔ, ÞÔÏ ÐÏÌØÚÏ×ÁÔÅÌØ
|
||
<literal>robert</literal> ÐÏ×ÙÓÉÌ ÐÒÉ×ÉÌÅÇÉÉ ÄÏ ÐÏÌØÚÏ×ÁÔÅÌÑ
|
||
<literal>root</literal> ÐÅÒÅÄ ×ÙÐÏÌÎÅÎÉÅÍ ËÏÍÁÎÄÙ, ÎÏ ÓÉÓÔÅÍÁ ÁÕÄÉÔÁ
|
||
ÚÁÎÅÓÌÁ ÅÇÏ ÄÅÊÓÔ×ÉÑ × ÖÕÒÎÁÌ ÉÓÐÏÌØÚÕÑ ÉÚÎÁÞÁÌØÎÙÊ ÉÄÅÎÔÉÆÉËÁÔÏÒ.
|
||
îÁËÏÎÅÃ, ÜÌÅÍÅÎÔ <literal>×ÏÚ×ÒÁÔ</literal> (return) ÏÐÉÓÙ×ÁÅÔ ÕÓÐÅÛÎÏÅ
|
||
ÚÁ×ÅÒÛÅÎÉÅ ÏÐÅÒÁÃÉÉ Ó ËÏÄÏÍ ÚÁ×ÅÒÛÅÎÉÑ 0, Á ÜÌÅÍÅÎÔ
|
||
<literal>trailer</literal> ÚÁ×ÅÒÛÁÅÔ ÚÁÐÉÓØ.</para>
|
||
|
||
</sect2>
|
||
|
||
<sect2>
|
||
<title>æÉÌØÔÒÁÃÉÑ ÖÕÒÎÁÌÏ× ÁÕÄÉÔÁ</title>
|
||
|
||
<para>ðÏÓËÏÌØËÕ ÌÏÇÉ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ ÍÏÇÕÔ ÉÍÅÔØ ÏÇÒÏÍÎÙÊ ÒÁÚÍÅÒ,
|
||
ÁÄÍÉÎÉÓÔÒÁÔÏÒÕ, ÚÁÞÁÓÔÕÀ, ÎÅÏÂÈÏÄÉÍÏ ×ÙÄÅÌÉÔØ ÔÏÌØËÏ ÞÁÓÔØ ÚÁÐÉÓÅÊ.
|
||
îÁÐÒÉÍÅÒ, ÚÁÐÉÓÉ, ÏÔÎÏÓÑÝÉÅÓÑ Ë ÏÐÒÅÄÅÌÅÎÎÏÍÕ ÐÏÌØÚÏ×ÁÔÅÌÀ:</para>
|
||
|
||
<screen>&prompt.root; <userinput>auditreduce -u trhodes /var/audit/AUDITFILE | praudit</userinput></screen>
|
||
|
||
<para>üÔÁ ËÏÍÁÎÄÁ ×ÙÄÅÌÉÔ ×ÓÅ ÚÁÐÉÓÉ, ÏÔÎÏÓÑÝÉÅÓÑ Ë ÐÏÌØÚÏ×ÁÔÅÌÀ
|
||
<username>trhodes</username>, ËÏÔÏÒÙÅ ÈÒÁÎÑÔÓÑ × ÆÁÊÌÅ
|
||
<filename><replaceable>AUDITFILE</replaceable></filename>.</para>
|
||
</sect2>
|
||
|
||
<sect2>
|
||
<title>äÅÌÅÇÉÒÏ×ÁÎÉÅ ÐÒÁ× ÐÒÏÓÍÏÔÒÁ ÖÕÒÎÁÌÁ</title>
|
||
|
||
<para>þÌÅÎÙ ÇÒÕÐÐÙ <groupname>audit</groupname> ÉÍÅÀÔ ÄÏÓÔÕÐ ÎÁ ÞÔÅÎÉÅ
|
||
Ë ÖÕÒÎÁÌÕ ÁÕÄÉÔÁ, ÎÁÈÏÄÑÝÅÍÕÓÑ × <filename>/var/audit</filename>;
|
||
ÐÏ ÕÍÏÌÞÁÎÉÀ ÜÔÁ ÇÒÕÐÐÁ ÐÕÓÔÁ, É ÔÏÌØËÏ <username>root</username>
|
||
ÉÍÅÅÔ Ë ÎÉÍ ÄÏÓÔÕÐ. äÌÑ ÔÏÇÏ, ÞÔÏÂÙ ÐÅÒÅÄÁÔØ ÐÏÌØÚÏ×ÁÔÅÌÀ ÐÒÁ×Á ÎÁ
|
||
ÞÔÅÎÉÅ ÖÕÒÎÁÌÁ, ÅÇÏ ÎÅÏÂÈÏÄÉÍÏ ÄÏÂÁ×ÉÔØ × ÇÒÕÐÐÕ <groupname>audit</groupname>.
|
||
ðÒÁ×Ï ÎÁ ÞÔÅÎÉÅ ÖÕÒÎÁÌÁ ÁÕÄÉÔÁ ÐÏÚ×ÏÌÑÅÔ ÐÏÌÕÞÉÔØ ÍÎÏÖÅÓÔ×Ï
|
||
ÉÎÆÏÒÍÁÃÉÉ Ï ÐÏ×ÅÄÅÎÉÉ ÐÏÌØÚÏ×ÁÔÅÌÅÊ É ÐÒÏÃÅÓÓÏ×, ÞÔÏ ÍÏÖÅÔ ÐÒÉ×ÅÓÔÉ Ë
|
||
ÒÁÓËÒÙÔÉÀ ËÏÎÆÉÄÅÎÃÉÁÌØÎÙÈ ÄÁÎÎÙÈ. ðÏÜÔÏÍÕ, ÒÅËÏÍÅÎÄÕÅÔÓÑ ÄÅÌÅÇÉÒÏ×ÁÔØ
|
||
ÐÒÁ×Á ÎÁ ÞÔÅÎÉÅ ÖÕÒÎÁÌÁ ÁÕÄÉÔÁ Ó ÂÏÌØÛÏÊ ÏÓÔÏÒÏÖÎÏÓÔØÀ.</para>
|
||
</sect2>
|
||
|
||
<sect2>
|
||
<title>íÏÎÉÔÏÒÉÎÇ ÓÉÓÔÅÍÙ × ÒÅÁÌØÎÏÍ ×ÒÅÍÅÎÉ</title>
|
||
|
||
<para>ðÏÔÏËÉ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ - ËÌÏÎÉÒÏ×ÁÎÎÙÅ ÐÓÅ×ÄÏ-ÕÓÔÒÏÊÓÔ×Á,
|
||
ÉÓÐÏÌØÚÕÑ ËÏÔÏÒÙÅ, ÐÒÉÌÏÖÅÎÉÑ ÍÏÇÕÔ ÐÏÌÕÞÁÔØ ÉÎÆÏÒÍÁÃÉÀ Ï ÓÉÓÔÅÍÎÙÈ
|
||
ÓÏÂÙÔÉÑÈ × ÒÅÁÌØÎÏÍ ×ÒÅÍÅÎÉ. ÷ ÐÅÒ×ÕÀ ÏÞÅÒÅÄØ, ÜÔÏ ÄÏÌÖÎÏ
|
||
ÚÁÉÎÔÅÒÅÓÏ×ÁÔØ Á×ÔÏÒÏ× ÐÒÏÇÒÁÍÍ ÄÌÑ ÍÏÎÉÔÏÒÉÎÇÁ É ÏÐÒÅÄÅÌÅÎÉÑ
|
||
×ÔÏÒÖÅÎÉÊ × ÓÉÓÔÅÍÕ. ôÅÍ ÎÅ ÍÅÎÅÅ, ÄÌÑ ÁÄÍÉÎÉÓÔÒÁÔÏÒÁ ÐÏÔÏËÉ
|
||
ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ ÍÏÇÕÔ ÓÔÁÔØ ÕÄÏÂÎÙÍ ÉÎÓÔÒÕÍÅÎÔÏÍ ÄÌÑ ÍÏÎÉÔÏÒÉÎÇÁ
|
||
× ÒÅÁÌØÎÏÍ ×ÒÅÍÅÎÉ ÂÅÚ ÔÏÇÏ, ÞÔÏÂÙ ×ÄÁ×ÁÔØÓÑ × ÄÅÔÁÌÉ ÏÂÅÓÐÅÞÅÎÉÑ
|
||
ÂÅÚÏÐÁÓÎÏÓÔÉ ÐÒÉ ÐÅÒÅÄÁÞÅ ÐÒÁ× ÎÁ ÞÔÅÎÉÅ ÖÕÒÎÁÌÁ ÁÕÄÉÔÁ. äÌÑ ÔÏÇÏ,
|
||
ÞÔÏÂÙ ÐÏÌÕÞÉÔØ ÐÏÔÏË ÓÏÂÙÔÉÊ × ÒÅÁÌØÎÏÍ ×ÒÅÍÅÎÉ ÉÓÐÏÌØÚÕÊÔÅ
|
||
ÓÌÅÄÕÀÝÕÀ ËÏÍÁÎÄÕ:</para>
|
||
|
||
<screen>&prompt.root; <userinput>praudit /dev/auditpipe</userinput></screen>
|
||
|
||
<para>ðÏ ÕÍÏÌÞÁÎÉÀ, ÐÏÔÏËÉ ÄÏÓÔÕÐÎÙ ÔÏÌØËÏ ÐÏÌØÚÏ×ÁÔÅÌÀ <username>root</username>. þÔÏÂÙ
|
||
ÓÄÅÌÁÔØ ÉÈ ÄÏÓÔÕÐÎÙÍÉ ÞÌÅÎÁÍ ÇÒÕÐÐÙ <groupname>audit</groupname> ÄÏÂÁ×ØÔÅ
|
||
ÐÒÁ×ÉÌÏ <literal>devfs</literal> × ÆÁÊÌ
|
||
<filename>devfs.rules</filename>:</para>
|
||
|
||
<programlisting>add path 'auditpipe*' mode 0440 group audit</programlisting>
|
||
|
||
<para>óÍÏÔÒÉÔÅ ÓÔÒÁÎÉÃÕ ÓÐÒÁ×ÏÞÎÉËÁ &man.devfs.rules.5; ÄÌÑ ÂÏÌÅÅ ÐÏÌÎÏÊ
|
||
ÉÎÆÏÒÍÁÃÉÉ Ï ÎÁÓÔÒÏÊËÅ ÆÁÊÌÏ×ÏÊ ÓÉÓÔÅÍÙ devfs.</para>
|
||
|
||
<warning>
|
||
<para>ðÒÉ ÎÅÏÓÔÏÒÏÖÎÏÍ ÉÓÐÏÌØÚÏ×ÁÎÉÉ ×ÏÚÍÏÖÎÏ ×ÏÚÎÉËÎÏ×ÅÎÉÅ ÂÅÓËÏÎÅÞÎÙÈ
|
||
ÃÉËÌÏ× ÓÏÂÙÔÉÊ. îÁÐÒÉÍÅÒ, ÅÓÌÉ ÁÕÄÉÔÕ ÐÏÄ×ÅÒÇÁÀÔÓÑ ×ÓÅ ÏÐÅÒÁÃÉÉ
|
||
ÓÅÔÅ×ÏÇÏ ××ÏÄÁ-×Ù×ÏÄÁ, É ËÏÍÁÎÄÁ <command>praudit</command>
|
||
ÚÁÐÕÝÅÎÁ ×Ï ×ÒÅÍÑ SSH-ÓÅÓÓÉÉ, ÔÏ ÌÀÂÏÅ ÓÏÂÙÔÉÅ ÐÏÒÏÄÉÔ ×Ù×ÏÄ
|
||
ÓÏÏÂÝÅÎÉÑ, ËÏÔÏÒÏÅ × Ó×ÏÀ ÏÞÅÒÅÄØ ÔÏÖÅ ÂÕÄÅÔ ÓÏÂÙÔÉÅÍ É ÔÁË ÄÏ
|
||
ÂÅÓËÏÎÅÞÎÏÓÔÉ. òÁÚÕÍÎÅÅ ÂÕÄÅÔ ÎÅ ÚÁÐÕÓËÁÔØ <command>praudit</command>
|
||
ÎÁ ÐÏÔÏËÅ ÓÏÂÙÔÉÊ ÉÚ ÓÅÓÓÉÉ, ËÏÔÏÒÁÑ ÄÅÔÁÌØÎÏ ÖÕÒÎÁÌÉÒÕÅÔÓÑ.</para>
|
||
</warning>
|
||
</sect2>
|
||
|
||
<sect2>
|
||
<title>òÏÔÁÃÉÑ ÖÕÒÎÁÌØÎÙÈ ÆÁÊÌÏ× ÁÕÄÉÔÁ</title>
|
||
|
||
<para>öÕÒÎÁÌ ÁÕÄÉÔÁ ÐÉÛÅÔÓÑ ÔÏÌØËÏ ÑÄÒÏÍ É ÕÐÒÁ×ÌÑÅÔÓÑ ÔÏÌØËÏ ÄÅÍÏÎÏÍ
|
||
ÁÕÄÉÔÁ <application>auditd</application>. áÄÍÉÎÉÓÔÒÁÔÏÒÙ ÎÅ ÄÏÌÖÎÙ ÐÙÔÁÔØÓÑ
|
||
ÉÓÐÏÌØÚÏ×ÁÔØ &man.newsyslog.conf.5; ÉÌÉ ÄÒÕÇÉÅ ÉÎÓÔÒÕÍÅÎÔÙ ÄÌÑ
|
||
ÐÒÑÍÏÊ ÒÏÔÁÃÉÉ ÌÏÇÏ×. ÷ÍÅÓÔÏ ÜÔÏÇÏ, ÄÌÑ ÐÒÅËÒÁÝÅÎÉÑ ÁÕÄÉÔÁ,
|
||
ÒÅËÏÎÆÉÇÕÒÁÃÉÉ É ÒÏÔÁÃÉÉ ÖÕÒÎÁÌØÎÙÈ ÆÁÊÌÏ× ÄÏÌÖÎÁ ÉÓÐÏÌØÚÏ×ÁÔØÓÑ
|
||
ËÏÍÁÎÄÁ <command>audit</command>. óÌÅÄÕÀÝÁÑ ËÏÍÁÎÄÁ ÐÒÉ×ÅÄÅÔ Ë
|
||
ÓÏÚÄÁÎÉÀ ÎÏ×ÏÇÏ ÖÕÒÎÁÌØÎÏÇÏ ÆÁÊÌÁ É ÄÁÓÔ ËÏÍÁÎÄÕ ÑÄÒÕ ÐÅÒÅËÌÀÞÉÔØÓÑ
|
||
ÎÁ ÚÁÐÉÓØ × ÜÔÏÔ ÆÁÊÌ. ðÒÏÔÏËÏÌÉÒÏ×ÁÎÉÅ × ÓÔÁÒÙÊ ÆÁÊÌ ÂÕÄÅÔ ÐÒÅËÒÁÝÅÎÏ, Á
|
||
ÓÁÍ ÆÁÊÌ - ÐÅÒÅÉÍÅÎÏ×ÁÎ. üÔÏ ÒÅËÏÍÅÎÄÏ×ÁÎÎÙÊ ÓÐÏÓÏÂ ÒÏÔÁÃÉÉ
|
||
ÖÕÒÎÁÌØÎÙÈ ÆÁÊÌÏ×.</para>
|
||
|
||
<screen>&prompt.root; <userinput>audit -n</userinput></screen>
|
||
|
||
<warning>
|
||
<para>åÓÌÉ ÄÅÍÏÎ <application>auditd</application> ÎÅ ÚÁÐÕÝÅÎ, ÔÏ ÜÔÁ ËÏÍÁÎÄÁ
|
||
ÏËÏÎÞÉÔÓÑ ÎÅÕÄÁÞÅÊ É ÂÕÄÅÔ ×Ù×ÅÄÅÎÏ ÓÏÏÂÝÅÎÉÅ Ï ÏÛÉÂËÅ.</para>
|
||
</warning>
|
||
|
||
<para>äÏÂÁ×ÌÅÎÉÅ ÓÌÅÄÕÀÝÅÊ ÓÔÒÏËÉ × ÆÁÊÌ
|
||
<filename>/etc/crontab</filename> ÐÒÉ×ÅÄÅÔ Ë ÐÒÉÎÕÄÉÔÅÌØÎÏÊ ÒÏÔÁÃÉÉ
|
||
ËÁÖÄÙÅ Ä×ÅÎÁÄÃÁÔØ ÞÁÓÏ× ÞÅÒÅÚ &man.cron.8;:</para>
|
||
|
||
<programlisting>0 */12 * * * root /usr/sbin/audit -n</programlisting>
|
||
|
||
<para>éÚÍÅÎÅÎÉÑ ×ÓÔÕÐÑÔ × ÓÉÌÕ ÐÏÓÌÅ ÓÏÈÒÁÎÅÎÉÑ ÆÁÊÌÁ
|
||
<filename>/etc/crontab</filename>.</para>
|
||
|
||
<para>á×ÔÏÍÁÔÉÞÅÓËÁÑ ÒÏÔÁÃÉÑ ÖÕÒÎÁÌØÎÙÈ ÆÁÊÌÏ× ×ÏÚÍÏÖÎÁ ÐÒÉ ÉÓÐÏÌØÚÏ×ÁÎÉÉ
|
||
ÏÐÃÉÉ <option>filesz</option> × ÆÁÊÌÅ
|
||
&man.audit.control.5;, É ÏÐÉÓÁÎÁ × ÓÅËÃÉÉ
|
||
<quote>æÏÒÍÁÔ ËÏÎÆÉÇÕÒÁÃÉÏÎÎÏÇÏ ÆÁÊÌÁ</quote>.</para>
|
||
</sect2>
|
||
|
||
<sect2>
|
||
<title>óÖÁÔÉÅ ÖÕÒÎÁÌØÎÙÈ ÆÁÊÌÏ×</title>
|
||
|
||
<para>ðÏÓËÏÌØËÕ ÖÕÒÎÁÌØÎÙÅ ÆÁÊÌÙ ÍÏÇÕÔ ÄÏÓÔÉÇÁÔØ ÏÞÅÎØ ÂÏÌØÛÉÈ ÒÁÚÍÅÒÏ×,
|
||
ÍÏÖÅÔ ×ÏÚÎÉËÎÕÔØ ÎÅÏÂÈÏÄÉÍÏÓÔØ ÓÖÉÍÁÔØ ÉÈ × ÃÅÌÑÈ ÈÒÁÎÅÎÉÑ ÓÒÁÚÕ ÖÅ
|
||
ÐÏÓÌÅ ÚÁËÒÙÔÉÑ ÉÈ ÄÅÍÏÎÏÍ <command>auditd</command>. äÌÑ ×ÙÐÏÌÎÅÎÉÑ
|
||
ÏÐÒÅÄÅÌÅÎÎÙÈ ÐÏÌØÚÏ×ÁÔÅÌÅÍ ÄÅÊÓÔ×ÉÊ ÓÏÏÔ×ÅÔÓÔ×ÕÀÝÉÈ ÒÁÚÎÏÏÂÒÁÚÎÙÍ
|
||
ÓÏÂÙÔÉÑÍ ÓÉÓÔÅÍÙ ÁÕÄÉÔÁ, ×ËÌÀÞÁÑ ÎÏÒÍÁÌØÎÏÅ ÚÁ×ÅÒÛÅÎÉÅ ÒÁÂÏÔÙ ÓÉÓÔÅÍÙ
|
||
ÁÕÄÉÔÁ É ÆÉÌØÔÒÁÃÉÀ ÖÕÒÎÁÌØÎÙÈ ÆÁÊÌÏ×, ÍÏÖÅÔ ÂÙÔØ ÉÓÐÏÌØÚÏ×ÁÎ ÓËÒÉÐÔ
|
||
<filename>audit_warn</filename>. îÁÐÒÉÍÅÒ, ÄÏÂÁ×ÌÅÎÉÅ ÓÌÅÄÕÀÝÉÈ ÓÔÒÏË
|
||
× ÆÁÊÌ <filename>audit_warn</filename> ÐÒÉ×ÅÄÅÔ Ë ÓÖÁÔÉÀ ÆÁÊÌÁ
|
||
ÐÏÓÌÅ ÅÇÏ ÚÁËÒÙÔÉÑ:</para>
|
||
|
||
<programlisting>#
|
||
# Compress audit trail files on close.
|
||
#
|
||
if [ "$1" = closefile ]; then
|
||
gzip -9 $2
|
||
fi</programlisting>
|
||
|
||
<para>ðÒÉÍÅÒÁÍÉ ÄÒÕÇÉÈ ÄÅÊÓÔ×ÉÊ ÍÏÇÕÔ ÂÙÔØ ËÏÐÉÒÏ×ÁÎÉÅ ÆÁÊÌÏ× × ÍÅÓÔÏ ÉÈ
|
||
ÐÏÓÌÅÄÕÀÝÅÇÏ ÈÒÁÎÅÎÉÑ, ÕÄÁÌÅÎÉÅ ÓÔÁÒÙÈ ÖÕÒÎÁÌØÎÙÈ ÆÁÊÌÏ×, ÆÉÌØÔÒÁÃÉÑ
|
||
ÖÕÒÎÁÌØÎÙÈ ÆÁÊÌÏ× ÄÌÑ ÕÄÁÌÅÎÉÑ ÎÅÎÕÖÎÙÈ ÚÁÐÉÓÅÊ. óËÒÉÐÔ
|
||
<filename>audit_warn</filename> ÂÕÄÅÔ ÚÁÐÕÝÅÎ ÔÏÌØËÏ ÐÒÉ
|
||
ËÏÒÒÅËÔÎÏÍ ÚÁËÒÙÔÉÉ ÖÕÒÎÁÌÁ ÓÉÓÔÅÍÏÊ ÁÕÄÉÔÁ É ÎÅ ÚÁÐÕÓÔÉÔÓÑ
|
||
ÄÌÑ ÖÕÒÎÁÌØÎÙÈ ÆÁÊÌÏ×, ÚÁÐÉÓØ × ËÏÔÏÒÙÅ ÂÙÌÁ ÐÒÅËÒÁÝÅÎÁ ×
|
||
ÒÅÚÕÌØÔÁÔÅ ÎÅËÏÒÒÅËÔÎÏÇÏ ÚÁ×ÅÒÛÅÎÉÑ.</para>
|
||
</sect2>
|
||
</sect1>
|
||
</chapter>
|