diff options
Diffstat (limited to 'documentation/content/en/books/handbook/audit/_index.po')
-rw-r--r-- | documentation/content/en/books/handbook/audit/_index.po | 1212 |
1 files changed, 1212 insertions, 0 deletions
diff --git a/documentation/content/en/books/handbook/audit/_index.po b/documentation/content/en/books/handbook/audit/_index.po new file mode 100644 index 0000000000..cfcb9f5639 --- /dev/null +++ b/documentation/content/en/books/handbook/audit/_index.po @@ -0,0 +1,1212 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR The FreeBSD Project +# This file is distributed under the same license as the FreeBSD Documentation package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: FreeBSD Documentation VERSION\n" +"POT-Creation-Date: 2023-07-15 16:41-0300\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. type: YAML Front Matter: description +#: documentation/content/en/books/handbook/audit/_index.adoc:1 +#, no-wrap +msgid "FreeBSD security event auditing supports reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access" +msgstr "" + +#. type: YAML Front Matter: part +#: documentation/content/en/books/handbook/audit/_index.adoc:1 +#, no-wrap +msgid "Part III. System Administration" +msgstr "" + +#. type: YAML Front Matter: title +#: documentation/content/en/books/handbook/audit/_index.adoc:1 +#, no-wrap +msgid "Chapter 19. Security Event Auditing" +msgstr "" + +#. type: Title = +#: documentation/content/en/books/handbook/audit/_index.adoc:14 +#, no-wrap +msgid "Security Event Auditing" +msgstr "" + +#. type: Title == +#: documentation/content/en/books/handbook/audit/_index.adoc:52 +#, no-wrap +msgid "Synopsis" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:58 +msgid "" +"The FreeBSD operating system includes support for security event auditing. " +"Event auditing supports reliable, fine-grained, and configurable logging of " +"a variety of security-relevant system events, including logins, " +"configuration changes, and file and network access. These log records can " +"be invaluable for live system monitoring, intrusion detection, and " +"postmortem analysis. FreeBSD implements Sun(TM)'s published Basic Security " +"Module (BSM) Application Programming Interface (API) and file format, and is " +"interoperable with the Solaris(TM) and Mac OS(R) X audit implementations." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:61 +msgid "" +"This chapter focuses on the installation and configuration of event " +"auditing. It explains audit policies and provides an example audit " +"configuration." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:63 +msgid "After reading this chapter, you will know:" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:65 +msgid "What event auditing is and how it works." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:66 +msgid "How to configure event auditing on FreeBSD for users and processes." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:67 +msgid "" +"How to review the audit trail using the audit reduction and review tools." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:69 +msgid "Before reading this chapter, you should:" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:71 +msgid "" +"Understand UNIX(R) and FreeBSD basics (crossref:basics[basics,FreeBSD " +"Basics])." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:72 +msgid "" +"Be familiar with the basics of kernel configuration/compilation (crossref:" +"kernelconfig[kernelconfig,Configuring the FreeBSD Kernel])." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:73 +msgid "" +"Have some familiarity with security and how it pertains to FreeBSD (crossref:" +"security[security,Security])." +msgstr "" + +#. type: delimited block = 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:78 +msgid "" +"The audit facility has some known limitations. Not all security-relevant " +"system events are auditable and some login mechanisms, such as Xorg-based " +"display managers and third-party daemons, do not properly configure auditing " +"for user login sessions." +msgstr "" + +#. type: delimited block = 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:83 +msgid "" +"The security event auditing facility is able to generate very detailed logs " +"of system activity. On a busy system, trail file data can be very large " +"when configured for high detail, exceeding gigabytes a week in some " +"configurations. Administrators should take into account the disk space " +"requirements associated with high volume audit configurations. For example, " +"it may be desirable to dedicate a file system to [.filename]#/var/audit# so " +"that other file systems are not affected if the audit file system becomes " +"full." +msgstr "" + +#. type: Title == +#: documentation/content/en/books/handbook/audit/_index.adoc:86 +#, no-wrap +msgid "Key Terms" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:89 +msgid "The following terms are related to security event auditing:" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:91 +msgid "" +"_event_: an auditable event is any event that can be logged using the audit " +"subsystem. Examples of security-relevant events include the creation of a " +"file, the building of a network connection, or a user logging in. Events are " +"either \"attributable\", meaning that they can be traced to an authenticated " +"user, or \"non-attributable\". Examples of non-attributable events are any " +"events that occur before authentication in the login process, such as bad " +"password attempts." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:92 +msgid "" +"_class_: a named set of related events which are used in selection " +"expressions. Commonly used classes of events include \"file creation\" (fc), " +"\"exec\" (ex), and \"login_logout\" (lo)." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:93 +msgid "" +"_record_: an audit log entry describing a security event. Records contain a " +"record event type, information on the subject (user) performing the action, " +"date and time information, information on any objects or arguments, and a " +"success or failure condition." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:94 +msgid "" +"_trail_: a log file consisting of a series of audit records describing " +"security events. Trails are in roughly chronological order with respect to " +"the time events completed. Only authorized processes are allowed to commit " +"records to the audit trail." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:95 +msgid "" +"_selection expression_: a string containing a list of prefixes and audit " +"event class names used to match events." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:96 +msgid "" +"_preselection_: the process by which the system identifies which events are " +"of interest to the administrator. The preselection configuration uses a " +"series of selection expressions to identify which classes of events to audit " +"for which users, as well as global settings that apply to both authenticated " +"and unauthenticated processes." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:97 +msgid "" +"_reduction_: the process by which records from existing audit trails are " +"selected for preservation, printing, or analysis. Likewise, the process by " +"which undesired audit records are removed from the audit trail. Using " +"reduction, administrators can implement policies for the preservation of " +"audit data. For example, detailed audit trails might be kept for one month, " +"but after that, trails might be reduced in order to preserve only login " +"information for archival purposes." +msgstr "" + +#. type: Title == +#: documentation/content/en/books/handbook/audit/_index.adoc:99 +#, no-wrap +msgid "Audit Configuration" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:103 +msgid "" +"User space support for event auditing is installed as part of the base " +"FreeBSD operating system. Kernel support is available in the [." +"filename]#GENERIC# kernel by default, and man:auditd[8] can be enabled by " +"adding the following line to [.filename]#/etc/rc.conf#:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:107 +#, no-wrap +msgid "auditd_enable=\"YES\"\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:110 +msgid "Then, start the audit daemon:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:114 +#, no-wrap +msgid "# service auditd start\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:117 +msgid "" +"Users who prefer to compile a custom kernel must include the following line " +"in their custom kernel configuration file:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:121 +#, no-wrap +msgid "options\tAUDIT\n" +msgstr "" + +#. type: Title === +#: documentation/content/en/books/handbook/audit/_index.adoc:123 +#, no-wrap +msgid "Event Selection Expressions" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:128 +msgid "" +"Selection expressions are used in a number of places in the audit " +"configuration to determine which events should be audited. Expressions " +"contain a list of event classes to match. Selection expressions are " +"evaluated from left to right, and two expressions are combined by appending " +"one onto the other." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:130 +msgid "<<event-selection>> summarizes the default audit event classes:" +msgstr "" + +#. type: Block title +#: documentation/content/en/books/handbook/audit/_index.adoc:132 +#, no-wrap +msgid "Default Audit Event Classes" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:136 +#, no-wrap +msgid "Class Name" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:137 +#, no-wrap +msgid "Description" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:139 +#: documentation/content/en/books/handbook/audit/_index.adoc:232 +#, no-wrap +msgid "Action" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:140 +#: documentation/content/en/books/handbook/audit/_index.adoc:141 +#, no-wrap +msgid "all" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:143 +#, no-wrap +msgid "Match all event classes." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:144 +#, no-wrap +msgid "aa" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:145 +#, no-wrap +msgid "authentication and authorization" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:148 +#, no-wrap +msgid "ad" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:149 +#, no-wrap +msgid "administrative" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:151 +#, no-wrap +msgid "Administrative actions performed on the system as a whole." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:152 +#, no-wrap +msgid "ap" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:153 +#, no-wrap +msgid "application" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:155 +#, no-wrap +msgid "Application defined action." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:156 +#, no-wrap +msgid "cl" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:157 +#, no-wrap +msgid "file close" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:159 +#, no-wrap +msgid "Audit calls to the `close` system call." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:160 +#, no-wrap +msgid "ex" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:161 +#, no-wrap +msgid "exec" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:163 +#, no-wrap +msgid "Audit program execution. Auditing of command line arguments and environmental variables is controlled via man:audit_control[5] using the `argv` and `envv` parameters to the `policy` setting." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:164 +#, no-wrap +msgid "fa" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:165 +#, no-wrap +msgid "file attribute access" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:167 +#, no-wrap +msgid "Audit the access of object attributes such as man:stat[1] and man:pathconf[2]." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:168 +#, no-wrap +msgid "fc" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:169 +#, no-wrap +msgid "file create" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:171 +#, no-wrap +msgid "Audit events where a file is created as a result." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:172 +#, no-wrap +msgid "fd" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:173 +#, no-wrap +msgid "file delete" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:175 +#, no-wrap +msgid "Audit events where file deletion occurs." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:176 +#, no-wrap +msgid "fm" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:177 +#, no-wrap +msgid "file attribute modify" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:179 +#, no-wrap +msgid "Audit events where file attribute modification occurs, such as by man:chown[8], man:chflags[1], and man:flock[2]." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:180 +#, no-wrap +msgid "fr" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:181 +#, no-wrap +msgid "file read" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:183 +#, no-wrap +msgid "Audit events in which data is read or files are opened for reading." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:184 +#, no-wrap +msgid "fw" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:185 +#, no-wrap +msgid "file write" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:187 +#, no-wrap +msgid "Audit events in which data is written or files are written or modified." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:188 +#, no-wrap +msgid "io" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:189 +#, no-wrap +msgid "ioctl" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:191 +#, no-wrap +msgid "Audit use of the `ioctl` system call." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:192 +#, no-wrap +msgid "ip" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:193 +#, no-wrap +msgid "ipc" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:195 +#, no-wrap +msgid "Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:196 +#, no-wrap +msgid "lo" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:197 +#, no-wrap +msgid "login_logout" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:199 +#, no-wrap +msgid "Audit man:login[1] and man:logout[1] events." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:200 +#, no-wrap +msgid "na" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:201 +#, no-wrap +msgid "non attributable" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:203 +#, no-wrap +msgid "Audit non-attributable events." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:204 +#, no-wrap +msgid "no" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:205 +#, no-wrap +msgid "invalid class" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:207 +#, no-wrap +msgid "Match no audit events." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:208 +#, no-wrap +msgid "nt" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:209 +#, no-wrap +msgid "network" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:211 +#, no-wrap +msgid "Audit events related to network actions such as man:connect[2] and man:accept[2]." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:212 +#, no-wrap +msgid "ot" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:213 +#, no-wrap +msgid "other" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:215 +#, no-wrap +msgid "Audit miscellaneous events." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:216 +#, no-wrap +msgid "pc" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:217 +#, no-wrap +msgid "process" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:218 +#, no-wrap +msgid "Audit process operations such as man:exec[3] and man:exit[3]." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:221 +msgid "" +"These audit event classes may be customized by modifying the [." +"filename]#audit_class# and [.filename]#audit_event# configuration files." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:224 +msgid "" +"Each audit event class may be combined with a prefix indicating whether " +"successful/failed operations are matched, and whether the entry is adding or " +"removing matching for the class and type. <<event-prefixes>> summarizes the " +"available prefixes:" +msgstr "" + +#. type: Block title +#: documentation/content/en/books/handbook/audit/_index.adoc:226 +#, no-wrap +msgid "Prefixes for Audit Event Classes" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:230 +#, no-wrap +msgid "Prefix" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:233 +#, no-wrap +msgid "+" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:235 +#, no-wrap +msgid "Audit successful events in this class." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:236 +#, no-wrap +msgid "-" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:238 +#, no-wrap +msgid "Audit failed events in this class." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:239 +#, no-wrap +msgid "^" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:241 +#, no-wrap +msgid "Audit neither successful nor failed events in this class." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:242 +#, no-wrap +msgid "^+" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:244 +#, no-wrap +msgid "Do not audit successful events in this class." +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:245 +#, no-wrap +msgid "^-" +msgstr "" + +#. type: Table +#: documentation/content/en/books/handbook/audit/_index.adoc:246 +#, no-wrap +msgid "Do not audit failed events in this class." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:249 +msgid "" +"If no prefix is present, both successful and failed instances of the event " +"will be audited." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:251 +msgid "" +"The following example selection string selects both successful and failed " +"login/logout events, but only successful execution events:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:255 +#, no-wrap +msgid "lo,+ex\n" +msgstr "" + +#. type: Title === +#: documentation/content/en/books/handbook/audit/_index.adoc:257 +#, no-wrap +msgid "Configuration Files" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:260 +msgid "" +"The following configuration files for security event auditing are found in [." +"filename]#/etc/security#:" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:262 +msgid "" +"[.filename]#audit_class#: contains the definitions of the audit classes." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:263 +msgid "" +"[.filename]#audit_control#: controls aspects of the audit subsystem, such as " +"default audit classes, minimum disk space to leave on the audit log volume, " +"and maximum audit trail size." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:264 +msgid "" +"[.filename]#audit_event#: textual names and descriptions of system audit " +"events and a list of which classes each event is in." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:265 +msgid "" +"[.filename]#audit_user#: user-specific audit requirements to be combined " +"with the global defaults at login." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:266 +msgid "" +"[.filename]#audit_warn#: a customizable shell script used by man:auditd[8] " +"to generate warning messages in exceptional situations, such as when space " +"for audit records is running low or when the audit trail file has been " +"rotated." +msgstr "" + +#. type: delimited block = 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:270 +msgid "" +"Audit configuration files should be edited and maintained carefully, as " +"errors in configuration may result in improper logging of events." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:274 +msgid "" +"In most cases, administrators will only need to modify [." +"filename]#audit_control# and [.filename]#audit_user#. The first file " +"controls system-wide audit properties and policies and the second file may " +"be used to fine-tune auditing by user." +msgstr "" + +#. type: Title ==== +#: documentation/content/en/books/handbook/audit/_index.adoc:276 +#, no-wrap +msgid "The [.filename]#audit_control# File" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:279 +msgid "" +"A number of defaults for the audit subsystem are specified in [." +"filename]#audit_control#:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:290 +#, no-wrap +msgid "" +"dir:/var/audit\n" +"dist:off\n" +"flags:lo,aa\n" +"minfree:5\n" +"naflags:lo,aa\n" +"policy:cnt,argv\n" +"filesz:2M\n" +"expire-after:10M\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:295 +msgid "" +"The `dir` entry is used to set one or more directories where audit logs will " +"be stored. If more than one directory entry appears, they will be used in " +"order as they fill. It is common to configure audit so that audit logs are " +"stored on a dedicated file system, in order to prevent interference between " +"the audit subsystem and other subsystems if the file system fills." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:297 +msgid "" +"If the `dist` field is set to `on` or `yes`, hard links will be created to " +"all trail files in [.filename]#/var/audit/dist#." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:300 +msgid "" +"The `flags` field sets the system-wide default preselection mask for " +"attributable events. In the example above, successful and failed login/" +"logout events as well as authentication and authorization are audited for " +"all users." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:302 +msgid "" +"The `minfree` entry defines the minimum percentage of free space for the " +"file system where the audit trail is stored." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:304 +msgid "" +"The `naflags` entry specifies audit classes to be audited for non-attributed " +"events, such as the login/logout process and authentication and " +"authorization." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:308 +msgid "" +"The `policy` entry specifies a comma-separated list of policy flags " +"controlling various aspects of audit behavior. The `cnt` indicates that the " +"system should continue running despite an auditing failure (this flag is " +"highly recommended). The other flag, `argv`, causes command line arguments " +"to the man:execve[2] system call to be audited as part of command execution." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:312 +msgid "" +"The `filesz` entry specifies the maximum size for an audit trail before " +"automatically terminating and rotating the trail file. A value of `0` " +"disables automatic log rotation. If the requested file size is below the " +"minimum of 512k, it will be ignored and a log message will be generated." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:314 +msgid "" +"The `expire-after` field specifies when audit log files will expire and be " +"removed." +msgstr "" + +#. type: Title ==== +#: documentation/content/en/books/handbook/audit/_index.adoc:316 +#, no-wrap +msgid "The [.filename]#audit_user# File" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:320 +msgid "" +"The administrator can specify further audit requirements for specific users " +"in [.filename]#audit_user#. Each line configures auditing for a user via " +"two fields: the `alwaysaudit` field specifies a set of events that should " +"always be audited for the user, and the `neveraudit` field specifies a set " +"of events that should never be audited for the user." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:323 +msgid "" +"The following example entries audit login/logout events and successful " +"command execution for `root` and file creation and successful command " +"execution for `www`. If used with the default [.filename]#audit_control#, " +"the `lo` entry for `root` is redundant, and login/logout events will also be " +"audited for `www`." +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:328 +#, no-wrap +msgid "" +"root:lo,+ex:no\n" +"www:fc,+ex:no\n" +msgstr "" + +#. type: Title == +#: documentation/content/en/books/handbook/audit/_index.adoc:331 +#, no-wrap +msgid "Working with Audit Trails" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:337 +msgid "" +"Since audit trails are stored in the BSM binary format, several built-in " +"tools are available to modify or convert these trails to text. To convert " +"trail files to a simple text format, use `praudit`. To reduce the audit " +"trail file for analysis, archiving, or printing purposes, use " +"`auditreduce`. This utility supports a variety of selection parameters, " +"including event type, event class, user, date or time of the event, and the " +"file path or object acted on." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:339 +msgid "" +"For example, to dump the entire contents of a specified audit log in plain " +"text:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:343 +#, no-wrap +msgid "# praudit /var/audit/AUDITFILE\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:346 +msgid "Where _AUDITFILE_ is the audit log to dump." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:350 +msgid "" +"Audit trails consist of a series of audit records made up of tokens, which " +"`praudit` prints sequentially, one per line. Each token is of a specific " +"type, such as `header` (an audit record header) or `path` (a file path from " +"a name lookup). The following is an example of an `execve` event:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:360 +#, no-wrap +msgid "" +"header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec\n" +"exec arg,finger,doug\n" +"path,/usr/bin/finger\n" +"attribute,555,root,wheel,90,24918,104944\n" +"subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100\n" +"return,success,0\n" +"trailer,133\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:369 +msgid "" +"This audit represents a successful `execve` call, in which the command " +"`finger doug` has been run. The `exec arg` token contains the processed " +"command line presented by the shell to the kernel. The `path` token holds " +"the path to the executable as looked up by the kernel. The `attribute` " +"token describes the binary and includes the file mode. The `subject` token " +"stores the audit user ID, effective user ID and group ID, real user ID and " +"group ID, process ID, session ID, port ID, and login address. Notice that " +"the audit user ID and real user ID differ as the user `robert` switched to " +"the `root` account before running this command, but it is audited using the " +"original authenticated user. The `return` token indicates the successful " +"execution and the `trailer` concludes the record." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:371 +msgid "" +"XML output format is also supported and can be selected by including `-x`." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:374 +msgid "" +"Since audit logs may be very large, a subset of records can be selected " +"using `auditreduce`. This example selects all audit records produced for " +"the user `trhodes` stored in [.filename]#AUDITFILE#:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:378 +#, no-wrap +msgid "# auditreduce -u trhodes /var/audit/AUDITFILE | praudit\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:384 +msgid "" +"Members of the `audit` group have permission to read audit trails in [." +"filename]#/var/audit#. By default, this group is empty, so only the `root` " +"user can read audit trails. Users may be added to the `audit` group in " +"order to delegate audit review rights. As the ability to track audit log " +"contents provides significant insight into the behavior of users and " +"processes, it is recommended that the delegation of audit review rights be " +"performed with caution." +msgstr "" + +#. type: Title === +#: documentation/content/en/books/handbook/audit/_index.adoc:385 +#, no-wrap +msgid "Live Monitoring Using Audit Pipes" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:391 +msgid "" +"Audit pipes are cloning pseudo-devices which allow applications to tap the " +"live audit record stream. This is primarily of interest to authors of " +"intrusion detection and system monitoring applications. However, the audit " +"pipe device is a convenient way for the administrator to allow live " +"monitoring without running into problems with audit trail file ownership or " +"log rotation interrupting the event stream. To track the live audit event " +"stream:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:395 +#, no-wrap +msgid "# praudit /dev/auditpipe\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:399 +msgid "" +"By default, audit pipe device nodes are accessible only to the `root` user. " +"To make them accessible to the members of the `audit` group, add a `devfs` " +"rule to [.filename]#/etc/devfs.rules#:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:403 +#, no-wrap +msgid "add path 'auditpipe*' mode 0440 group audit\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:406 +msgid "" +"See man:devfs.rules[5] for more information on configuring the devfs file " +"system." +msgstr "" + +#. type: delimited block = 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:412 +msgid "" +"It is easy to produce audit event feedback cycles, in which the viewing of " +"each audit event results in the generation of more audit events. For " +"example, if all network I/O is audited, and `praudit` is run from an SSH " +"session, a continuous stream of audit events will be generated at a high " +"rate, as each event being printed will generate another event. For this " +"reason, it is advisable to run `praudit` on an audit pipe device from " +"sessions without fine-grained I/O auditing." +msgstr "" + +#. type: Title === +#: documentation/content/en/books/handbook/audit/_index.adoc:414 +#, no-wrap +msgid "Rotating and Compressing Audit Trail Files" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:421 +msgid "" +"Audit trails are written to by the kernel and managed by the audit daemon, " +"man:auditd[8]. Administrators should not attempt to use man:newsyslog." +"conf[5] or other tools to directly rotate audit logs. Instead, `audit` " +"should be used to shut down auditing, reconfigure the audit system, and " +"perform log rotation. The following command causes the audit daemon to " +"create a new audit log and signal the kernel to switch to using the new " +"log. The old log will be terminated and renamed, at which point it may then " +"be manipulated by the administrator:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:425 +#, no-wrap +msgid "# audit -n\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:428 +msgid "" +"If man:auditd[8] is not currently running, this command will fail and an " +"error message will be produced." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:430 +msgid "" +"Adding the following line to [.filename]#/etc/crontab# will schedule this " +"rotation every twelve hours:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:434 +#, no-wrap +msgid "0 */12 * * * root /usr/sbin/audit -n\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:437 +msgid "The change will take effect once [.filename]#/etc/crontab# is saved." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:439 +msgid "" +"Automatic rotation of the audit trail file based on file size is possible " +"using `filesz` in [.filename]#audit_control# as described in <<audit-" +"auditcontrol>>." +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:443 +msgid "" +"As audit trail files can become very large, it is often desirable to " +"compress or otherwise archive trails once they have been closed by the audit " +"daemon. The [.filename]#audit_warn# script can be used to perform " +"customized operations for a variety of audit-related events, including the " +"clean termination of audit trails when they are rotated. For example, the " +"following may be added to [.filename]#/etc/security/audit_warn# to compress " +"audit trails on close:" +msgstr "" + +#. type: delimited block . 4 +#: documentation/content/en/books/handbook/audit/_index.adoc:452 +#, no-wrap +msgid "" +"#\n" +"# Compress audit trail files on close.\n" +"#\n" +"if [ \"$1\" = closefile ]; then\n" +" gzip -9 $2\n" +"fi\n" +msgstr "" + +#. type: Plain text +#: documentation/content/en/books/handbook/audit/_index.adoc:456 +msgid "" +"Other archiving activities might include copying trail files to a " +"centralized server, deleting old trail files, or reducing the audit trail to " +"remove unneeded records. This script will be run only when audit trail " +"files are cleanly terminated. It will not be run on trails left " +"unterminated following an improper shutdown." +msgstr "" |