path: root/documentation/content/en/books/handbook/audit/_index.po
Diffstat (limited to 'documentation/content/en/books/handbook/audit/_index.po')
-rw-r--r--documentation/content/en/books/handbook/audit/_index.po1212
1 files changed, 1212 insertions, 0 deletions
diff --git a/documentation/content/en/books/handbook/audit/_index.po b/documentation/content/en/books/handbook/audit/_index.po
new file mode 100644
index 0000000000..cfcb9f5639
--- /dev/null
+++ b/documentation/content/en/books/handbook/audit/_index.po
@@ -0,0 +1,1212 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR The FreeBSD Project
+# This file is distributed under the same license as the FreeBSD Documentation package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: FreeBSD Documentation VERSION\n"
+"POT-Creation-Date: 2023-07-15 16:41-0300\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: YAML Front Matter: description
+#: documentation/content/en/books/handbook/audit/_index.adoc:1
+#, no-wrap
+msgid "FreeBSD security event auditing supports reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access"
+msgstr ""
+
+#. type: YAML Front Matter: part
+#: documentation/content/en/books/handbook/audit/_index.adoc:1
+#, no-wrap
+msgid "Part III. System Administration"
+msgstr ""
+
+#. type: YAML Front Matter: title
+#: documentation/content/en/books/handbook/audit/_index.adoc:1
+#, no-wrap
+msgid "Chapter 19. Security Event Auditing"
+msgstr ""
+
+#. type: Title =
+#: documentation/content/en/books/handbook/audit/_index.adoc:14
+#, no-wrap
+msgid "Security Event Auditing"
+msgstr ""
+
+#. type: Title ==
+#: documentation/content/en/books/handbook/audit/_index.adoc:52
+#, no-wrap
+msgid "Synopsis"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:58
+msgid ""
+"The FreeBSD operating system includes support for security event auditing. "
+"Event auditing supports reliable, fine-grained, and configurable logging of "
+"a variety of security-relevant system events, including logins, "
+"configuration changes, and file and network access. These log records can "
+"be invaluable for live system monitoring, intrusion detection, and "
+"postmortem analysis. FreeBSD implements Sun(TM)'s published Basic Security "
+"Module (BSM) Application Programming Interface (API) and file format, and is "
+"interoperable with the Solaris(TM) and Mac OS(R) X audit implementations."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:61
+msgid ""
+"This chapter focuses on the installation and configuration of event "
+"auditing. It explains audit policies and provides an example audit "
+"configuration."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:63
+msgid "After reading this chapter, you will know:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:65
+msgid "What event auditing is and how it works."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:66
+msgid "How to configure event auditing on FreeBSD for users and processes."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:67
+msgid ""
+"How to review the audit trail using the audit reduction and review tools."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:69
+msgid "Before reading this chapter, you should:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:71
+msgid ""
+"Understand UNIX(R) and FreeBSD basics (crossref:basics[basics,FreeBSD "
+"Basics])."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:72
+msgid ""
+"Be familiar with the basics of kernel configuration/compilation (crossref:"
+"kernelconfig[kernelconfig,Configuring the FreeBSD Kernel])."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:73
+msgid ""
+"Have some familiarity with security and how it pertains to FreeBSD (crossref:"
+"security[security,Security])."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:78
+msgid ""
+"The audit facility has some known limitations. Not all security-relevant "
+"system events are auditable and some login mechanisms, such as Xorg-based "
+"display managers and third-party daemons, do not properly configure auditing "
+"for user login sessions."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:83
+msgid ""
+"The security event auditing facility is able to generate very detailed logs "
+"of system activity. On a busy system, trail file data can be very large "
+"when configured for high detail, exceeding gigabytes a week in some "
+"configurations. Administrators should take into account the disk space "
+"requirements associated with high volume audit configurations. For example, "
+"it may be desirable to dedicate a file system to [.filename]#/var/audit# so "
+"that other file systems are not affected if the audit file system becomes "
+"full."
+msgstr ""
+
+#. type: Title ==
+#: documentation/content/en/books/handbook/audit/_index.adoc:86
+#, no-wrap
+msgid "Key Terms"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:89
+msgid "The following terms are related to security event auditing:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:91
+msgid ""
+"_event_: an auditable event is any event that can be logged using the audit "
+"subsystem. Examples of security-relevant events include the creation of a "
+"file, the building of a network connection, or a user logging in. Events are "
+"either \"attributable\", meaning that they can be traced to an authenticated "
+"user, or \"non-attributable\". Examples of non-attributable events are any "
+"events that occur before authentication in the login process, such as bad "
+"password attempts."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:92
+msgid ""
+"_class_: a named set of related events which are used in selection "
+"expressions. Commonly used classes of events include \"file creation\" (fc), "
+"\"exec\" (ex), and \"login_logout\" (lo)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:93
+msgid ""
+"_record_: an audit log entry describing a security event. Records contain a "
+"record event type, information on the subject (user) performing the action, "
+"date and time information, information on any objects or arguments, and a "
+"success or failure condition."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:94
+msgid ""
+"_trail_: a log file consisting of a series of audit records describing "
+"security events. Trails are in roughly chronological order with respect to "
+"the time events completed. Only authorized processes are allowed to commit "
+"records to the audit trail."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:95
+msgid ""
+"_selection expression_: a string containing a list of prefixes and audit "
+"event class names used to match events."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:96
+msgid ""
+"_preselection_: the process by which the system identifies which events are "
+"of interest to the administrator. The preselection configuration uses a "
+"series of selection expressions to identify which classes of events to audit "
+"for which users, as well as global settings that apply to both authenticated "
+"and unauthenticated processes."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:97
+msgid ""
+"_reduction_: the process by which records from existing audit trails are "
+"selected for preservation, printing, or analysis. Likewise, the process by "
+"which undesired audit records are removed from the audit trail. Using "
+"reduction, administrators can implement policies for the preservation of "
+"audit data. For example, detailed audit trails might be kept for one month, "
+"but after that, trails might be reduced in order to preserve only login "
+"information for archival purposes."
+msgstr ""
+
+#. type: Title ==
+#: documentation/content/en/books/handbook/audit/_index.adoc:99
+#, no-wrap
+msgid "Audit Configuration"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:103
+msgid ""
+"User space support for event auditing is installed as part of the base "
+"FreeBSD operating system. Kernel support is available in the [."
+"filename]#GENERIC# kernel by default, and man:auditd[8] can be enabled by "
+"adding the following line to [.filename]#/etc/rc.conf#:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:107
+#, no-wrap
+msgid "auditd_enable=\"YES\"\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:110
+msgid "Then, start the audit daemon:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:114
+#, no-wrap
+msgid "# service auditd start\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:117
+msgid ""
+"Users who prefer to compile a custom kernel must include the following line "
+"in their custom kernel configuration file:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:121
+#, no-wrap
+msgid "options\tAUDIT\n"
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/handbook/audit/_index.adoc:123
+#, no-wrap
+msgid "Event Selection Expressions"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:128
+msgid ""
+"Selection expressions are used in a number of places in the audit "
+"configuration to determine which events should be audited. Expressions "
+"contain a list of event classes to match. Selection expressions are "
+"evaluated from left to right, and two expressions are combined by appending "
+"one onto the other."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:130
+msgid "<<event-selection>> summarizes the default audit event classes:"
+msgstr ""
+
+#. type: Block title
+#: documentation/content/en/books/handbook/audit/_index.adoc:132
+#, no-wrap
+msgid "Default Audit Event Classes"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:136
+#, no-wrap
+msgid "Class Name"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:137
+#, no-wrap
+msgid "Description"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:139
+#: documentation/content/en/books/handbook/audit/_index.adoc:232
+#, no-wrap
+msgid "Action"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:140
+#: documentation/content/en/books/handbook/audit/_index.adoc:141
+#, no-wrap
+msgid "all"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:143
+#, no-wrap
+msgid "Match all event classes."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:144
+#, no-wrap
+msgid "aa"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:145
+#, no-wrap
+msgid "authentication and authorization"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:148
+#, no-wrap
+msgid "ad"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:149
+#, no-wrap
+msgid "administrative"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:151
+#, no-wrap
+msgid "Administrative actions performed on the system as a whole."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:152
+#, no-wrap
+msgid "ap"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:153
+#, no-wrap
+msgid "application"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:155
+#, no-wrap
+msgid "Application defined action."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:156
+#, no-wrap
+msgid "cl"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:157
+#, no-wrap
+msgid "file close"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:159
+#, no-wrap
+msgid "Audit calls to the `close` system call."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:160
+#, no-wrap
+msgid "ex"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:161
+#, no-wrap
+msgid "exec"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:163
+#, no-wrap
+msgid "Audit program execution. Auditing of command line arguments and environmental variables is controlled via man:audit_control[5] using the `argv` and `envv` parameters to the `policy` setting."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:164
+#, no-wrap
+msgid "fa"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:165
+#, no-wrap
+msgid "file attribute access"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:167
+#, no-wrap
+msgid "Audit the access of object attributes such as man:stat[1] and man:pathconf[2]."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:168
+#, no-wrap
+msgid "fc"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:169
+#, no-wrap
+msgid "file create"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:171
+#, no-wrap
+msgid "Audit events where a file is created as a result."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:172
+#, no-wrap
+msgid "fd"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:173
+#, no-wrap
+msgid "file delete"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:175
+#, no-wrap
+msgid "Audit events where file deletion occurs."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:176
+#, no-wrap
+msgid "fm"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:177
+#, no-wrap
+msgid "file attribute modify"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:179
+#, no-wrap
+msgid "Audit events where file attribute modification occurs, such as by man:chown[8], man:chflags[1], and man:flock[2]."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:180
+#, no-wrap
+msgid "fr"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:181
+#, no-wrap
+msgid "file read"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:183
+#, no-wrap
+msgid "Audit events in which data is read or files are opened for reading."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:184
+#, no-wrap
+msgid "fw"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:185
+#, no-wrap
+msgid "file write"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:187
+#, no-wrap
+msgid "Audit events in which data is written or files are written or modified."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:188
+#, no-wrap
+msgid "io"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:189
+#, no-wrap
+msgid "ioctl"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:191
+#, no-wrap
+msgid "Audit use of the `ioctl` system call."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:192
+#, no-wrap
+msgid "ip"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:193
+#, no-wrap
+msgid "ipc"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:195
+#, no-wrap
+msgid "Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:196
+#, no-wrap
+msgid "lo"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:197
+#, no-wrap
+msgid "login_logout"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:199
+#, no-wrap
+msgid "Audit man:login[1] and man:logout[1] events."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:200
+#, no-wrap
+msgid "na"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:201
+#, no-wrap
+msgid "non attributable"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:203
+#, no-wrap
+msgid "Audit non-attributable events."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:204
+#, no-wrap
+msgid "no"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:205
+#, no-wrap
+msgid "invalid class"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:207
+#, no-wrap
+msgid "Match no audit events."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:208
+#, no-wrap
+msgid "nt"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:209
+#, no-wrap
+msgid "network"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:211
+#, no-wrap
+msgid "Audit events related to network actions such as man:connect[2] and man:accept[2]."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:212
+#, no-wrap
+msgid "ot"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:213
+#, no-wrap
+msgid "other"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:215
+#, no-wrap
+msgid "Audit miscellaneous events."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:216
+#, no-wrap
+msgid "pc"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:217
+#, no-wrap
+msgid "process"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:218
+#, no-wrap
+msgid "Audit process operations such as man:exec[3] and man:exit[3]."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:221
+msgid ""
+"These audit event classes may be customized by modifying the [."
+"filename]#audit_class# and [.filename]#audit_event# configuration files."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:224
+msgid ""
+"Each audit event class may be combined with a prefix indicating whether "
+"successful/failed operations are matched, and whether the entry is adding or "
+"removing matching for the class and type. <<event-prefixes>> summarizes the "
+"available prefixes:"
+msgstr ""
+
+#. type: Block title
+#: documentation/content/en/books/handbook/audit/_index.adoc:226
+#, no-wrap
+msgid "Prefixes for Audit Event Classes"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:230
+#, no-wrap
+msgid "Prefix"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:233
+#, no-wrap
+msgid "+"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:235
+#, no-wrap
+msgid "Audit successful events in this class."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:236
+#, no-wrap
+msgid "-"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:238
+#, no-wrap
+msgid "Audit failed events in this class."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:239
+#, no-wrap
+msgid "^"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:241
+#, no-wrap
+msgid "Audit neither successful nor failed events in this class."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:242
+#, no-wrap
+msgid "^+"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:244
+#, no-wrap
+msgid "Do not audit successful events in this class."
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:245
+#, no-wrap
+msgid "^-"
+msgstr ""
+
+#. type: Table
+#: documentation/content/en/books/handbook/audit/_index.adoc:246
+#, no-wrap
+msgid "Do not audit failed events in this class."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:249
+msgid ""
+"If no prefix is present, both successful and failed instances of the event "
+"will be audited."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:251
+msgid ""
+"The following example selection string selects both successful and failed "
+"login/logout events, but only successful execution events:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:255
+#, no-wrap
+msgid "lo,+ex\n"
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/handbook/audit/_index.adoc:257
+#, no-wrap
+msgid "Configuration Files"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:260
+msgid ""
+"The following configuration files for security event auditing are found in [."
+"filename]#/etc/security#:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:262
+msgid ""
+"[.filename]#audit_class#: contains the definitions of the audit classes."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:263
+msgid ""
+"[.filename]#audit_control#: controls aspects of the audit subsystem, such as "
+"default audit classes, minimum disk space to leave on the audit log volume, "
+"and maximum audit trail size."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:264
+msgid ""
+"[.filename]#audit_event#: textual names and descriptions of system audit "
+"events and a list of which classes each event is in."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:265
+msgid ""
+"[.filename]#audit_user#: user-specific audit requirements to be combined "
+"with the global defaults at login."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:266
+msgid ""
+"[.filename]#audit_warn#: a customizable shell script used by man:auditd[8] "
+"to generate warning messages in exceptional situations, such as when space "
+"for audit records is running low or when the audit trail file has been "
+"rotated."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:270
+msgid ""
+"Audit configuration files should be edited and maintained carefully, as "
+"errors in configuration may result in improper logging of events."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:274
+msgid ""
+"In most cases, administrators will only need to modify [."
+"filename]#audit_control# and [.filename]#audit_user#. The first file "
+"controls system-wide audit properties and policies and the second file may "
+"be used to fine-tune auditing by user."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/handbook/audit/_index.adoc:276
+#, no-wrap
+msgid "The [.filename]#audit_control# File"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:279
+msgid ""
+"A number of defaults for the audit subsystem are specified in [."
+"filename]#audit_control#:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:290
+#, no-wrap
+msgid ""
+"dir:/var/audit\n"
+"dist:off\n"
+"flags:lo,aa\n"
+"minfree:5\n"
+"naflags:lo,aa\n"
+"policy:cnt,argv\n"
+"filesz:2M\n"
+"expire-after:10M\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:295
+msgid ""
+"The `dir` entry is used to set one or more directories where audit logs will "
+"be stored. If more than one directory entry appears, they will be used in "
+"order as they fill. It is common to configure audit so that audit logs are "
+"stored on a dedicated file system, in order to prevent interference between "
+"the audit subsystem and other subsystems if the file system fills."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:297
+msgid ""
+"If the `dist` field is set to `on` or `yes`, hard links will be created to "
+"all trail files in [.filename]#/var/audit/dist#."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:300
+msgid ""
+"The `flags` field sets the system-wide default preselection mask for "
+"attributable events. In the example above, successful and failed login/"
+"logout events as well as authentication and authorization are audited for "
+"all users."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:302
+msgid ""
+"The `minfree` entry defines the minimum percentage of free space for the "
+"file system where the audit trail is stored."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:304
+msgid ""
+"The `naflags` entry specifies audit classes to be audited for non-attributed "
+"events, such as the login/logout process and authentication and "
+"authorization."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:308
+msgid ""
+"The `policy` entry specifies a comma-separated list of policy flags "
+"controlling various aspects of audit behavior. The `cnt` indicates that the "
+"system should continue running despite an auditing failure (this flag is "
+"highly recommended). The other flag, `argv`, causes command line arguments "
+"to the man:execve[2] system call to be audited as part of command execution."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:312
+msgid ""
+"The `filesz` entry specifies the maximum size for an audit trail before "
+"automatically terminating and rotating the trail file. A value of `0` "
+"disables automatic log rotation. If the requested file size is below the "
+"minimum of 512k, it will be ignored and a log message will be generated."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:314
+msgid ""
+"The `expire-after` field specifies when audit log files will expire and be "
+"removed."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/handbook/audit/_index.adoc:316
+#, no-wrap
+msgid "The [.filename]#audit_user# File"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:320
+msgid ""
+"The administrator can specify further audit requirements for specific users "
+"in [.filename]#audit_user#. Each line configures auditing for a user via "
+"two fields: the `alwaysaudit` field specifies a set of events that should "
+"always be audited for the user, and the `neveraudit` field specifies a set "
+"of events that should never be audited for the user."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:323
+msgid ""
+"The following example entries audit login/logout events and successful "
+"command execution for `root` and file creation and successful command "
+"execution for `www`. If used with the default [.filename]#audit_control#, "
+"the `lo` entry for `root` is redundant, and login/logout events will also be "
+"audited for `www`."
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:328
+#, no-wrap
+msgid ""
+"root:lo,+ex:no\n"
+"www:fc,+ex:no\n"
+msgstr ""
+
+#. type: Title ==
+#: documentation/content/en/books/handbook/audit/_index.adoc:331
+#, no-wrap
+msgid "Working with Audit Trails"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:337
+msgid ""
+"Since audit trails are stored in the BSM binary format, several built-in "
+"tools are available to modify or convert these trails to text. To convert "
+"trail files to a simple text format, use `praudit`. To reduce the audit "
+"trail file for analysis, archiving, or printing purposes, use "
+"`auditreduce`. This utility supports a variety of selection parameters, "
+"including event type, event class, user, date or time of the event, and the "
+"file path or object acted on."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:339
+msgid ""
+"For example, to dump the entire contents of a specified audit log in plain "
+"text:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:343
+#, no-wrap
+msgid "# praudit /var/audit/AUDITFILE\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:346
+msgid "Where _AUDITFILE_ is the audit log to dump."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:350
+msgid ""
+"Audit trails consist of a series of audit records made up of tokens, which "
+"`praudit` prints sequentially, one per line. Each token is of a specific "
+"type, such as `header` (an audit record header) or `path` (a file path from "
+"a name lookup). The following is an example of an `execve` event:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:360
+#, no-wrap
+msgid ""
+"header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec\n"
+"exec arg,finger,doug\n"
+"path,/usr/bin/finger\n"
+"attribute,555,root,wheel,90,24918,104944\n"
+"subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100\n"
+"return,success,0\n"
+"trailer,133\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:369
+msgid ""
+"This audit represents a successful `execve` call, in which the command "
+"`finger doug` has been run. The `exec arg` token contains the processed "
+"command line presented by the shell to the kernel. The `path` token holds "
+"the path to the executable as looked up by the kernel. The `attribute` "
+"token describes the binary and includes the file mode. The `subject` token "
+"stores the audit user ID, effective user ID and group ID, real user ID and "
+"group ID, process ID, session ID, port ID, and login address. Notice that "
+"the audit user ID and real user ID differ as the user `robert` switched to "
+"the `root` account before running this command, but it is audited using the "
+"original authenticated user. The `return` token indicates the successful "
+"execution and the `trailer` concludes the record."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:371
+msgid ""
+"XML output format is also supported and can be selected by including `-x`."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:374
+msgid ""
+"Since audit logs may be very large, a subset of records can be selected "
+"using `auditreduce`. This example selects all audit records produced for "
+"the user `trhodes` stored in [.filename]#AUDITFILE#:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:378
+#, no-wrap
+msgid "# auditreduce -u trhodes /var/audit/AUDITFILE | praudit\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:384
+msgid ""
+"Members of the `audit` group have permission to read audit trails in [."
+"filename]#/var/audit#. By default, this group is empty, so only the `root` "
+"user can read audit trails. Users may be added to the `audit` group in "
+"order to delegate audit review rights. As the ability to track audit log "
+"contents provides significant insight into the behavior of users and "
+"processes, it is recommended that the delegation of audit review rights be "
+"performed with caution."
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/handbook/audit/_index.adoc:385
+#, no-wrap
+msgid "Live Monitoring Using Audit Pipes"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:391
+msgid ""
+"Audit pipes are cloning pseudo-devices which allow applications to tap the "
+"live audit record stream. This is primarily of interest to authors of "
+"intrusion detection and system monitoring applications. However, the audit "
+"pipe device is a convenient way for the administrator to allow live "
+"monitoring without running into problems with audit trail file ownership or "
+"log rotation interrupting the event stream. To track the live audit event "
+"stream:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:395
+#, no-wrap
+msgid "# praudit /dev/auditpipe\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:399
+msgid ""
+"By default, audit pipe device nodes are accessible only to the `root` user. "
+"To make them accessible to the members of the `audit` group, add a `devfs` "
+"rule to [.filename]#/etc/devfs.rules#:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:403
+#, no-wrap
+msgid "add path 'auditpipe*' mode 0440 group audit\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:406
+msgid ""
+"See man:devfs.rules[5] for more information on configuring the devfs file "
+"system."
+msgstr ""
+
+#. type: delimited block = 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:412
+msgid ""
+"It is easy to produce audit event feedback cycles, in which the viewing of "
+"each audit event results in the generation of more audit events. For "
+"example, if all network I/O is audited, and `praudit` is run from an SSH "
+"session, a continuous stream of audit events will be generated at a high "
+"rate, as each event being printed will generate another event. For this "
+"reason, it is advisable to run `praudit` on an audit pipe device from "
+"sessions without fine-grained I/O auditing."
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/handbook/audit/_index.adoc:414
+#, no-wrap
+msgid "Rotating and Compressing Audit Trail Files"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:421
+msgid ""
+"Audit trails are written to by the kernel and managed by the audit daemon, "
+"man:auditd[8]. Administrators should not attempt to use man:newsyslog."
+"conf[5] or other tools to directly rotate audit logs. Instead, `audit` "
+"should be used to shut down auditing, reconfigure the audit system, and "
+"perform log rotation. The following command causes the audit daemon to "
+"create a new audit log and signal the kernel to switch to using the new "
+"log. The old log will be terminated and renamed, at which point it may then "
+"be manipulated by the administrator:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:425
+#, no-wrap
+msgid "# audit -n\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:428
+msgid ""
+"If man:auditd[8] is not currently running, this command will fail and an "
+"error message will be produced."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:430
+msgid ""
+"Adding the following line to [.filename]#/etc/crontab# will schedule this "
+"rotation every twelve hours:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:434
+#, no-wrap
+msgid "0 */12 * * * root /usr/sbin/audit -n\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:437
+msgid "The change will take effect once [.filename]#/etc/crontab# is saved."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:439
+msgid ""
+"Automatic rotation of the audit trail file based on file size is possible "
+"using `filesz` in [.filename]#audit_control# as described in <<audit-"
+"auditcontrol>>."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:443
+msgid ""
+"As audit trail files can become very large, it is often desirable to "
+"compress or otherwise archive trails once they have been closed by the audit "
+"daemon. The [.filename]#audit_warn# script can be used to perform "
+"customized operations for a variety of audit-related events, including the "
+"clean termination of audit trails when they are rotated. For example, the "
+"following may be added to [.filename]#/etc/security/audit_warn# to compress "
+"audit trails on close:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/handbook/audit/_index.adoc:452
+#, no-wrap
+msgid ""
+"#\n"
+"# Compress audit trail files on close.\n"
+"#\n"
+"if [ \"$1\" = closefile ]; then\n"
+" gzip -9 $2\n"
+"fi\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/handbook/audit/_index.adoc:456
+msgid ""
+"Other archiving activities might include copying trail files to a "
+"centralized server, deleting old trail files, or reducing the audit trail to "
+"remove unneeded records. This script will be run only when audit trail "
+"files are cleanly terminated. It will not be run on trails left "
+"unterminated following an improper shutdown."
+msgstr ""