aboutsummaryrefslogtreecommitdiff
path: root/en_US.ISO8859-1/books/handbook/audit/chapter.xml
diff options
context:
space:
mode:
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/audit/chapter.xml')
-rw-r--r--en_US.ISO8859-1/books/handbook/audit/chapter.xml172
1 files changed, 83 insertions, 89 deletions
diff --git a/en_US.ISO8859-1/books/handbook/audit/chapter.xml b/en_US.ISO8859-1/books/handbook/audit/chapter.xml
index 5d5540e5f6..e666e6a91e 100644
--- a/en_US.ISO8859-1/books/handbook/audit/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/audit/chapter.xml
@@ -60,8 +60,8 @@ requirements. -->
</listitem>
<listitem>
- <para>How to configure Event Auditing on &os; for users
- and processes.</para>
+ <para>How to configure Event Auditing on &os; for users and
+ processes.</para>
</listitem>
<listitem>
@@ -85,8 +85,8 @@ requirements. -->
</listitem>
<listitem>
- <para>Have some familiarity with security and how it
- pertains to &os; (<xref linkend="security"/>).</para>
+ <para>Have some familiarity with security and how it pertains
+ to &os; (<xref linkend="security"/>).</para>
</listitem>
</itemizedlist>
@@ -104,9 +104,9 @@ requirements. -->
Administrators should take into account disk space
requirements associated with high volume audit configurations.
For example, it may be desirable to dedicate a file system to
- the <filename class="directory">/var/audit</filename> tree so that other file
- systems are not affected if the audit file system becomes
- full.</para>
+ the <filename class="directory">/var/audit</filename> tree
+ so that other file systems are not affected if the audit file
+ system becomes full.</para>
</warning>
</sect1>
@@ -133,9 +133,9 @@ requirements. -->
<listitem>
<para><emphasis>class</emphasis>: Event classes are named sets
of related events, and are used in selection expressions.
- Commonly used classes of events include
- <quote>file creation</quote> (fc), <quote>exec</quote> (ex)
- and <quote>login_logout</quote> (lo).</para>
+ Commonly used classes of events include <quote>file
+ creation</quote> (fc), <quote>exec</quote> (ex) and
+ <quote>login_logout</quote> (lo).</para>
</listitem>
<listitem>
@@ -199,8 +199,8 @@ requirements. -->
<programlisting>options AUDIT</programlisting>
<para>Rebuild and reinstall
- the kernel via the normal process explained in
- <xref linkend="kernelconfig"/>.</para>
+ the kernel via the normal process explained in <xref
+ linkend="kernelconfig"/>.</para>
<para>Once an audit-enabled kernel is built, installed, and the
system has been rebooted, enable the audit daemon by adding the
@@ -249,10 +249,10 @@ requirements. -->
<listitem>
<para><filename>audit_warn</filename> - A customizable shell
- script used by <application>auditd</application> to generate
- warning messages in exceptional situations, such as when
- space for audit records is running low or when the audit
- trail file has been rotated.</para>
+ script used by &man.auditd.8; to generate warning messages
+ in exceptional situations, such as when space for audit
+ records is running low or when the audit trail file has
+ been rotated.</para>
</listitem>
</itemizedlist>
@@ -400,8 +400,8 @@ requirements. -->
</itemizedlist>
<para>These audit event classes may be customized by modifying
- the <filename>audit_class</filename> and
- <filename>audit_event</filename> configuration files.</para>
+ the <filename>audit_class</filename> and <filename>audit_
+ event</filename> configuration files.</para>
<para>Each audit class in the list is combined with a prefix
indicating whether successful/failed operations are matched,
@@ -451,18 +451,16 @@ requirements. -->
<title>Configuration Files</title>
<para>In most cases, administrators will need to modify only two
- files when configuring the audit system:
- <filename>audit_control</filename> and
- <filename>audit_user</filename>. The first controls
- system-wide audit properties and policies; the second may be
- used to fine-tune auditing by user.</para>
+ files when configuring the audit system: <filename>audit_
+ control</filename> and <filename>audit_user</filename>.
+ The first controls system-wide audit properties and policies;
+ the second may be used to fine-tune auditing by user.</para>
<sect3 id="audit-auditcontrol">
<title>The <filename>audit_control</filename> File</title>
- <para>The <filename>audit_control</filename> file specifies a
- number of defaults for the audit subsystem. Viewing the
- contents of this file, we see the following:</para>
+ <para>A number of defaults for the audit subsystem are
+ specified in <filename>audit_control</filename>:</para>
<programlisting>dir:/var/audit
flags:lo
@@ -471,7 +469,7 @@ naflags:lo
policy:cnt
filesz:0</programlisting>
- <para>The <option>dir</option> option is used to set one or
+ <para>The <option>dir</option> entry is used to set one or
more directories where audit logs will be stored. If more
than one directory entry appears, they will be used in order
as they fill. It is common to configure audit so that audit
@@ -484,17 +482,17 @@ filesz:0</programlisting>
example above, successful and failed login and logout events
are audited for all users.</para>
- <para>The <option>minfree</option> option defines the minimum
+ <para>The <option>minfree</option> entry defines the minimum
percentage of free space for the file system where the audit
trail is stored. When this threshold is exceeded, a warning
will be generated. The above example sets the minimum free
space to twenty percent.</para>
- <para>The <option>naflags</option> option specifies audit
- classes to be audited for non-attributed events, such as the
- login process and system daemons.</para>
+ <para>The <option>naflags</option> entry specifies audit classes
+ to be audited for non-attributed events, such as the login
+ process and system daemons.</para>
- <para>The <option>policy</option> option specifies a
+ <para>The <option>policy</option> entry specifies a
comma-separated list of policy flags controlling various
aspects of audit behavior. The default
<literal>cnt</literal> flag indicates that the system should
@@ -504,7 +502,7 @@ filesz:0</programlisting>
to the &man.execve.2; system call to be audited as part of
command execution.</para>
- <para>The <option>filesz</option> option specifies the maximum
+ <para>The <option>filesz</option> entry specifies the maximum
size in bytes to allow an audit trail file to grow to before
automatically terminating and rotating the trail file. The
default, 0, disables automatic log rotation. If the
@@ -516,25 +514,24 @@ filesz:0</programlisting>
<sect3 id="audit-audituser">
<title>The <filename>audit_user</filename> File</title>
- <para>The <filename>audit_user</filename> file permits the
- administrator to specify further audit requirements for
- specific users. Each line configures auditing for a user
- via two fields: the first is the
- <literal>alwaysaudit</literal> field, which specifies a set
- of events that should always be audited for the user, and
- the second is the <literal>neveraudit</literal> field, which
- specifies a set of events that should never be audited for
- the user.</para>
+ <para>The administrator can specify further audit requirements
+ for specific users in <filename>audit_user</filename>.
+ Each line configures auditing for a user via two fields:
+ the first is the <literal>alwaysaudit</literal> field,
+ which specifies a set of events that should always be
+ audited for the user, and the second is the
+ <literal>neveraudit</literal> field, which specifies a set
+ of events that should never be audited for the user.</para>
<para>The following example <filename>audit_user</filename>
- file audits login/logout events and successful command
- execution for the <username>root</username> user, and audits
- file creation and successful command execution for the
- <username>www</username> user. If used with the example
- <filename>audit_control</filename> file above, the
+ audits login/logout events and successful command
+ execution for <username>root</username>, and audits
+ file creation and successful command execution for
+ <username>www</username>. If used with the above example
+ <filename>audit_control</filename>, the
<literal>lo</literal> entry for <username>root</username> is
redundant, and login/logout events will also be audited for
- the <username>www</username> user.</para>
+ <username>www</username>.</para>
<programlisting>root:lo,+ex:no
www:fc,+ex:no</programlisting>
@@ -553,14 +550,13 @@ www:fc,+ex:no</programlisting>
&man.praudit.1; command converts trail files to a simple text
format; the &man.auditreduce.1; command may be used to reduce
the audit trail file for analysis, archiving, or printing
- purposes. <command>auditreduce</command> supports a variety
- of selection parameters, including event type, event class,
+ purposes. A variety of selection parameters are supported by
+ &man.auditreduce.1;, including event type, event class,
user, date or time of the event, and the file path or object
acted on.</para>
- <para>For example, the <command>praudit</command> utility will
- dump the entire contents of a specified audit log in plain
- text:</para>
+ <para>For example, &man.praudit.1; will dump the entire
+ contents of a specified audit log in plain text:</para>
<screen>&prompt.root; <userinput>praudit /var/audit/AUDITFILE</userinput></screen>
@@ -569,11 +565,11 @@ www:fc,+ex:no</programlisting>
the audit log to dump.</para>
<para>Audit trails consist of a series of audit records made up
- of tokens, which <command>praudit</command> prints
- sequentially one per line. Each token is of a specific type,
- such as <literal>header</literal> holding an audit record
- header, or <literal>path</literal> holding a file path from a
- name lookup. The following is an example of an
+ of tokens, which &man.praudit.1; prints sequentially one per
+ line. Each token is of a specific type, such as
+ <literal>header</literal> holding an audit record header, or
+ <literal>path</literal> holding a file path from a name
+ lookup. The following is an example of an
<literal>execve</literal> event:</para>
<programlisting>header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
@@ -605,9 +601,9 @@ trailer,133</programlisting>
successful execution, and the <literal>trailer</literal>
concludes the record.</para>
- <para><command>praudit</command> also supports
- an XML output format, which can be selected using the
- <option>-x</option> argument.</para>
+ <para><acronym>XML</acronym> output format is also supported by
+ &man.praudit.1;, and can be selected using
+ <option>-x</option>.</para>
</sect2>
<sect2>
@@ -619,20 +615,19 @@ trailer,133</programlisting>
<screen>&prompt.root; <userinput>auditreduce -u trhodes /var/audit/AUDITFILE | praudit</userinput></screen>
- <para>This will select all audit records produced for the user
- <username>trhodes</username> stored in the
- <filename><replaceable>AUDITFILE</replaceable></filename>
- file.</para>
+ <para>This will select all audit records produced for
+ <username>trhodes</username> stored in
+ <filename><replaceable>AUDITFILE</replaceable></filename>.</para>
</sect2>
<sect2>
<title>Delegating Audit Review Rights</title>
<para>Members of the <groupname>audit</groupname> group are
- given permission to read audit trails in
- <filename class="directory">/var/audit</filename>; by default, this group is
- empty, so only the <username>root</username> user may read
- audit trails. Users may be added to the
+ given permission to read audit trails in <filename
+ class="directory">/var/audit</filename>; by default, this
+ group is empty, so only the <username>root</username> user
+ may read audit trails. Users may be added to the
<groupname>audit</groupname> group in order to delegate audit
review rights to the user. As the ability to track audit log
contents provides significant insight into the behavior of
@@ -674,9 +669,9 @@ trailer,133</programlisting>
SSH session, then a continuous stream of audit events will
be generated at a high rate, as each event being printed
will generate another event. It is advisable to run
- <command>praudit</command> on an audit pipe device from
- sessions without fine-grained I/O auditing in order to avoid
- this happening.</para>
+ &man.praudit.1; on an audit pipe device from sessions
+ without fine-grained I/O auditing in order to avoid this
+ happening.</para>
</warning>
</sect2>
@@ -684,24 +679,23 @@ trailer,133</programlisting>
<title>Rotating Audit Trail Files</title>
<para>Audit trails are written to only by the kernel, and
- managed only by the audit daemon,
- <application>auditd</application>. Administrators should not
- attempt to use &man.newsyslog.conf.5; or other tools to
- directly rotate audit logs. Instead, the
- <command>audit</command> management tool may be used to shut
- down auditing, reconfigure the audit system, and perform log
- rotation. The following command causes the audit daemon to
- create a new audit log and signal the kernel to switch to
- using the new log. The old log will be terminated and
- renamed, at which point it may then be manipulated by the
- administrator.</para>
+ managed only by the audit daemon, &man.auditd.8;.
+ Administrators should not attempt to use
+ &man.newsyslog.conf.5; or other tools to directly rotate
+ audit logs. Instead, the &man.audit.8; management tool may
+ be used to shut down auditing, reconfigure the audit system,
+ and perform log rotation. The following command causes the
+ audit daemon to create a new audit log and signal the kernel
+ to switch to using the new log. The old log will be
+ terminated and renamed, at which point it may then be
+ manipulated by the administrator.</para>
<screen>&prompt.root; <userinput>audit -n</userinput></screen>
<warning>
- <para>If the <application>auditd</application> daemon is not
- currently running, this command will fail and an error
- message will be produced.</para>
+ <para>If &man.auditd.8; is not currently running, this
+ command will fail and an error message will be
+ produced.</para>
</warning>
<para>Adding the following line to
@@ -710,11 +704,11 @@ trailer,133</programlisting>
<programlisting>0 */12 * * * root /usr/sbin/audit -n</programlisting>
- <para>The change will take effect once you have saved the
- new <filename>/etc/crontab</filename>.</para>
+ <para>The change will take effect once you have saved the new
+ <filename>/etc/crontab</filename>.</para>
<para>Automatic rotation of the audit trail file based on file
- size is possible via the <option>filesz</option> option in
+ size is possible using <option>filesz</option> in
&man.audit.control.5;, and is described in the configuration
files section of this chapter.</para>
</sect2>