All configuration files for security audit are found in /etc/security. The following files must be present before the audit daemon is started:
audit_class - Contains the definitions of the audit classes.
audit_control - Controls aspects of the audit subsystem, such as default audit classes, minimum disk space to leave on the audit log volume, etc.
audit_event - Defines the kernel audit events. These map, mostly, to system calls.
audit_user - The events to audit for individual users. Users not appearing here will be subject to the default configuration in the control configuration file.
audit_warn - A shell script used by auditd to generate warning messages in exceptional situations, such as when space for audit records is running low.
The configuration file syntax is somewhat arcane, but easy to work with. One thing an administrator must be wary of is overriding the system defaults: a careless override can leave audit data uncollected.
The audit subsystem accepts both the short name and the long name of a class in configuration syntax. A syntax map is included below.
The following list contains all supported audit classes:
all - all - All audit flags set.
ad - administrative - Administrative actions performed on the system as a whole.
ap - application - Application defined action.
cl - file_close - Audit calls to the close system call.
ex - exec - Audit program or utility execution.
fa - file_attr_acc - Audit the access of object attributes such as stat(1), pathconf(2) and similar events.
fc - file_creation - Audit events where a file is created as a result.
fd - file_deletion - Audit events where file deletion occurs.
fm - file_attr_mod - Audit events where file attribute modification occurs, such as chown(8), chflags(1), flock(2), etc.
fr - file_read - Audit events in which data is read, files are opened for reading, etc.
fw - file_write - Audit events in which data is written, files are written or modified, etc.
io - ioctl - Audit use of the ioctl(2) system call.
ip - ipc - Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations.
lo - login_logout - Audit login(1) and logout(1) events occurring on the system.
na - non_attrib - Audit non-attributable events.
no - no_class - Null class used to disable event auditing.
nt - network - Audit events related to network actions, such as connect(2) and accept(2).
ot - other - Audit miscellaneous events.
pc - process - Audit process operations, such as exec(3) and exit(3).
Following is a list of all supported audit prefixes:
none - Audit both the success and the failure of an event. For example, listing a class with no prefix results in the auditing of both success and failure.
+ - Audit successful events only.
- - Audit failed events only.
Warning: Using the all class with either the positive or negative prefix can generate a large amount of data at an extremely rapid rate.
Extra prefixes used to modify the default configuration values:
^- - Disable auditing of failed events.
^+ - Enable auditing of successful events.
^ - Disable auditing of both successful and failed events.
In most cases, administrators will need to modify only two files when configuring the audit system: audit_control and audit_user. The first controls system-wide audit parameters and defaults for both attributable and non-attributable events. The second may be used to tune the level and nature of auditing for individual users.
The audit_control file contains some basic defaults that the administrator may wish to modify, and perhaps supplement with new ones. Viewing the contents of this file, we see the following:
dir:/var/audit
flags:lo
minfree:20
naflags:lo
The dir option is used to set the default directory where audit logs are stored. Audit is frequently configured so that audit logs are stored on a dedicated file system, so as to prevent interference between the audit subsystem and other subsystems when file systems become full.
The flags option is used to set the system-wide defaults. The current setting, lo, configures the auditing of all login(1) and logout(1) actions. A more complex example, lo,ad,-all,^-fa,^-fc,^-cl, audits all system login(1) and logout(1) actions, all administrator actions, all failed events in the system, and finally disables auditing of failed attempts for fa, fc, and cl. Even though -all turned on the auditing of all failed attempts, the ^- prefix overrides that for the classes listed after it.
Note that, as the previous paragraph shows, the flags value is read from left to right. As a result, an entry further to the right may override an entry specified to its left.
The minfree option defines the minimum percentage of free space for audit file systems. This relates to the file system where audit logs are stored. For example, if dir specifies /var/audit and minfree is set to twenty (20), warning messages will be generated when the /var file system grows to eighty (80) percent full.
The naflags option specifies the audit classes to be audited for non-attributed events, that is, events for which there is no authenticated user.
The audit_user file permits the administrator to determine which classes of audit events should be logged for which system users.
The following are the defaults currently placed in the audit_user file:
root:lo:no
audit:fc:no
Notice how the default is to audit all cases of login/logout and disable auditing of all other actions for root. This configuration also audits all file creation and disables all other auditing for the audit user. While event auditing does not require that a special user exist, some configurations, specifically environments making use of MAC, may require it.
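The left-to-right override rule for flags values (the lo,ad,-all,^-fa,^-fc,^-cl example above) and the per-user audit_user lines are easy to get wrong by inspection, so the following is an added example, not code from the FreeBSD Handbook or the FreeBSD source tree, that evaluates both offline. It assumes that entries apply strictly left to right as the text states, that the ^ prefixes are subtractive (^- clears failure auditing, ^+ clears success auditing as the success-side counterpart of ^-, ^ clears both; confirm the ^+ meaning against audit_control(5) on your system), and that a user's effective mask is the system-wide flags mask plus the user's alwaysaudit classes minus the neveraudit classes. The class table is the one listed on this page; the audit_user(5) field layout user:alwaysaudit:neveraudit is an assumption of this example.

```python
"""Added example: resolve audit_control flags and audit_user lines offline.
Not part of the FreeBSD Handbook. Assumptions are marked in comments."""

# short name -> long name, taken from the class list on this page
AUDIT_CLASSES = {
    "all": "all", "ad": "administrative", "ap": "application",
    "cl": "file_close", "ex": "exec", "fa": "file_attr_acc",
    "fc": "file_creation", "fd": "file_deletion", "fm": "file_attr_mod",
    "fr": "file_read", "fw": "file_write", "io": "ioctl", "ip": "ipc",
    "lo": "login_logout", "na": "non_attrib", "no": "no_class",
    "nt": "network", "ot": "other", "pc": "process",
}
LONG_TO_SHORT = {long: short for short, long in AUDIT_CLASSES.items()}
# classes a mask can actually hold ("all" and "no" are pseudo-classes)
REAL_CLASSES = [c for c in AUDIT_CLASSES if c not in ("all", "no")]

# prefix -> (success bit, failure bit) to set; None leaves the bit unchanged
PREFIX_EFFECT = {
    "":   (True, True),    # bare class: audit success and failure
    "+":  (True, None),    # successful events only
    "-":  (None, True),    # failed events only
    "^":  (False, False),  # disable both
    "^+": (False, None),   # disable success auditing (assumed counterpart of ^-)
    "^-": (None, False),   # disable failure auditing
}


def split_entry(entry):
    """Split one flags entry such as '^-fa' into (prefix, short class name)."""
    for prefix in ("^+", "^-", "^", "+", "-"):   # longest prefixes first
        if entry.startswith(prefix):
            name = entry[len(prefix):]
            break
    else:
        prefix, name = "", entry
    name = LONG_TO_SHORT.get(name, name)         # long names are accepted too
    if name not in AUDIT_CLASSES:
        raise ValueError(f"unknown audit class in entry {entry!r}")
    return prefix, name


def apply_flags(expr, mask=None):
    """Apply a comma-separated flags expression to a mask, left to right.

    The mask maps each real class to (audit_success, audit_failure); later
    entries override earlier ones, which is why ^-fa after -all wins for fa.
    """
    mask = dict(mask) if mask else {c: (False, False) for c in REAL_CLASSES}
    for entry in filter(None, (e.strip() for e in expr.split(","))):
        prefix, name = split_entry(entry)
        if name == "no":                 # null class: touches nothing
            continue
        targets = REAL_CLASSES if name == "all" else [name]
        set_s, set_f = PREFIX_EFFECT[prefix]
        for cls in targets:
            s, f = mask[cls]
            mask[cls] = (s if set_s is None else set_s,
                         f if set_f is None else set_f)
    return mask


def audited_classes(mask):
    """Summarise a mask as {short class: 'both' | 'success' | 'failure'}."""
    labels = {(True, True): "both", (True, False): "success",
              (False, True): "failure"}
    return {c: labels[sf] for c, sf in mask.items() if sf in labels}


def user_mask(system_flags, audit_user_line):
    """Effective mask for one 'user:alwaysaudit:neveraudit' line (assumed layout).

    Assumed combination: the system-wide flags mask, then alwaysaudit applied
    on top, then every class named in neveraudit cleared with '^'.
    """
    user, always, never = audit_user_line.strip().split(":")
    mask = apply_flags(always, apply_flags(system_flags))
    cleared = ",".join("^" + split_entry(e.strip())[1]
                       for e in never.split(",") if e.strip())
    return user, apply_flags(cleared, mask)


if __name__ == "__main__":
    # The Handbook's own flags example, and the two audit_user lines shown above
    print(audited_classes(apply_flags("lo,ad,-all,^-fa,^-fc,^-cl")))
    for line in ("root:lo:no", "audit:fc:no"):
        user, mask = user_mask("lo", line)
        print(user, audited_classes(mask))
```

Running the Handbook example through apply_flags confirms the prose: lo and ad are audited for both success and failure, every other class is audited for failures only, and fa, fc and cl end up with no auditing at all because the ^- entries come last.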
This document and other documents can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the FreeBSD documentation first; if that does not resolve them, contact
<questions@FreeBSD.org>.
For questions about this document, contact <doc@FreeBSD.org>.