Before reading this chapter, a few key terms must be explained. This is intended to clear up any confusion that may occur and to avoid the abrupt introduction of new terms and information.
event: An auditable event is an event that can be logged using the audit subsystem. The administrator can configure which events will be audited. Examples of security-relevant events include the creation of a file, the building of a network connection, or the logging in of a user. Events are either “attributable”, meaning that they can be traced back to a user authentication, or “non-attributable”. Examples of non-attributable events are any events that occur before authentication has succeeded in the login process, such as failed authentication attempts.
class: Events may be assigned to one or more classes, usually based on the general category of the events, such as “file creation”, “file access”, or “network”. Login and logout events are assigned to the lo class. The use of classes allows the administrator to specify high level auditing rules without having to specify whether each individual auditable operation will be logged.
record: A record is a log entry describing a security event. Records typically have a record event type, information on the subject (user) associated with the event, time information, information on any objects, such as files, and information on whether the event corresponded to a successful operation.
trail: An audit trail, or log file, consists of a series of audit records describing security events. Typically, trails are in roughly chronological order with respect to the time events completed. Only authorized processes are allowed to commit records to the audit trail.
prefix: A prefix is considered to be the configuration element used to toggle auditing for success and failed events.
本文及其他文件,可由此下載:ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/。
若有 FreeBSD 方面疑問,請先閱讀 FreeBSD 相關文件,如不能解決的話,再洽詢
<questions@FreeBSD.org>。
關於本文件的問題,請洽詢 <doc@FreeBSD.org>。