path: root/en_US.ISO8859-1/books/handbook/audit/chapter.xml
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/audit/chapter.xml')
-rw-r--r--  en_US.ISO8859-1/books/handbook/audit/chapter.xml  73
1 files changed, 31 insertions, 42 deletions
diff --git a/en_US.ISO8859-1/books/handbook/audit/chapter.xml b/en_US.ISO8859-1/books/handbook/audit/chapter.xml
index e666e6a91e..ad51785f2a 100644
--- a/en_US.ISO8859-1/books/handbook/audit/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/audit/chapter.xml
@@ -3,32 +3,23 @@
The FreeBSD Documentation Project
$FreeBSD$
-->
-
<!-- Need more documentation on praudit, auditreduce, etc. Plus more info
on the triggers from the kernel (log rotation, out of space, etc).
And the /dev/audit special file if we choose to support that. Could use
some coverage of integrating MAC with Event auditing and perhaps discussion
on how some companies or organizations handle auditing and auditing
requirements. -->
-
-<chapter id="audit">
- <chapterinfo>
+<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="audit">
+ <info><title>Security Event Auditing</title>
<authorgroup>
- <author>
- <firstname>Tom</firstname>
- <surname>Rhodes</surname>
- <contrib>Written by </contrib>
- </author>
- <author>
- <firstname>Robert</firstname>
- <surname>Watson</surname>
- </author>
+ <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author>
+ <author><personname><firstname>Robert</firstname><surname>Watson</surname></personname></author>
</authorgroup>
- </chapterinfo>
+ </info>
- <title>Security Event Auditing</title>
+
- <sect1 id="audit-synopsis">
+ <sect1 xml:id="audit-synopsis">
<title>Synopsis</title>
<indexterm><primary>AUDIT</primary></indexterm>
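Review bot: the two rewritten `<author>` lines collapse `<personname>`, `<firstname>`, `<surname>` and `<contrib>` onto a single line each, while the rest of the chapter keeps one element per line; consider splitting them across lines as the removed version did, so that a later change to one author produces a readable diff. Moving `<title>` inside the new `<info>` element and changing `id` to `xml:id` are both consistent with the DocBook 5.0 namespace declared on the new `<chapter>` element.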
@@ -104,13 +95,13 @@ requirements. -->
Administrators should take into account disk space
requirements associated with high volume audit configurations.
For example, it may be desirable to dedicate a file system to
- the <filename class="directory">/var/audit</filename> tree
+ the <filename>/var/audit</filename> tree
so that other file systems are not affected if the audit file
system becomes full.</para>
</warning>
</sect1>
- <sect1 id="audit-inline-glossary">
+ <sect1 xml:id="audit-inline-glossary">
<title>Key Terms in This Chapter</title>
<para>Before reading this chapter, a few key audit-related terms
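Review bot: dropping `class="directory"` from `<filename>/var/audit</filename>` discards markup that DocBook 5.0 still accepts on `<filename>`; if the intent is only the namespace migration, `<filename class="directory">/var/audit</filename>` can stay, preserving the directory-versus-file distinction for stylesheets that render the two differently. The `id` to `xml:id` change on `<sect1>` is correct for DocBook 5.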
@@ -187,7 +178,7 @@ requirements. -->
</itemizedlist>
</sect1>
- <sect1 id="audit-install">
+ <sect1 xml:id="audit-install">
<title>Installing Audit Support</title>
<para>User space support for Event Auditing is installed as part
@@ -199,8 +190,7 @@ requirements. -->
<programlisting>options AUDIT</programlisting>
<para>Rebuild and reinstall
- the kernel via the normal process explained in <xref
- linkend="kernelconfig"/>.</para>
+ the kernel via the normal process explained in <xref linkend="kernelconfig"/>.</para>
<para>Once an audit-enabled kernel is built, installed, and the
system has been rebooted, enable the audit daemon by adding the
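Review bot: joining `<xref linkend="kernelconfig"/>` onto the preceding text line keeps the tag intact, which is good, but the resulting line runs past the width the surrounding paragraphs wrap at; consider wrapping before `<xref` so the tag stays whole and the line stays within the existing width.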
@@ -214,11 +204,11 @@ requirements. -->
<programlisting>service auditd start</programlisting>
</sect1>
- <sect1 id="audit-config">
+ <sect1 xml:id="audit-config">
<title>Audit Configuration</title>
<para>All configuration files for security audit are found in
- <filename class="directory">/etc/security</filename>. The
+ <filename>/etc/security</filename>. The
following files must be present before the audit daemon is
started:</para>
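Review bot: `class="directory"` on `<filename>/etc/security</filename>` is valid DocBook 5.0 markup and need not be removed as part of the namespace migration; keeping `<filename class="directory">/etc/security</filename>` preserves the directory-versus-file distinction for the stylesheets.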
@@ -456,7 +446,7 @@ requirements. -->
The first controls system-wide audit properties and policies;
the second may be used to fine-tune auditing by user.</para>
- <sect3 id="audit-auditcontrol">
+ <sect3 xml:id="audit-auditcontrol">
<title>The <filename>audit_control</filename> File</title>
<para>A number of defaults for the audit subsystem are
@@ -511,7 +501,7 @@ filesz:0</programlisting>
generated.</para>
</sect3>
- <sect3 id="audit-audituser">
+ <sect3 xml:id="audit-audituser">
<title>The <filename>audit_user</filename> File</title>
<para>The administrator can specify further audit requirements
@@ -525,13 +515,13 @@ filesz:0</programlisting>
<para>The following example <filename>audit_user</filename>
audits login/logout events and successful command
- execution for <username>root</username>, and audits
+ execution for <systemitem class="username">root</systemitem>, and audits
file creation and successful command execution for
- <username>www</username>. If used with the above example
+ <systemitem class="username">www</systemitem>. If used with the above example
<filename>audit_control</filename>, the
- <literal>lo</literal> entry for <username>root</username> is
+ <literal>lo</literal> entry for <systemitem class="username">root</systemitem> is
redundant, and login/logout events will also be audited for
- <username>www</username>.</para>
+ <systemitem class="username">www</systemitem>.</para>
<programlisting>root:lo,+ex:no
www:fc,+ex:no</programlisting>
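Review bot: the three rewritten lines now run well past the width used by the surrounding text; rewrap after the closing `</systemitem>` tags. The `<systemitem class="username">` replacement for `<username>` itself is the correct DocBook 5.0 form, and the `audit_user` example it describes (`root:lo,+ex:no`, `www:fc,+ex:no`) is unchanged.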
@@ -539,7 +529,7 @@ www:fc,+ex:no</programlisting>
</sect2>
</sect1>
- <sect1 id="audit-administration">
+ <sect1 xml:id="audit-administration">
<title>Administering the Audit Subsystem</title>
<sect2>
@@ -561,7 +551,7 @@ www:fc,+ex:no</programlisting>
<screen>&prompt.root; <userinput>praudit /var/audit/AUDITFILE</userinput></screen>
<para>Where
- <filename><replaceable>AUDITFILE</replaceable></filename> is
+ <filename>AUDITFILE</filename> is
the audit log to dump.</para>
<para>Audit trails consist of a series of audit records made up
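Review bot: replacing `<filename><replaceable>AUDITFILE</replaceable></filename>` with `<filename>AUDITFILE</filename>` loses the markup that tells the reader `AUDITFILE` is a placeholder to substitute with the real trail name rather than a file literally called AUDITFILE; `<replaceable>` is permitted inside `<filename>` in DocBook 5.0, so keep it.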
@@ -594,8 +584,8 @@ trailer,133</programlisting>
user ID and group ID, real user ID and group ID, process ID,
session ID, port ID, and login address. Notice that the audit
user ID and real user ID differ: the user
- <username>robert</username> has switched to the
- <username>root</username> account before running this command,
+ <systemitem class="username">robert</systemitem> has switched to the
+ <systemitem class="username">root</systemitem> account before running this command,
but it is audited using the original authenticated user.
Finally, the <literal>return</literal> token indicates the
successful execution, and the <literal>trailer</literal>
@@ -616,19 +606,18 @@ trailer,133</programlisting>
<screen>&prompt.root; <userinput>auditreduce -u trhodes /var/audit/AUDITFILE | praudit</userinput></screen>
<para>This will select all audit records produced for
- <username>trhodes</username> stored in
- <filename><replaceable>AUDITFILE</replaceable></filename>.</para>
+ <systemitem class="username">trhodes</systemitem> stored in
+ <filename>AUDITFILE</filename>.</para>
</sect2>
<sect2>
<title>Delegating Audit Review Rights</title>
- <para>Members of the <groupname>audit</groupname> group are
- given permission to read audit trails in <filename
- class="directory">/var/audit</filename>; by default, this
- group is empty, so only the <username>root</username> user
+ <para>Members of the <systemitem class="groupname">audit</systemitem> group are
+ given permission to read audit trails in <filename>/var/audit</filename>; by default, this
+ group is empty, so only the <systemitem class="username">root</systemitem> user
may read audit trails. Users may be added to the
- <groupname>audit</groupname> group in order to delegate audit
+ <systemitem class="groupname">audit</systemitem> group in order to delegate audit
review rights to the user. As the ability to track audit log
contents provides significant insight into the behavior of
users and processes, it is recommended that the delegation of
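Review bot: the `<replaceable>` wrapper around `AUDITFILE` is dropped again in `<filename>AUDITFILE</filename>`, which makes the sentence read as if a trail literally named AUDITFILE exists; retain `<filename><replaceable>AUDITFILE</replaceable></filename>`. Separately, the reflowed `<para>Members of the ... group are` line and the one after it run far past the width used elsewhere in the chapter and should be rewrapped after the closing `</systemitem>` and `</filename>` tags.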
@@ -651,8 +640,8 @@ trailer,133</programlisting>
<screen>&prompt.root; <userinput>praudit /dev/auditpipe</userinput></screen>
<para>By default, audit pipe device nodes are accessible only to
- the <username>root</username> user. To make them accessible
- to the members of the <groupname>audit</groupname> group, add
+ the <systemitem class="username">root</systemitem> user. To make them accessible
+ to the members of the <systemitem class="groupname">audit</systemitem> group, add
a <literal>devfs</literal> rule to
<filename>devfs.rules</filename>:</para>