Part III. System Administration
Chapter 17. Security Event Auditing
Synopsis
The FreeBSD operating system includes support for security event auditing. Event auditing supports reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access. These log records can be invaluable for live system monitoring, intrusion detection, and postmortem analysis. FreeBSD implements Sun(TM)'s published Basic Security Module (BSM) Application Programming Interface (API) and file format, and is interoperable with the Solaris(TM) and Mac OS(R) X audit implementations.
This chapter focuses on the installation and configuration of event auditing. It explains audit policies and provides an example audit configuration.
After reading this chapter, you will know:
What event auditing is and how it works.
How to configure event auditing on FreeBSD for users and processes.
How to review the audit trail using the audit reduction and review tools.
Before reading this chapter, you should:
Understand UNIX(R) and FreeBSD basics (crossref:basics[basics,FreeBSD Basics]).
Be familiar with the basics of kernel configuration/compilation (crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]).
Have some familiarity with security and how it pertains to FreeBSD (crossref:security[security,Security]).
The audit facility has some known limitations. Not all security-relevant system events are auditable, and some login mechanisms, such as Xorg-based display managers and third-party daemons, do not properly configure auditing for user login sessions.
The security event auditing facility is able to generate very detailed logs of system activity. On a busy system, trail file data can be very large when configured for high detail, exceeding gigabytes a week in some configurations. Administrators should take into account the disk space requirements associated with high-volume audit configurations. For example, it may be desirable to dedicate a file system to [.filename]#/var/audit# so that other file systems are not affected if the audit file system becomes full.
Key Terms
The following terms are related to security event auditing:
_event_: an auditable event is any event that can be logged using the audit subsystem. Examples of security-relevant events include the creation of a file, the building of a network connection, or a user logging in. Events are either "attributable", meaning that they can be traced to an authenticated user, or "non-attributable". Examples of non-attributable events are any events that occur before authentication in the login process, such as bad password attempts.
_class_: a named set of related events which is used in selection expressions. Commonly used classes of events include "file creation" (fc), "exec" (ex), and "login_logout" (lo).
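To make the relationship between classes and selection expressions concrete, here is an added example (not from the Handbook or the FreeBSD source) that evaluates a class selection string in the flags syntax used by audit_control(5): a bare class selects both successful and failed events, a `+` or `-` prefix keeps only the successful or failed half, and a leading `^` removes a selection made earlier in the string. The class names and the `all` shorthand are assumed from audit_class(5); the sample expressions are constructed.

```python
"""Evaluate a FreeBSD audit class selection string (audit_control(5) flags syntax).

Assumed syntax (added example, not the Handbook's own code):
  lo      audit both successful and failed events of class lo
  +ex     audit only successful ex events
  -fc     audit only failed fc events
  ^aa     stop auditing class aa entirely
  ^+ex    stop auditing successful ex events (^-fc: failed fc events)
Entries are applied left to right, so later entries refine earlier ones.
"""

# Constructed subset of the class names listed in audit_class(5);
# "all" expands to every class in this set.
KNOWN_CLASSES = {"fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt",
                 "ip", "na", "ad", "lo", "aa", "ex", "ot", "io"}


def parse_selection(expr):
    """Return {class: (audit_success, audit_failure)} for a flags string."""
    selected = {}
    for token in expr.split(","):
        token = token.strip()
        if not token:
            continue
        remove = token.startswith("^")
        if remove:
            token = token[1:]
        if token.startswith("+"):
            succ, fail, token = True, False, token[1:]
        elif token.startswith("-"):
            succ, fail, token = False, True, token[1:]
        else:
            succ, fail = True, True          # no prefix: both outcomes
        if token != "all" and token not in KNOWN_CLASSES:
            raise ValueError(f"unknown audit class: {token!r}")
        for cls in (KNOWN_CLASSES if token == "all" else {token}):
            cur_s, cur_f = selected.get(cls, (False, False))
            if remove:   # ^ clears only the halves named by the prefix
                selected[cls] = (cur_s and not succ, cur_f and not fail)
            else:
                selected[cls] = (cur_s or succ, cur_f or fail)
    # Drop classes whose selection was fully removed again.
    return {c: v for c, v in selected.items() if v != (False, False)}


def is_selected(expr, event_class, success):
    """Would an event of event_class with the given outcome be recorded?"""
    succ, fail = parse_selection(expr).get(event_class, (False, False))
    return succ if success else fail
```

With `lo,+ex,-fc` a failed login (a bad password attempt, which is non-attributable) is still recorded because `lo` selects both outcomes, while only successful executions and only failed file creations are kept.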