Chapter 17. Security Event Auditing
The FreeBSD operating system includes support for security event auditing. Event auditing supports reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access. These log records can be invaluable for live system monitoring, intrusion detection, and postmortem analysis. FreeBSD implements Sun(TM)'s published Basic Security Module (BSM) Application Programming Interface (API) and file format, and is interoperable with the Solaris(TM) and Mac OS(R) X audit implementations.
Understand UNIX(R) and FreeBSD basics (crossref:basics[basics,FreeBSD Basics]).
Be familiar with the basics of kernel configuration/compilation (crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]).
Have some familiarity with security and how it pertains to FreeBSD (crossref:security[security,Security]).
The audit facility has some known limitations. Not all security-relevant system events are auditable, and some login mechanisms, such as Xorg-based display managers and third-party daemons, do not properly configure auditing for user login sessions.
The security event auditing facility is able to generate very detailed logs of system activity. On a busy system, trail file data can be very large when configured for high detail, exceeding gigabytes a week in some configurations. Administrators should take into account the disk space requirements associated with high volume audit configurations. For example, it may be desirable to dedicate a file system to [.filename]#/var/audit# so that other file systems are not affected if the audit file system becomes full.
_event_: an auditable event is any event that can be logged using the audit subsystem. Examples of security-relevant events include the creation of a file, the building of a network connection, or a user logging in. Events are either "attributable", meaning that they can be traced to an authenticated user, or "non-attributable". Examples of non-attributable events are any events that occur before authentication in the login process, such as bad password attempts.
_class_: a named set of related events which are used in selection expressions. Commonly used classes of events include "file creation" (fc), "exec" (ex), and "login_logout" (lo).
_record_: an audit log entry describing a security event. Records contain a record event type, information on the subject (user) performing the action, date and time information, information on any objects or arguments, and a success or failure condition.
_trail_: a log file consisting of a series of audit records describing security events. Trails are in roughly chronological order with respect to the time events completed. Only authorized processes are allowed to commit records to the audit trail.
_selection expression_: a string containing a list of prefixes and audit event class names used to match events.
_preselection_: the process by which the system identifies which events are of interest to the administrator, so that no records are generated for events that are not of interest. The preselection configuration uses a series of selection expressions to identify which classes of events to audit for which users, as well as global settings that apply to both authenticated and unauthenticated processes.
_reduction_: the process by which records from existing audit trails are selected for preservation, printing, or analysis. Likewise, the process by which undesired audit records are removed from the audit trail. Using reduction, administrators can implement policies for the preservation of audit data. For example, detailed audit trails might be kept for one month, but after that, trails might be reduced in order to preserve only login information for archival purposes.
User space support for event auditing is installed as part of the base FreeBSD operating system. Kernel support is available in the [.filename]#GENERIC# kernel by default. Enable man:auditd[8] by adding `auditd_enable="YES"` to [.filename]#/etc/rc.conf#, then start the audit daemon:

[source,shell]
....
# service auditd start
....

Users who build a custom kernel must include the following line in the kernel configuration file, otherwise the kernel side of auditing is absent:

[.programlisting]
....
options AUDIT
....
<<event-selection>> summarizes the default audit event classes:
[[event-selection]]
.Default Audit Event Classes
[cols="1,1,3", options="header"]
|===
| Class Name
| Description
| Action

|all
|all
|Match all event classes.

|aa
|authentication and authorization
|

|ad
|administrative
|Administrative actions performed on the system as a whole.

|ap
|application
|Application defined action.

|cl
|file close
|Audit calls to the `close` system call.

|ex
|exec
|Audit program execution. Auditing of command line arguments and environment variables is controlled via man:audit_control[5] using the `argv` and `envv` parameters to the `policy` setting.

|fa
|file attribute access
|Audit the access of object attributes such as man:stat[1] and man:pathconf[2].

|fc
|file create
|Audit events where a file is created as a result.

|fd
|file delete
|Audit events where file deletion occurs.

|fm
|file attribute modify
|Audit events where file attribute modification occurs, such as by man:chown[8], man:chflags[1], and man:flock[2].

|fr
|file read
|Audit events in which data is read or files are opened for reading.

|fw
|file write
|Audit events in which data is written or files are written or modified.

|io
|ioctl
|Audit use of the `ioctl` system call.

|ip
|ipc
|Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations.

|lo
|login_logout
|Audit man:login[1] and man:logout[1] events.

|na
|non attributable
|Audit non-attributable events.

|no
|invalid class
|Match no audit events.

|nt
|network
|Audit events related to network actions such as man:connect[2] and man:accept[2].

|ot
|other
|Audit miscellaneous events.

|pc
|process
|Audit process operations such as man:exec[3] and man:exit[3].
|===
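The selection expressions and preselection described above, modelled in code. This is an added example, not FreeBSD's own implementation: the class names come from the table, while the prefix semantics (none, `+`, `-`, `^`, `^+`, `^-`) and the left-to-right evaluation are assumptions taken from man:audit_control[5]; `parse_flags` and `preselect` are names chosen here.

```python
from typing import Set, Tuple

# Class names and descriptions from the table above ("all"/"no" handled below).
CLASSES = {
    "aa": "authentication and authorization", "ad": "administrative",
    "ap": "application", "cl": "file close", "ex": "exec",
    "fa": "file attribute access", "fc": "file create", "fd": "file delete",
    "fm": "file attribute modify", "fr": "file read", "fw": "file write",
    "io": "ioctl", "ip": "ipc", "lo": "login_logout", "na": "non attributable",
    "nt": "network", "ot": "other", "pc": "process",
}
Masks = Tuple[Set[str], Set[str]]  # (classes audited on success, on failure)

def parse_flags(expr: str) -> Masks:
    """Evaluate a selection expression such as "lo,+ex,-fc,^-lo" entry by entry,
    left to right. Assumed prefixes: none = both outcomes, + = success only,
    - = failure only, ^ = remove instead of add (so ^+ex drops successful ex)."""
    success: Set[str] = set()
    failure: Set[str] = set()
    for tok in expr.split(","):
        tok = tok.strip()
        if not tok:
            continue
        remove = tok.startswith("^")
        tok = tok[1:] if remove else tok
        on_success = on_failure = True
        if tok.startswith("+"):
            on_failure, tok = False, tok[1:]
        elif tok.startswith("-"):
            on_success, tok = False, tok[1:]
        if tok == "all":
            classes = set(CLASSES)
        elif tok == "no":
            classes = set()          # the invalid class matches nothing
        elif tok in CLASSES:
            classes = {tok}
        else:
            raise ValueError(f"unknown audit class {tok!r} in {expr!r}")
        if on_success:
            success = success - classes if remove else success | classes
        if on_failure:
            failure = failure - classes if remove else failure | classes
    return success, failure

def preselect(masks: Masks, event_classes: Set[str], succeeded: bool) -> bool:
    """An event is recorded if any class it belongs to is in the mask for its
    outcome (an event may belong to several classes)."""
    success, failure = masks
    return bool(event_classes & (success if succeeded else failure))
```

The model stops at the class level; the real check also maps each event to its classes via man:audit_event[5] and combines the global flags with per-user entries.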