Part III. System Administration
Security Event Auditing
Synopsis
This chapter focuses on the installation and configuration of event auditing. It explains audit policies and provides an example audit configuration.
After reading this chapter, you will know:
What event auditing is and how it works.
How to configure event auditing on FreeBSD for users and processes.
How to review the audit trail using the audit reduction and review tools.
Before reading this chapter, you should:
Key Terms
The following terms are related to security event auditing:
Audit Configuration
Then, start the audit daemon:
Users who prefer to compile a custom kernel must include the following line in their custom kernel configuration file:
Event Selection Expressions
Selection expressions are used in a number of places in the audit configuration to determine which events should be audited. An expression is a list of event classes to match; each class may carry a prefix that says whether matching events are to be accepted or ignored, and whether only successful or only failed operations are matched. Selection expressions are evaluated from left to right, and two expressions are combined by appending one onto the other.
Default Audit Event Classes
Prefixes for Audit Event Classes
If no prefix is present, both successful and failed instances of the event will be audited.
The following example selection string selects both successful and failed login/logout events, but only successful execution events:
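To make the left-to-right evaluation and prefix rules concrete, here is an added example (written for this page, not code from the FreeBSD Handbook or the FreeBSD audit subsystem) that parses a selection string and decides, for a constructed list of events, which ones would be recorded. The prefix meanings it implements are those documented in audit_control(5) as the example's author understands them: no prefix audits both outcomes, `+` only successes, `-` only failures, `^` removes a class selected earlier, and `^+` / `^-` remove only its successes or failures. The class names `lo`, `ex` and `fc` and the sample string `lo,+ex` are constructed sample input; the script treats class names as opaque labels and does not consult audit_class(5).

```python
"""Evaluate FreeBSD-style audit selection expressions.

Illustrative code, not part of FreeBSD. Prefix semantics are assumed
to follow audit_control(5):
  (none)  audit both successful and failed events of the class
  +       audit only successful events
  -       audit only failed events
  ^       stop auditing the class entirely
  ^+      stop auditing successful events of the class
  ^-      stop auditing failed events of the class
Terms are applied left to right, so a later term can override an earlier one.
"""
import re
from typing import Dict, Set, Tuple

# Longest prefixes first, so "^+ex" is read as "^+" and "ex", not "^" and "+ex".
PREFIXES = ("^+", "^-", "^", "+", "-", "")
CLASS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

# class name -> subset of {"success", "failure"} that is currently audited
Selection = Dict[str, Set[str]]


def parse_term(term: str) -> Tuple[str, str]:
    """Split one comma-separated term into (prefix, class name)."""
    term = term.strip()
    prefix, cls = "", term
    for candidate in PREFIXES:
        if term.startswith(candidate):
            prefix, cls = candidate, term[len(candidate):]
            break
    if not CLASS_RE.match(cls):
        raise ValueError(f"bad selection term: {term!r}")
    return prefix, cls


def evaluate(expr: str) -> Selection:
    """Apply every term of a selection string left to right."""
    sel: Selection = {}
    for raw in expr.split(","):
        if not raw.strip():
            continue  # tolerate an empty field such as a trailing comma
        prefix, cls = parse_term(raw)
        state = sel.setdefault(cls, set())
        if prefix == "":
            state.update({"success", "failure"})
        elif prefix == "+":
            state.add("success")
        elif prefix == "-":
            state.add("failure")
        elif prefix == "^":
            state.clear()
        elif prefix == "^+":
            state.discard("success")
        else:  # "^-"
            state.discard("failure")
    return sel


def combine(*exprs: str) -> Selection:
    """Combine expressions by appending them, as a global and a per-user entry are combined."""
    return evaluate(",".join(e for e in exprs if e.strip()))


def should_audit(sel: Selection, cls: str, succeeded: bool) -> bool:
    """Would an event of this class with this outcome be recorded?"""
    outcome = "success" if succeeded else "failure"
    return outcome in sel.get(cls, set())


if __name__ == "__main__":
    # Constructed sample: lo = login/logout, ex = program execution, fc = file create.
    selection = evaluate("lo,+ex")
    sample_events = [("lo", True), ("lo", False), ("ex", True), ("ex", False), ("fc", True)]
    for cls, ok in sample_events:
        verdict = "audited" if should_audit(selection, cls, ok) else "ignored"
        print(f"{cls} {'success' if ok else 'failure'}: {verdict}")
    # Appending "^-lo" to the same string drops failed logins but keeps the rest.
    print(combine("lo,+ex", "^-lo"))
```

Running the script shows why ordering matters when expressions are appended: a per-user entry placed after the global flags can narrow or widen what the global policy selected, and a term such as `^ex` silently cancels an earlier `ex`, which is worth checking for when reviewing a configuration that audits more or fewer events than expected.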