The audit facility has some known limitations. Not all security-relevant system events are auditable, and some login mechanisms, such as Xorg-based display managers and third-party daemons, do not properly configure auditing for user login sessions.
The security event auditing facility is able to generate very detailed logs of system activity. On a busy system, trail file data can be very large when configured for high detail, exceeding gigabytes a week in some configurations. Administrators should take into account the disk space requirements associated with high volume audit configurations. For example, it may be desirable to dedicate a file system to [.filename]#/var/audit# so that other file systems are not affected if the audit file system becomes full.
_trail_: a log file consisting of a series of audit records describing security events. Trails are in roughly chronological order with respect to the time events completed. Only authorized processes are allowed to commit records to the audit trail.
_preselection_: the process by which the system identifies which events are of interest to the administrator, so that records are not generated for events nobody wants to see. The preselection configuration uses a series of selection expressions to identify which classes of events to audit for which users, as well as global settings that apply to both authenticated and unauthenticated processes.
_reduction_: the process by which records from existing audit trails are selected for preservation, printing, or analysis. Likewise, the process by which undesired audit records are removed from the audit trail. Using reduction, administrators can implement policies for the retention of audit data. For example, detailed audit trails might be kept for one month, but after that, trails might be reduced in order to preserve only login information for archival purposes.
auditd_enable="YES"
options AUDIT
These audit event classes may be customized by modifying the [.filename]#audit_class# and [.filename]#audit_event# configuration files.
lo,+ex
The following configuration files for security event auditing are found in [.filename]#/etc/security#:
[.filename]#audit_class#: contains the definitions of the audit classes.
[.filename]#audit_control#: controls aspects of the audit subsystem, such as default audit classes, minimum disk space to leave on the audit log volume, and maximum audit trail size.
[.filename]#audit_event#: textual names and descriptions of system audit events and a list of which classes each event is in.
[.filename]#audit_user#: user-specific audit requirements to be combined with the global defaults at login.
In most cases, administrators will only need to modify [.filename]#audit_control# and [.filename]#audit_user#. The first file controls system-wide audit properties and policies and the second file may be used to fine-tune auditing by user.
A number of defaults for the audit subsystem are specified in [.filename]#audit_control#. Viewing the file shows entries like the following:
dir:/var/audit
dist:off
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
The `dir` entry is used to set one or more directories where audit logs will be stored. If more than one directory entry appears, they will be used in order as they fill. It is common to configure audit so that audit logs are stored on a dedicated file system, in order to prevent interference between the audit subsystem and other subsystems if the file system fills.
The `flags` field sets the system-wide default preselection mask for attributable events, that is, events that can be tied to an authenticated user. In the example above, `lo,aa` selects both successful and failed login/logout events (`lo`) and authentication and authorization events (`aa`) for all users.
The `naflags` entry specifies the audit classes to be audited for non-attributable events, that is, events that cannot (yet) be tied to an authenticated user, such as those generated by the login process before authentication completes or by system daemons. In the example, the same `lo,aa` classes are selected for these events.
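The preselection expressions used in `flags`, `naflags` and [.filename]#audit_user# share one syntax: a bare class name selects both successful and failed events, a `+` prefix selects only successes, `-` only failures, and a `^` prefix (optionally followed by `+` or `-`) removes bits already selected. At login the per-user `alwaysaudit` field is added to the system-wide `flags` and the `neveraudit` field is then subtracted. The script below is an added example, not code from the FreeBSD Handbook or from OpenBSM; it parses a constructed copy of the [.filename]#audit_control# shown above together with two constructed [.filename]#audit_user# entries and prints the effective mask each user would get. The class names it uses (`lo`, `aa`, `ex`, `fw`, `fr`) are the standard ones from [.filename]#audit_class#; the user entries are invented for illustration.

```python
"""Resolve audit preselection masks from audit_control and audit_user.

Added example for this page, not OpenBSM code. Sample files are constructed.
Prefix rules follow audit_control(5): bare = success+failure, '+' = success,
'-' = failure, '^' / '^+' / '^-' = remove both / success / failure.
"""
from typing import Dict, List, Set, Tuple

Mask = Dict[str, Set[str]]  # class name -> subset of {"success", "failure"}

# Constructed copy of the audit_control shown on this page.
AUDIT_CONTROL = """\
dir:/var/audit
dist:off
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
"""

# Constructed audit_user entries, format username:alwaysaudit:neveraudit.
# "no" is the empty class defined in audit_class, so it strips nothing.
AUDIT_USER = """\
root:lo,+ex:no
operator:fw,fr:-fr
"""


def parse_audit_control(text: str) -> Dict[str, List[str]]:
    """Map each field to its values in file order; 'dir' may repeat."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def parse_flags(expr: str) -> Tuple[Mask, Mask]:
    """Split a preselection expression into masks to add and to remove."""
    add: Mask = {}
    remove: Mask = {}
    for token in (t.strip() for t in expr.split(",")):
        if not token:
            continue
        target = add
        if token.startswith("^"):
            target, token = remove, token[1:]
        if token.startswith("+"):
            bits, name = {"success"}, token[1:]
        elif token.startswith("-"):
            bits, name = {"failure"}, token[1:]
        else:
            bits, name = {"success", "failure"}, token
        if not name:
            raise ValueError(f"class name missing in preselection token {expr!r}")
        target.setdefault(name, set()).update(bits)
    return add, remove


def apply_mask(base: Mask, add: Mask, remove: Mask) -> Mask:
    """Return base with 'add' bits set and 'remove' bits cleared."""
    result: Mask = {name: set(bits) for name, bits in base.items()}
    for name, bits in add.items():
        result.setdefault(name, set()).update(bits)
    for name, bits in remove.items():
        if name in result:
            result[name] -= bits
            if not result[name]:
                del result[name]
    return result


def effective_mask(global_flags: str, always: str, never: str) -> Mask:
    """Login-time merge: (flags | alwaysaudit) minus neveraudit."""
    mask = apply_mask({}, *parse_flags(global_flags))
    mask = apply_mask(mask, *parse_flags(always))
    # neveraudit names what to strip, so its 'add' half is the removal set.
    never_bits, _ = parse_flags(never)
    never_bits.pop("no", None)
    return apply_mask(mask, {}, never_bits)


def resolve_users(control_text: str, user_text: str) -> Dict[str, Mask]:
    """Effective mask per audit_user entry, given the system-wide flags."""
    flags = parse_audit_control(control_text).get("flags", [""])[-1]
    users: Dict[str, Mask] = {}
    for raw in user_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, always, never = (f.strip() for f in line.split(":", 2))
        users[name] = effective_mask(flags, always, never)
    return users


if __name__ == "__main__":
    for user, mask in resolve_users(AUDIT_CONTROL, AUDIT_USER).items():
        print(user, {cls: sorted(bits) for cls, bits in sorted(mask.items())})
```

Running it shows `root` audited for `lo` and `aa` (both outcomes) plus successful `ex` only, while `operator` keeps `fw` for both outcomes but only successful `fr`, because the `-fr` in `neveraudit` removed the failure bit that `alwaysaudit` had set.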