cvs commit: de-docproj/books/handbook/audit chapter.sgml

From: Aron Schlesinger <as(at)doc.bsdgroup.de>
Date: Tue, 21 Aug 2007 04:10:03 GMT

as 2007-08-21 04:10:03 UTC

  FreeBSD ports repository

  Modified files:
    books/handbook/audit chapter.sgml
  Log:
  Added the original Audit chapter so that the translation can be committed on top of it.
  
  Revision Changes Path
  1.3 +709 -20 de-docproj/books/handbook/audit/chapter.sgml
  
  Index: chapter.sgml
  ===================================================================
  RCS file: /home/cvs/de-docproj/books/handbook/audit/chapter.sgml,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -I$FreeBSDde.*$ -r1.2 -r1.3
  --- chapter.sgml 15 Feb 2006 09:51:27 -0000 1.2
  +++ chapter.sgml 21 Aug 2007 04:10:02 -0000 1.3
  @@ -3,29 +3,718 @@
        The FreeBSD German Documentation Project
   
        $FreeBSD$
  - $FreeBSDde: de-docproj/books/handbook/audit/chapter.sgml,v 1.2 2006/02/15 09:51:27 brueffer Exp $
  - basiert auf:
  + $FreeBSDde: de-docproj/books/handbook/audit/chapter.sgml,v 1.3 2007/08/21 04:10:02 as Exp $
  + basiert auf: 1.28
   -->
   
  +<!-- Need more documentation on praudit, auditreduce, etc. Plus more info
  +on the triggers from the kernel (log rotation, out of space, etc).
  +And the /dev/audit special file if we choose to support that. Could use
  +some coverage of integrating MAC with Event auditing and perhaps discussion
  +on how some companies or organizations handle auditing and auditing
  +requirements. -->
  +
   <chapter id="audit">
  + <chapterinfo>
  + <authorgroup>
  + <author>
  + <firstname>Tom</firstname>
  + <surname>Rhodes</surname>
  + <contrib>Written by </contrib>
  + </author>
  + <author>
  + <firstname>Robert</firstname>
  + <surname>Watson</surname>
  + </author>
  + </authorgroup>
  + </chapterinfo>
   
  - <title>Security Event Auditing (noch nicht &uuml;bersetzt)</title>
  + <title>Security Event Auditing</title>
   
  - <para>Dieses Kapitel ist noch nicht &uuml;bersetzt.
  - Lesen Sie bitte <ulink
  - url="&url.books.handbook.en;/audit.html">
  - das Original in englischer Sprache</ulink>. Wenn Sie helfen
  - wollen, dieses Kapitel zu &uuml;bersetzen, senden Sie bitte
  - eine E-Mail an die Mailingliste &a.de.translators;.</para>
  -</chapter>
  + <para>Dieses Kapitel befindet sich in der &Uuml;bersetzung</para>
   
  -<!--
  - Local Variables:
  - mode: sgml
  - sgml-declaration: "../chapter.decl"
  - sgml-indent-data: t
  - sgml-omittag: nil
  - sgml-always-quote-attributes: t
  - sgml-parent-document: ("../book.sgml" "part" "chapter")
  - End:
  --->
  + <sect1 id="audit-synopsis">
  + <title>Synopsis</title>
  +
  + <indexterm><primary>AUDIT</primary></indexterm>
  + <indexterm>
  + <primary>Security Event Auditing</primary>
  + <see>MAC</see>
  + </indexterm>
  +
  + <para>FreeBSD 6.2-RELEASE and later include support for fine-grained
  + security event auditing. Event auditing allows the reliable,
  + fine-grained, and configurable logging of a variety of
  + security-relevant system events, including logins, configuration
  + changes, and file and network access. These log records can be
  + invaluable for live system monitoring, intrusion detection, and
  + postmortem analysis. &os; implements &sun;'s published
  + <acronym>BSM</acronym> API and file format, and is interoperable with
  + both &sun;'s &solaris; and &apple;'s &macos; X audit implementations.</para>
  +
  + <para>This chapter focuses on the installation and configuration of
  + Event Auditing. It explains audit policies, and provides an example
  + audit configuration.</para>
  +
  + <para>After reading this chapter, you will know:</para>
  +
  + <itemizedlist>
  + <listitem>
  + <para>What Event Auditing is and how it works.</para>
  + </listitem>
  +
  + <listitem>
  + <para>How to configure Event Auditing on &os; for users
  + and processes.</para>
  + </listitem>
  +
  + <listitem>
  + <para>How to review the audit trail using the audit reduction and
  + review tools.</para>
  + </itemizedlist>
  +
  + <para>Before reading this chapter, you should:</para>
  +
  + <itemizedlist>
  + <listitem>
  + <para>Understand &unix; and &os; basics
  + (<xref linkend="basics">).</para>
  + </listitem>
  +
  + <listitem>
  + <para>Be familiar with the basics of kernel
  + configuration/compilation
  + (<xref linkend="kernelconfig">).</para>
  + </listitem>
  +
  + <listitem>
  + <para>Have some familiarity with security and how it
  + pertains to &os; (<xref linkend="security">).</para>
  + </listitem>
  + </itemizedlist>
  +
  + <warning>
  + <para>The audit facility in &os; 6.2 is experimental, and production
  + deployment should occur only after careful consideration of the
  + risks of deploying experimental software. Known limitations include
  + that not all security-relevant system events are currently auditable,
  + and that some login mechanisms, such as X11-based display managers
  + and third party daemons, do not properly configure auditing for user
  + login sessions.</para>
  + </warning>
  +
  + <warning>
  + <para>The security event auditing facility is able to generate very
  + detailed logs of system activity: on a busy system, trail file
  + data can be very large when configured for high detail, exceeding
  + gigabytes a week in some configurations. Administrators should take
  + into account disk space requirements associated with high volume
  + audit configurations. For example, it may be desirable to dedicate
  + a file system to the <filename>/var/audit</filename> tree so that
  + other file systems are not affected if the audit file system becomes
  + full.</para>
  + </warning>
  +
  + </sect1>
  +
  + <sect1 id="audit-inline-glossary">
  + <title>Key Terms in this Chapter</title>
  +
  + <para>Before reading this chapter, a few key audit-related terms must be
  + explained:</para>
  +
  + <itemizedlist>
  + <listitem>
  + <para><emphasis>event</emphasis>: An auditable event is any event
  + that can be logged using the audit subsystem.
  + Examples of security-relevant events include the creation of
  + a file, the building of a network connection, or a user logging in.
  + Events are either <quote>attributable</quote>,
  + meaning that they can be traced to an authenticated user, or
  + <quote>non-attributable</quote> if they cannot be.
  + Examples of non-attributable events are any events that occur
  + before authentication in the login process, such as bad password
  + attempts.</para>
  + </listitem>
  +
  + <listitem>
  + <para><emphasis>class</emphasis>: Event classes are named sets of
  + related events, and are used in selection expressions. Commonly
  + used classes of events include <quote>file creation</quote> (fc),
  + <quote>exec</quote> (ex) and <quote>login_logout</quote>
  + (lo).</para>
  + </listitem>
  +
  + <listitem>
  + <para><emphasis>record</emphasis>: A record is an audit log entry
  + describing a security event. Records contain a record event type,
  + information on the subject (user) performing the action,
  + date and time information, information on any objects or
  + arguments, and a success or failure condition.</para>
  + </listitem>
  +
  + <listitem>
  + <para><emphasis>trail</emphasis>: An audit trail, or log file,
  + consists of a series of audit records describing security
  + events. Typically, trails are in roughly chronological
  + order with respect to the time events completed. Only
  + authorized processes are allowed to commit records to the
  + audit trail.</para>
  + </listitem>
  +
  + <listitem>
  + <para><emphasis>selection expression</emphasis>: A selection
  + expression is a string containing a list of prefixes and audit
  + event class names used to match events.</para>
  + </listitem>
  +
  + <listitem>
  + <para><emphasis>preselection</emphasis>: The process by which the
  + system identifies which events are of interest to the administrator
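Review bot: the first itemizedlist in the synopsis (the "After reading this chapter, you will know:" list) is malformed: its third listitem, "How to review the audit trail using the audit reduction and review tools.", runs from `</para>` straight into `</itemizedlist>` with no closing `</listitem>`, so the chapter will not validate (the file's former Local Variables trailer set `sgml-omittag: nil`, and the other two items in the same list close properly). Suggested fix is to insert `</listitem>` between `review tools.</para>` and `</itemizedlist>`. Two smaller points in the same hunk: the placeholder `<para>Dieses Kapitel befindet sich in der &Uuml;bersetzung</para>` is a German sentence left inside an otherwise English chapter body, which is fine as a work-in-progress marker but should be removed once the translation lands; and the hunk deletes the `Local Variables:` comment block at the old end of file while the visible part of the diff does not re-add it, so since the diff is truncated here it is worth confirming that the trailer is restored at the end of the new file.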

----------------------------------------------
Diff block truncated. (Max lines = 200)
----------------------------------------------

To Unsubscribe: send mail to majordomo(at)de.FreeBSD.org
with "unsubscribe de-cvs-doc" in the body of the message
Received on Tue 21 Aug 2007 - 06:12:04 CEST
