Chapter 17. Security Event Auditing

Table of Contents
17.1. Synopsis
17.2. Key Terms - Words to Know
17.3. Installing Audit Support
17.4. Audit Configuration
17.5. Event Audit Administration
Written by Tom Rhodes.

17.1. Synopsis

The FreeBSD 7-CURRENT development branch includes support for Event Auditing based on the POSIX®.1e draft and Sun's published BSM API and file format. Event auditing permits the selective logging of security-relevant system events for the purposes of post-mortem analysis, system monitoring, and intrusion detection. After some settling time in FreeBSD 7-CURRENT, this support will be merged to FreeBSD 6-STABLE and appear in subsequent releases.

Warning: The audit facility in FreeBSD is considered experimental, and production deployment should occur only after careful consideration of the risks of deploying experimental software.

This chapter focuses mainly on the installation and configuration of Event Auditing. An explanation of audit policies and an example configuration are provided for the convenience of the reader.

After reading this chapter, you will know:

Before reading this chapter, you should:

Warning: Event auditing can generate a great deal of log file data, exceeding gigabytes a week in some configurations. An administrator should read this chapter in its entirety to avoid possible self-inflicted DoS attacks due to improper configuration.

The implementation of Event Auditing in FreeBSD is similar to that of the Sun™ Basic Security Module, or BSM library. Thus, the configuration is almost completely interchangeable with that of the Solaris™ and Mac OS X/Darwin operating systems.

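This and other documents can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

For questions about FreeBSD, read the FreeBSD documentation first; if that does not resolve the problem, contact <questions@FreeBSD.org>.
For questions about this documentation, contact <doc@FreeBSD.org>.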