Guide to the Linux Manual




auditd.conf(5)

audit daemon configuration file


Note

In a CAPP environment, the audit trail is considered so important that access to system resources must be denied if an audit trail cannot be created. In this environment, it would be suggested that /var/log/audit be on its own partition. This is to ensure that space detection is accurate and that no other process comes along and consumes part of it.

The flush parameter should be set to sync or data.

Max_log_file and num_logs need to be adjusted so that you get complete use of your partition. It should be noted that the more files that have to be rotated, the longer it takes to get back to receiving audit events. Max_log_file_action should be set to keep_logs.

Space_left should be set to a number that gives the admin enough time to react to any alert message and perform some maintenance to free up disk space. This would typically involve running the aureport -t report and moving the oldest logs to an archive area. The value of space_left is site dependent since the rate at which events are generated varies with each deployment. The space_left_action is recommended to be set to email. If you need something like an snmp trap, you can use the exec option to send one.

Admin_space_left should be set to the amount of disk space on the audit partition needed for admin actions to be recorded. Admin_space_left_action would be set to single so that use of the machine is restricted to just the console.

The disk_full_action is triggered when no more room exists on the partition. All access should be terminated since no more audit capability exists. This can be set to either single or halt.

The disk_error_action should be set to syslog, single, or halt depending on your local policies regarding handling of hardware malfunctions.

Specifying a single allowed client port may make it difficult for the client to restart their audit subsystem, as it will be unable to recreate a connection with the same host addresses and ports until the connection closure TIME_WAIT state times out.

Auditd events are made up of one or more records. The auditd system cannot guarantee that the set of records that make up an event will occur atomically; that is, the stream will have interleaved records of different events, e.g.

event0_record0 event1_record0 event2_record0 event1_record3 event2_record1 event1_record4 event3_record0

The auditd system does not guarantee that the records that make up an event will appear in order. Thus, when processing event streams, we need to maintain a list of events, each with its own list of records, hence List of Lists (LOL) event processing.

When processing an event stream we define the end of an event via

  * record type = AUDIT_EOE (audit end of event type record), or
  * record type = AUDIT_PROCTITLE (we note the AUDIT_PROCTITLE is always the last record), or
  * record type = AUDIT_KERNEL (kernel events are one record events), or
  * record type < AUDIT_FIRST_EVENT (only single record events appear before this type), or
  * record type >= AUDIT_FIRST_ANOM_MSG (only single record events appear after this type), or
  * record type >= AUDIT_MAC_UNLBL_ALLOW && record type <= AUDIT_MAC_CALIPSO_DEL (these are also one record events), or
  * for the stream being processed, the time of the event is over end_of_event_timeout seconds old.
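The List of Lists assembly described above, as an added example that is not part of the man page or the audit project's own code: it groups interleaved records by their (time, serial) key and closes an event using the end-of-event rules listed, including the end_of_event_timeout rule. The log lines are constructed sample input; the numeric type codes are the subset of linux/audit.h values the sample needs.

```python
import re
from collections import OrderedDict

# Numeric record types from linux/audit.h (only the subset this example uses).
TYPE_CODES = {"USER_LOGIN": 1112, "SYSCALL": 1300, "PATH": 1302, "CWD": 1307,
              "EOE": 1320, "PROCTITLE": 1327, "ANOM_PROMISCUOUS": 1700, "KERNEL": 2000}
AUDIT_FIRST_EVENT, AUDIT_FIRST_ANOM_MSG = 1300, 1700
AUDIT_MAC_UNLBL_ALLOW, AUDIT_MAC_CALIPSO_DEL = 1406, 1419
AUDIT_EOE, AUDIT_PROCTITLE, AUDIT_KERNEL = 1320, 1327, 2000

# Constructed sample stream: records of events 101 and 103 are interleaved,
# 103 never receives EOE/PROCTITLE, and 105 arrives five seconds later.
LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3
type=USER_LOGIN msg=audit(1700000000.150:102): pid=900 uid=0 auid=1000 res=success
type=SYSCALL msg=audit(1700000000.200:103): arch=c000003e syscall=2 success=no exit=-13
type=CWD msg=audit(1700000000.100:101): cwd="/root"
type=PATH msg=audit(1700000000.200:103): item=0 name="/etc/shadow" nametype=NORMAL
type=PATH msg=audit(1700000000.100:101): item=0 name="/etc/passwd" nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.100:101): proctitle="cat /etc/passwd"
type=ANOM_PROMISCUOUS msg=audit(1700000000.300:104): dev=eth0 prom=256 old_prom=0
type=SYSCALL msg=audit(1700000005.000:105): arch=c000003e syscall=59 success=yes exit=0
"""
HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")

def ends_event(code):
    """Type-based end-of-event rules from the note (timeout handled separately)."""
    return (code in (AUDIT_EOE, AUDIT_PROCTITLE, AUDIT_KERNEL)
            or code < AUDIT_FIRST_EVENT
            or code >= AUDIT_FIRST_ANOM_MSG
            or AUDIT_MAC_UNLBL_ALLOW <= code <= AUDIT_MAC_CALIPSO_DEL)

def assemble(lines, end_of_event_timeout=2.0):
    """Return [(serial, [record types])] in the order events became complete."""
    open_events, complete, newest = OrderedDict(), [], 0.0
    for line in lines:
        m = HDR.match(line)
        if not m:
            continue
        name, t, serial = m.group(1), float(m.group(2)), int(m.group(3))
        newest = max(newest, t)
        key = (t, serial)                       # audit(time:serial) identifies the event
        open_events.setdefault(key, []).append(name)
        if ends_event(TYPE_CODES.get(name, AUDIT_FIRST_EVENT)):  # unknown: assume multi-record
            complete.append((serial, open_events.pop(key)))
        for k in [k for k in open_events if newest - k[0] > end_of_event_timeout]:
            complete.append((k[1], open_events.pop(k)))   # timeout rule: event too old
    for k in list(open_events):                           # end of stream: flush the rest
        complete.append((k[1], open_events.pop(k)))
    return complete

if __name__ == "__main__":
    for serial, records in assemble(LOG.splitlines()):
        print(serial, records)
```

Event 103 is emitted only when record 105 pushes the stream clock past end_of_event_timeout, which is the behaviour an analyst must expect for events whose closing record is lost.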