User's Guide
Chapter 5. Auditing
This chapter describes how to set up and use system-level event auditing on a Freeway. Auditing helps keep
security high because it lets a system administrator examine the past history of the Freeway system: which
users have logged in and exactly what they did, in complete detail, down to the system calls they made and the
files they accessed.
5.1. Configuring Auditing
The Freeway uses the auditd daemon to record system-level events, and the configuration files in the
/etc/security/ directory control which events are recorded. As with other Freeway configuration changes, the
best and most flexible way to configure system-level event auditing is to put the changes in one central place,
the file /usr/local/freeway/boot.src/rc.startsra, so that they are controlled in one script and preserved when
the Freeway software is upgraded to a new version. That means the lines needed to enable the auditd daemon are
not edited into the configuration files by hand; instead, commands in /usr/local/freeway/boot.src/rc.startsra
insert them into the appropriate files at boot time.
For example, Figure 5-1 shows lines which could be added to a Freeway's
/usr/local/freeway/boot.src/rc.startsra file to configure and enable the auditd daemon:
Figure 5-1. Configure and Enable System-Level Event Auditing
# Audit trail directory: owner may read/write, group may read, others have no access.
if [ ! -d /var/audit ]; then
    mkdir -p -m 750 /var/audit
fi
# Only root may change the audit policy files.
chmod go-w /etc/security
# Record this Freeway's name in the audit trail. Append the host line only if
# it is absent, so a site edit of audit_control is never overwritten.
if /usr/bin/grep "^host:" /etc/security/audit_control >/dev/null; then
    echo "host line already in audit file -- will not tamper with it..."
else
    echo "host:${B_FWY_SERVERNAME}" >> /etc/security/audit_control
fi
# If audit_user file has not been altered by any user (the stock file is
# 5 lines long), then add default settings for the 3 initial login accounts.
if [ 5 = $(wc -l < /etc/security/audit_user) ]; then
echo "#" >> /etc/security/audit_user
echo "# These lines have been added to this file by the" >> /etc/security/audit_user
echo "# /usr/local/freeway/boot.src/rc.startsra command script," >> /etc/security/audit_user
echo "# to configure auditing of the 3 originally-configured" >> /etc/security/audit_user
echo "# Freeway Monitor users. To alter these settings, you should add" >> /etc/security/audit_user
echo "# echo statements in /usr/local/freeway/boot.src/rc.startsra.local," >> /etc/security/audit_user
echo "# rather than edit either /etc/security/audit_user or" >> /etc/security/audit_user
echo "# /ro/etc/security/audit_user directly; using echo statements" >> /etc/security/audit_user
echo "# will ensure that your changes are not lost or altered" >> /etc/security/audit_user
echo "# by any subsequent Freeway or Monitor software install." >> /etc/security/audit_user
echo "# See the echo statements near the end of" >> /etc/security/audit_user
echo "# /usr/local/freeway/boot.src/rc.startsra for examples." >> /etc/security/audit_user
echo "#" >> /etc/security/audit_user
echo "# All users which should be audited must be added here." >> /etc/security/audit_user
echo "#" >> /etc/security/audit_user
echo "user:ex,ap,aa,lo,ad,na,fm,fd,fc,fw,-fr:no" >> /etc/security/audit_user
echo "freeway:ex,ap,aa,lo,ad,na,fm,fd,fc,fw,-fr:no" >> /etc/security/audit_user