This appendix shows the default auditable events file (/etc/sec/audit_events) and the default audit event aliases file (/etc/sec/event_aliases) that are provided with Tru64 UNIX.
B.1 Default Auditable Events File
The default /etc/sec/audit_events file is shown below.
! Audited system calls:
exit                     succeed fail
fork                     succeed fail
old open                 succeed fail
close                    succeed
old creat                succeed fail
link                     succeed fail
unlink                   succeed fail
execv                    succeed fail
chdir                    succeed fail
fchdir                   succeed fail
mknod                    succeed fail
chmod                    succeed fail
chown                    succeed fail
getfsstat                succeed fail
mount                    succeed fail
unmount                  succeed fail
setuid                   succeed fail
exec_with_loader         succeed fail
ptrace                   succeed fail
nrecvmsg                 succeed fail
nsendmsg                 succeed fail
nrecvfrom                succeed fail
naccept                  succeed fail
access                   succeed fail
kill                     succeed fail
old stat                 succeed fail
setpgid                  succeed fail
old lstat                succeed fail
dup                      succeed fail
pipe                     succeed fail
open                     succeed fail
setlogin                 succeed fail
acct                     succeed fail
classcntl                succeed fail
ioctl                    succeed fail
reboot                   succeed fail
revoke                   succeed fail
symlink                  succeed fail
readlink                 succeed fail
execve                   succeed fail
chroot                   succeed fail
old fstat                succeed fail
vfork                    succeed fail
stat                     succeed fail
lstat                    succeed fail
mmap                     succeed fail
munmap                   succeed fail
mprotect                 succeed fail
old vhangup              succeed fail
kmodcall                 succeed fail
setgroups                succeed fail
setpgrp                  succeed fail
table                    succeed fail
sethostname              succeed fail
dup2                     succeed fail
fstat                    succeed fail
fcntl                    succeed fail
setpriority              succeed fail
socket                   succeed fail
connect                  succeed fail
accept                   succeed fail
bind                     succeed fail
setsockopt               succeed fail
recvmsg                  succeed fail
sendmsg                  succeed fail
settimeofday             succeed fail
fchown                   succeed fail
fchmod                   succeed fail
recvfrom                 succeed fail
setreuid                 succeed fail
setregid                 succeed fail
rename                   succeed fail
truncate                 succeed fail
ftruncate                succeed fail
setgid                   succeed fail
sendto                   succeed fail
shutdown                 succeed fail
socketpair               succeed fail
mkdir                    succeed fail
rmdir                    succeed fail
utimes                   succeed fail
adjtime                  succeed fail
sethostid                succeed fail
old killpg               succeed fail
setsid                   succeed fail
pid_unblock              succeed fail
getdirentries            succeed fail
statfs                   succeed fail
fstatfs                  succeed fail
setdomainname            succeed fail
exportfs                 succeed fail
getmnt                   succeed fail
alternate setsid         succeed fail
swapon                   succeed fail
msgctl                   succeed fail
msgget                   succeed fail
msgrcv                   succeed fail
msgsnd                   succeed fail
semctl                   succeed fail
semget                   succeed fail
semop                    succeed fail
lchown                   succeed fail
shmat                    succeed fail
shmctl                   succeed fail
shmdt                    succeed fail
shmget                   succeed fail
utc_adjtime              succeed fail
security                 succeed fail
kloadcall                succeed fail
priocntlset              succeed fail
sigsendset               succeed fail
msfs_syscall             succeed fail
sysinfo                  succeed fail
uadmin                   succeed fail
fuser                    succeed fail
proplist_syscall         succeed fail
ntp_adjtime              succeed fail
audcntl                  succeed fail
setsysinfo               succeed fail
swapctl                  succeed fail
memcntl                  succeed fail
SystemV/unlink           succeed fail
SystemV/open             succeed fail
RT/memlk                 succeed fail
RT/memunlk               succeed fail
RT/psx4_time_drift       succeed fail
RT/rt_setprio            succeed fail

! Audited trusted events:
audit_start              succeed fail
audit_stop               succeed fail
audit_setup              succeed fail
audit_suspend            succeed fail
audit_log_change         succeed fail
audit_log_creat          succeed fail
audit_xmit_fail          succeed fail
audit_reboot             succeed fail
audit_log_overwrite      succeed fail
audit_daemon_exit        succeed fail
login                    succeed fail
logout                   succeed fail
auth_event               succeed fail
audgen8                  succeed fail
net_tcp_stray_packet     succeed fail
net_tcp_syn_timeout      succeed fail
net_udp_stray_packet     succeed fail
net_tcp_rejected_conn    succeed fail

! Audited mach traps:
lw_wire                  succeed fail
lw_unwire                succeed fail
init_process             succeed fail
host_priv_self           succeed fail
semop_fast               succeed fail

! Audited mach ipc events:
task_create              succeed fail
task_terminate           succeed fail
task_threads             succeed fail
thread_terminate         succeed fail
vm_allocate              succeed fail
vm_deallocate            succeed fail
vm_protect               succeed fail
vm_inherit               succeed fail
vm_read                  succeed fail
vm_write                 succeed fail
vm_copy                  succeed fail
vm_region                succeed fail
task_by_unix_pid         succeed fail
bind_thread_to_cpu       succeed fail
task_suspend             succeed fail
task_resume              succeed fail
task_get_special_port    succeed fail
task_set_special_port    succeed fail
thread_create            succeed fail
thread_suspend           succeed fail
thread_resume            succeed fail
thread_set_state         succeed fail
thread_get_special_port  succeed fail
thread_set_special_port  succeed fail
port_allocate            succeed fail
port_deallocate          succeed fail
port_insert_send         succeed fail
port_extract_send        succeed fail
port_insert_receive      succeed fail
port_extract_receive     succeed fail
host_processors          succeed fail
processor_start          succeed fail
processor_exit           succeed fail
processor_set_default    succeed fail
xxx_processor_set_default_priv succeed fail
processor_set_tasks      succeed fail
processor_set_threads    succeed fail
host_processor_set_priv  succeed fail
host_processors_name     succeed fail
host_processor_priv      succeed fail
The sample /etc/sec/event_aliases file provided on Tru64 UNIX systems is shown below.
# This is a SAMPLE alias list. Your alias list should be built to
# satisfy your site's requirements.

obj_creat: "old open" "old creat" link mknod open symlink mkdir SystemV/open
obj_delete:unlink truncate ftruncate SystemV/unlink rmdir
exec:execv exec_with_loader execve
obj_access: access "old stat" "old lstat" "old open" open statfs fstatfs \
    readlink "old fstat" stat lstat fstat close:1:0 dup dup2 fcntl \
    "old creat" mmap munmap mprotect memcntl SystemV/open
obj_modify:chmod chown fchown fchmod lchown utimes rename
ipc: recvmsg nrecvmsg recvfrom nrecvfrom sendmsg nsendmsg sendto accept \
    naccept connect socket bind shutdown socketpair pipe sysV_ipc \
    kill "old killpg" setsockopt sigsendset net_tcp_rejected_conn \
    net_udp_stray_packet
sysV_ipc: msgctl msgget msgrcv msgsnd shmat shmctl shmdt shmget semctl \
    semget semop
proc: exit fork chdir fchdir setuid ptrace setpgid setlogin chroot vfork \
    setgroups setpgrp setpriority setreuid setregid setgid audcntl \
    RT/rt_setprio setsid "alternate setsid" priocntlset
system: getfsstat mount unmount acct reboot table sethostname settimeofday \
    adjtime sethostid setdomainname exportfs getmnt swapon utc_adjtime \
    audcntl setsysinfo kloadcall getdirentries revoke "old vhangup" kmodcall \
    security sysinfo uadmin swapctl
misc:ioctl msfs_syscall fuser
trusted_event:login logout auth_event audgen8
all: obj_creat obj_delete exec obj_access obj_modify ipc proc system misc \
    trusted_event

#+++++++++++++++++++++++++++++++++++++++++++++++++++++
# adjtime is being called once a sec?
profile_audit: audit_start:1:1 audit_stop:1:1 audit_setup:1:1 audit_log_creat:1:1 audit_xmit_fail:1:1 \
    audit_reboot:1:1 audit_log_overwrite:1:1 audit_daemon_exit:1:1 \
    settimeofday:1:1 ntp_adjtime:1:1 utc_adjtime:1:1
profile_net: connect:1:1 accept:1:1 bind:1:1 net_udp_stray_packet:1:1 net_tcp_rejected_conn:1:1
profile_netmon: net_tcp_rejected_conn:1:1 net_tcp_syn_timeout:1:1 net_tcp_stray_packet:1:1 net_udp_stray_packet:1:1
profile_auth:login:1:1 logout:1:1 auth_event:1:1
profile_filesys:mount:1:1 unmount:1:1
profile_creat:"old creat" link mknod symlink mkdir
profile_proc: setuid setgid setlogin chroot \
    setsid "alternate setsid"

# Definition of categories
#================================================================
# Desktop:
# Provides suggested minimal auditing configuration for a single user system. Configuration provides
# monitoring of trusted audit events, no monitoring of files, or network related events.
# ----------------------------------------------------------------------------
# This alias assumes:
# - Local access is primarily interactive login, generally limited to one user
#   at a time, activity tracked and controlled by the system.
# - Individual accountability is primarily maintained by the system.
# - User related file area access is only limited by file owner choice.
#   Browsing is unrestricted.
# - System related file areas are mostly readonly. Browsing is unrestricted.
# - Login uid is converted to username.
# - Access to the network is monitored.
# - Access to controlled files are unmonitored.
Desktop: \
    profile_audit \
    profile_auth

# Servers:
# Provides suggested auditing configuration for a system which is used as a server for networked based
# applications (such as databases, web server, etc.). Configuration provides monitoring of trusted
# events, system files, network related files, and network related events.
# ----------------------------------------------------------------------------
# This alias assumes:
# - Network access is restricted to application (mail, db server, firewall,
#   etc.) controlled access through network mechanisms (tcp/ip reserved port,
#   DECnet objects, etc.) with the application being responsible for tracking
#   activity. Interactive access is strictly controlled by the system, activity
#   is tracked by the system. Application primarily handle access control,
#   system control is secondary.
# - Local access logins are strictly controlled, activity is tracked by the
#   system.
# - Individual accountability is primarily maintained by the applications.
# - User related file area access is strictly limited to application related
#   files. Browsing is controlled.
# - system related file areas are at most readonly for user application related
#   functions. Browsing is controlled by applications.
# - Login uid is converted to username.
# - Access to the network is monitored.
# - Access to controlled files are monitored.
Server: \
    profile_audit \
    profile_auth \
    profile_net \
    profile_filesys \
    profile_proc \
    profile_creat obj_delete obj_modify

# Timesharing:
# Provides suggested minimal auditing configuration for a system which is used to support multiple
# interactive users. Configuration provides monitoring of trusted events, no monitoring of system
# files, or network related events or files.
# ----------------------------------------------------------------------------
# This alias assumes:
# - Local access is primarily interactive login, activity is tracked and
#   controlled by the system.
# - Individual accountability is primarily maintained by the system.
# - Interactive logins are generally unrestricted.
# - User related file area access is only limited by file owner choice.
#   Browsing is unrestricted.
# - System related file areas are mostly readonly. Browsing is unrestricted.
# - Login uid is converted to username.
# - Access to the network is unmonitored.
# - Access to controlled files is unmonitored.
Timesharing: \
    profile_audit \
    profile_auth

# Timesharing_extended_audit:
# Provides suggested auditing configuration for a system which is used to support multiple interactive
# users. Configuration provides monitoring of trusted events, system files, and no monitoring of network
# related events or files.
# ----------------------------------------------------------------------------
# This alias assumes:
# - Local access is primarily interactive login, activity is tracked and
#   controlled by the system.
# - Individual accountability is primarily maintained by the system.
# - Interactive logins are generally unrestricted.
# - User related file area access is only limited by file owner choice.
#   Browsing is unrestricted.
# - System related file areas are mostly readonly. Browsing is unrestricted.
# - Access to the network is monitored.
# - Access to controlled files is monitored.
Timesharing_extended_audit: \
    profile_audit \
    profile_auth \
    profile_filesys \
    profile_proc \
    profile_creat obj_delete obj_modify

# Networked_system:
# Provides suggested auditing configuration for a system which has networking enabled. Should be used in
# conjunction with Desktop, Timesharing, or Timesharing_extended_audit templates. Configuration provides
# monitoring of trusted events, network related files and network related events.
# ----------------------------------------------------------------------------
# This alias assumes:
# - Network access is through application (mail, printer, etc.) controlled
#   network mechanisms (tcp/ip reserved port, DECnet objects, etc.) which are
#   responsible tracking activity and controlling access, and Interactive login
#   with the system tracking activity and controlling access.
# - Access to the network is monitored.
# - Access to controlled files is monitored.
Networked_system: \
    profile_audit \
    profile_auth \
    profile_net \
    profile_creat obj_delete obj_modify

# NIS_server:
# Provides suggested auditing configuration for a system used as a NIS server. Should be used in
# conjunction with Desktop, Timesharing, or Timesharing_extended_audit templates. Configuration provides
# monitoring of trusted events, NIS related files and network related events.
# ----------------------------------------------------------------------------
# This alias assumes:
# - Network access is through application (mail, printer, etc.) controlled
#   network mechanisms (tcp/ip reserved port, DECnet objects, etc.) which are
#   responsible tracking activity and controlling access, and Interactive login
#   with the system tracking activity and controlling access. NIS is enabled.
# - Access to the network is monitored.
# - Access to controlled files is monitored.
NIS_server: \
    profile_audit \
    profile_net \
    profile_creat obj_delete obj_modify
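To see which events a template alias such as Server actually selects once nested aliases (sysV_ipc inside ipc) and per-member succeed/fail flags (close:1:0) are expanded, here is an added Python example; it is not part of the Tru64 manual or its audit tools, it parses a constructed excerpt in the event_aliases format shown above, and it assumes that a member without flags audits both outcomes and that "#" starts a comment, as the sample file's own comment lines do.

```python
import re

# Constructed excerpt in the /etc/sec/event_aliases format (a few aliases from the
# appendix): '\' continuations, "name:succeed:fail" flags, quoted names, nested aliases.
SAMPLE = r'''
# comment line, ignored
obj_delete:unlink truncate ftruncate SystemV/unlink rmdir
obj_access: access "old stat" close:1:0 dup \
    "old creat" mmap
sysV_ipc: msgctl msgget
ipc: recvmsg sysV_ipc \
    kill "old killpg"
profile_auth:login:1:1 logout:1:1 auth_event:1:1
Server: \
    profile_auth \
    obj_delete obj_access ipc
'''

TOKEN = re.compile(r'"[^"]*"(?::\d:\d)?|\S+')            # quoted names may contain spaces
MEMBER = re.compile(r'("[^"]*"|[^:\s]+)(?::(\d):(\d))?')  # name, optional :succeed:fail

def parse_aliases(text):
    """Return {alias: [member token, ...]}, joining '\\' continuations, dropping '#' comments."""
    aliases, pending = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith('\\'):
            pending.append(line[:-1])
            continue
        name, _, body = ' '.join(pending + [line]).partition(':')
        pending = []
        aliases[name.strip()] = TOKEN.findall(body)
    return aliases

def member_flags(token):
    """'close:1:0' -> ('close', 1, 0). Assumption: an unflagged member audits both outcomes."""
    m = MEMBER.fullmatch(token)
    name, succeed, fail = m.group(1).strip('"'), m.group(2), m.group(3)
    return name, int(succeed) if succeed else 1, int(fail) if fail else 1

def resolve(aliases, name, seen=frozenset()):
    """Expand alias `name` into {event: (succeed, fail)}, following nested aliases (cycle-safe)."""
    if name in seen:
        raise ValueError(f'alias cycle at {name!r}')
    events = {}
    for token in aliases[name]:
        event, succeed, fail = member_flags(token)
        if event in aliases:                            # nested alias, e.g. sysV_ipc inside ipc
            events.update(resolve(aliases, event, seen | {name}))
        else:
            events[event] = (succeed, fail)             # a later mention overrides earlier flags
    return events

if __name__ == '__main__':
    for event, (s, f) in sorted(resolve(parse_aliases(SAMPLE), 'Server').items()):
        print(f'{event:16} succeed={s} fail={f}')
```

Run against the real sample file, the same expansion shows that Desktop and Timesharing audit only the trusted and authentication events, while Server additionally pulls in the file-system, process and object-creation profiles.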