Before reading this chapter, a few key terms must be explained. This is intended to clear up any confusion that may occur and to avoid the abrupt introduction of new terms and information.
event: An auditable event is an event that can be logged using the audit subsystem. The administrator can configure which events will be audited. Examples of security-relevant events include the creation of a file, the building of a network connection, or the logging in of a user. Events are either "attributable", meaning that they can be traced back to a user authentication, or "non-attributable". Examples of non-attributable events are any events that occur before authentication has succeeded in the login process, such as failed authentication attempts.
class: Events may be assigned to one or more classes, usually based on the general category of the events, such as "file creation", "file access", or "network". Login and logout events are assigned to the lo class. The use of classes allows the administrator to specify high level auditing rules without having to specify whether each individual auditable operation will be logged.
record: A record is a log entry describing a security event. Records typically have a record event type, information on the subject (user) associated with the event, time information, information on any objects, such as files, and information on whether the event corresponded to a successful operation.
trail: An audit trail, or log file, consists of a series of audit records describing security events. Typically, trails are in roughly chronological order with respect to the time events completed. Only authorized processes are allowed to commit records to the audit trail.
prefix: A prefix is the configuration element placed in front of a class name to toggle auditing of successful and failed events for that class.
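To show how classes and prefixes combine into an auditing decision, here is an added example (not code from the FreeBSD Handbook or the audit subsystem). It assumes the flags syntax documented in audit_control(5): a comma-separated list of class names, where no prefix selects both successful and failed events, "+" selects success only, "-" selects failure only, and "^" removes a selection; the class name table is a constructed subset of audit_class(5).

```python
# Added example: evaluate an audit_control(5) style flags expression and
# decide whether a given event would be committed to the trail.
SUCCESS, FAILURE = 0b01, 0b10

# Constructed subset of the class names defined in audit_class(5).
CLASSES = {"lo": "login_logout", "aa": "authentication", "fc": "file_create",
           "fr": "file_read", "fw": "file_write", "nt": "network",
           "ex": "exec", "all": "all classes"}


def parse_flags(expr):
    """Return {class: mask} for an expression such as "lo,aa,+fc,-fw".

    Prefix semantics: none -> success and failure, '+' -> success only,
    '-' -> failure only, '^' -> remove ('^+lo' drops successful logins).
    """
    selection = {}
    for token in expr.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("^")
        if negate:
            token = token[1:]
        mask = SUCCESS | FAILURE
        if token.startswith("+"):
            mask, token = SUCCESS, token[1:]
        elif token.startswith("-"):
            mask, token = FAILURE, token[1:]
        if token not in CLASSES:
            raise ValueError(f"unknown audit class: {token!r}")
        current = selection.get(token, 0)
        selection[token] = current & ~mask if negate else current | mask
    return selection


def is_audited(selection, event_classes, succeeded):
    """Would an event in event_classes, with this outcome, be recorded?

    The pseudo-class "all" matches every event; an event is logged if any
    of its classes selects the outcome (success or failure).
    """
    wanted = SUCCESS if succeeded else FAILURE
    for cls in set(event_classes) | {"all"}:
        if selection.get(cls, 0) & wanted:
            return True
    return False


if __name__ == "__main__":
    # Constructed policy: audit logins, but not failed ones; failed writes only.
    policy = parse_flags("lo,aa,+fc,-fw,^-lo")
    print(is_audited(policy, ["lo"], succeeded=False))  # False
```

Note that "^-lo" makes the policy drop exactly the failed (non-attributable) login attempts described above, which is usually the opposite of what an investigator wants.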
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.