Audit parameters (set from the sysadmsh System->Audit menu). Only the parameter names and a few of the values survive in this copy of the page; the description of each parameter is not recoverable:

    Write to disk...                          (value mentioned: 1024)
    Wake up daemon...                         (values mentioned: 4, 5, 4096, 5120)
    Collection buffers                        (values mentioned: 4-6)
    Collection/Audit output file switch...    (values mentioned: 50, 1, ulimit)
    Compacted audit output files              (value mentioned: 60)
    Enable audit on system startup            (View)
    Shutdown gracefully on disk full
    Change parameters for this/future session

Summary:

    +---------------------------------------------------------------
    | *** Audit Subsystem Statistics ***
    | Current Audit Session-6
    | Current Collection File Sequence Number-1488
    | Total count of audit data written: 7659433
    | Total count of audit records written: 156666
    | Audit records written by applications: 81
    | Audit records written by system calls: 155083
    | System calls not selected for audit: 751889
    | Total number of audit device reads: 2977
    | Total number of audit device writes: 324
    | Total number of collection files: 1489

Auditing is enabled and disabled from sysadmsh:

    System->Audit->Enable
    System->Audit->Disable

Collection and audit output files are managed from sysadmsh:

    System->Audit->Files
        List
        Backup
        Delete
        Restore

Reports are managed from sysadmsh:

    System->Audit->Report
        List
        View
        Create
        Modify
        Delete
        Generate

Generate runs the report. A report definition carries the selection criteria below (List, View, Create, Modify and Delete operate on the definitions):

    Event types          each event type is marked "Y" (selected) or "N" (not selected)
    Start and Stop times the time window of records to include
    Users/Groups         the users and groups whose records to include
    Files                the file objects whose records to include

The selected records are produced by the reduce program ("reduce Audit Report"). The discussion of record types refers to these system calls: fork(S), open(S), mount(S), link(S), fcntl(S), msgsys(S), shmsys(S), semsys(S); msgsys() covers the IPC calls msgget(S), msgop(S) and msgctl(S). A system-call record reports its result as successful or as an access denial (for example an open(S) that was refused). It also refers to security(S), close(S), dup(S), fcntl(S), read(S), write(S), exec(S), exece(S) and exit(S) when describing how reduce treats records; the value 60 appears in that discussion.

Figure 5-1. Common header of a system-call audit record:

    Process ID: 68
    Date/Time: Sat Mar 5 13:25:09 1988
    Luid: root
    Euid: root
    Ruid: root
    Egid: root
    Rgid: root
    Event type:
    System call:
    Result:

Figure 5-2. Process-related system calls:

    pipe fork kill setuid setgid exit read setpgrp msg sem shm write

Figure 5-3. Successful setuid(S):

    Process ID: 6381
    Date/Time: Tue Mar 15 11:25:19 1988
    Luid: blf
    Euid: blf
    Ruid: root
    Egid: root
    Rgid: root
    Event type: Modify process
    System call: Setuid
    Result: Successful

Figure 5-4. Failed setuid(S):

    Process ID: 6381
    Date/Time: Tue Mar 15 11:25:19 1988
    Luid: blf
    Euid: blf
    Ruid: blf
    Egid: guru
    Rgid: guru
    Event type: Modify process
    System call: Setuid
    Result: Failed (EPERM) -Not owner

Figure 5-5. close(S):

    Process ID: 421
    Date/Time: Sat Mar 5 17:15:09 1988
    Luid: blf
    Euid: blf
    Ruid: blf
    Egid: guru
    Rgid: guru
    Event type: Make object unavailable
    System call: Close
    File Access-Read: Yes Written: No
    Object: /tmp/datafile
    Result: Successful

Figure 5-6. File-related system calls (link(S) and mount(S) name two objects):

    open unlink creat exec chdir mknod chown chmod stat umount exece chroot link mount

The discussion of these records also mentions dup(S).
Figure 5-7. creat(S):

    Process ID: 64
    Date/Time: Sat Mar 5 23:25:09 1988
    Luid: root
    Euid: root
    Ruid: root
    Egid: root
    Rgid: root
    Event type: Object creation
    System call: Creat
    Object: /tmp/daemon.out
    Result: Successful

Figure 5-8. link(S) (two-object record; mount(S) is the other such call):

    Process ID: 14231
    Date/Time: Thu Mar 16 03:25:39 1988
    Luid: lp
    Euid: lp
    Ruid: lp
    Egid: lp
    Rgid: lp
    Event type: Object creation
    System call: Link
    Source: /tmp/printfile
    Target: /usr/spool/lp/lp3014
    Result: Successful

Figure 5-9. chmod(S) (chown(S) produces a record of the same shape, showing old and new values):

    Process ID: 6841
    Date/Time: Sat Mar 5 13:25:09 1988
    Luid: blf
    Euid: blf
    Ruid: blf
    Egid: guru
    Rgid: guru
    Event type: Discretionary Access Change
    System call: Chmod
    Object: /tmp/demo/newfile
    Old values: Owner-blf Group-guru Mode-100600
    New values: Owner-blf Group-guru Mode-100666
    Result: Successful

Figure 5-10. Login/logoff record:

    Process ID: 2812
    Date/Time: Fri Mar 4 10:31:14 1988
    Event type: Login/Logoff Activity
    Action: Successful Login
    Username: blf
    Terminal: /dev/tty2

Figure 5-11. Authentication database record:

    Process ID: 7314
    Date/Time: Tue Mar 1 18:30:44 1988
    Event type: Authentication database activity
    Action: Unsuccessful password change
    Username: blf

Figure 5-12. Authentication database check (authck):

    Process ID: 7314
    Date/Time: Tue Mar 1 18:30:44 1988
    Event type: Authentication database activity
    Command: authck
    Object: Protected password database
    Value: Expected-0 Actual-0
    Security action: /tcb/files/auth/code
    Result: extraneous file in protected password hierarchy

Audit subsystem records are written by audit, sysadmsh and auditd.

Figure 5-13. Audit subsystem record:

    Process ID: 517
    Date/Time: Wed Mar 2 8:30:04 1988
    Event type: Audit subsystem activity
    Action: Audit enabled
Figure 5-14. Authorized subsystem record:

    Process ID: 2812
    Date/Time: Fri Mar 4 10:31:14 1988
    Event type: Authorized subsystem activity
    Subsystem: System Administrator Subsystem
    Security action: Update /etc/rc
    Result: Cannot open for update

Figure 5-15. System administrator record:

    Process ID: 517
    Date/Time: Wed Mar 2 8:30:04 1988
    Event type: System administrator activity
    Action: User account locked by system administrator
    Username: root
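The records in figures 5-1 through 5-15 share one layout: one "Field: value" line per field, a blank line between records, and a report that selects among them by event type, start/stop time, user/group and file. The following Python is an added example, not code from this page or from SCO: it parses records transcribed from figures 5-4, 5-9, 5-10 and 5-11 (a constructed sample), applies those four selection criteria the way a generated report would, and adds two checks a reviewer of such a report wants: records whose result is a failure or denial, and chmod records that widen group/other write permission. The field names are the ones in the figures; the function names and the "_when" key are my own.

```python
import re
from datetime import datetime

# Constructed sample input: records transcribed from figures 5-4, 5-9, 5-10 and 5-11 of this page.
SAMPLE = """\
Process ID: 6381
Date/Time: Tue Mar 15 11:25:19 1988
Luid: blf
Euid: blf
Ruid: blf
Egid: guru
Rgid: guru
Event type: Modify process
System call: Setuid
Result: Failed (EPERM) -Not owner

Process ID: 6841
Date/Time: Sat Mar 5 13:25:09 1988
Luid: blf
Euid: blf
Ruid: blf
Egid: guru
Rgid: guru
Event type: Discretionary Access Change
System call: Chmod
Object: /tmp/demo/newfile
Old values: Owner-blf Group-guru Mode-100600
New values: Owner-blf Group-guru Mode-100666
Result: Successful

Process ID: 2812
Date/Time: Fri Mar 4 10:31:14 1988
Event type: Login/Logoff Activity
Action: Successful Login
Username: blf
Terminal: /dev/tty2

Process ID: 7314
Date/Time: Tue Mar 1 18:30:44 1988
Event type: Authentication database activity
Action: Unsuccessful password change
Username: blf
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # Date/Time layout used in the figures


def parse_records(text):
    """Split report text into records, one dict of 'Field: value' pairs each."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(": ")  # first ': ' only; values may hold ':'
            rec[key.strip()] = value.strip()
        rec["_when"] = datetime.strptime(rec["Date/Time"], TIME_FMT)
        records.append(rec)
    return records


def select(records, event_types=None, users=None, start=None, stop=None, files=None):
    """Apply the report criteria: event types, users, start/stop times, file objects.
    start/stop are strings in TIME_FMT; a record must satisfy every criterion given."""
    lo = datetime.strptime(start, TIME_FMT) if start else None
    hi = datetime.strptime(stop, TIME_FMT) if stop else None
    out = []
    for r in records:
        if event_types and r.get("Event type") not in event_types:
            continue
        if users and not {r.get(k) for k in ("Luid", "Euid", "Ruid", "Username")} & set(users):
            continue
        if lo and r["_when"] < lo or hi and r["_when"] > hi:
            continue
        if files and not {r.get(k) for k in ("Object", "Source", "Target")} & set(files):
            continue
        out.append(r)
    return out


def failures(records):
    """Records whose Result or Action reports a denial or failure."""
    return [r for r in records
            if r.get("Result", "").startswith("Failed")
            or r.get("Action", "").startswith("Unsuccessful")]


def widened_modes(records):
    """Chmod records whose new mode grants group/other write the old mode lacked."""
    found = []
    for r in records:
        if r.get("System call") != "Chmod":
            continue
        old = int(re.search(r"Mode-(\d+)", r["Old values"]).group(1), 8)
        new = int(re.search(r"Mode-(\d+)", r["New values"]).group(1), 8)
        if (new & ~old) & 0o022:
            found.append((r["Object"], oct(old), oct(new)))
    return found
```

The example works on the text layout shown in the figures, not on the collection files themselves; on a real system the report generated from sysadmsh (System->Audit->Report->Generate) supplies that text. The user criterion matches any of Luid, Euid, Ruid or Username, so a setuid record is selected under both the login identity and the identity it switched to; the file criterion matches Object as well as the Source and Target of two-object records such as link(S).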