-, - . . - 5-45 - , . - - . - , - , , - . , . , . , , - - . , . , - . . - -, . , , . , . , - - . - , . , - . - , - , - . . - , . - - , , - ; , . , , , , . .    (audit collection file) - , - ; , - , , . . - 5-46 -  (audit compaction file) - , ; , - . - , , .  (audit daemon) - -, . - , - . - , .  (audit session) -  - . , - . , , , . , - .  (audit subsystem)  - , . - , , , .  (audit trail) -  , .  (audit reduction) - - , - , , . - . configaudit - , - .  (event control mask) - , - . , - , , - . - .  (event disposition mask) - - , - . - - , - , - . , . . - 5-47 -  (event type) -  - . , , , - . - , , - . .  (object) - , (- , , , , - , ). - (post-selection) -  . - , . - , , - .  (pre-selection)  . , . - , , .  (selection files)  - . - , .  (subject) -  , , - , , - . suspendaudit - , - .  (system audit mask) -  , ; - , , - .  (user audit mask) -  , - , , . writeaudit - , - . . - 5-48 -   - , , - UNIX. - . - SGID SUID - , , .. . - , .. . , - , sticky- - . - .  SUID/SGID sticky-  SUID, SGID sticky- , . , SUID/SGID , . :
$ id
uid=76(blf) gid=11(guru)
$ ls -l myprogram
-rwsrwsrwt 1 root bin 10240 Jan 11 22:45 myprogram
$ cat sneakyprog > myprogram
$ ls -l myprogram
-rwxrwxrwx 1 root bin 10240 Mar 18 14:18 myprogram
$
$ ls -l anotherprog
-rws------ 1 blf guru 83706 Dec 15 1987 anotherprog
$ strip anotherprog
$ ls -l anotherprog
-rwx------ 1 blf guru 17500 Mar 18 14:19 anotherprog
$
, , . , , . , . - , . , sticky- , , . , . - 5-49 - - , , , - . SUID, SGID sticky . SUID SGID , - sticky- . . Sticky-  sticky- . sticky- , - -. . sticky- -. Sticky- , sticky- , , - chmod(C) chmod(S). , sticky-, . , sticky- . , - . , sticky-, umask, 077 (, ), . . , - , - . .
$ id
uid=76(blf) gid=11(guru)
$ ls -al /tmp
total 64
drwxrwxrwt 2 bin bin 1088 Mar 18 21:10 .
dr-xr-xr-x 19 bin bin 608 Mar 18 11:50 ..
-rw------- 1 blf guru 19456 Mar 18 21:18 Ex16566
-rw------- 1 blf guru 10240 Mar 18 21:18 Rx16566
-rwxr-xr-x 1 blf guru 19587 Mar 17 19:41 mine
-rw------- 1 blf guru 279 Mar 17 19:41 mytemp
-rw-rw-rw- 1 root sys 35 Mar 16 12:27 openfile
-rw------- 1 root root 32 Mar 10 10:26 protfile
$ rm /tmp/Ex16566
rm: /tmp/Ex16566 not removed. Permission denied ( ... . )
$ rm /tmp/protfile
rm: /tmp/protfile not removed. Permission denied
$ cat /tmp/openfile
Ha! Ha! You can't remove me. (-! )
$ rm /tmp/openfile
. - 5-50 -
rm: /tmp/openfile not removed. Permission denied
$ rm -f /tmp/openfile
$ rm /tmp/mine mytemp
$ ls -l /tmp
drwxrwxrwt 2 bin bin 1088 Mar 18 21:19 .
dr-xr-xr-x 19 bin bin 608 Mar 18 11:50 ..
-rw------- 1 blf guru 19456 Mar 18 21:18 Ex16566
-rw------- 1 blf guru 10240 Mar 18 21:18 Rx16566
-rw-rw-rw- 1 root sys 35 Mar 16 12:27 openfile
-rw------- 1 root root 32 Mar 10 10:26 protfile
$ cp /dev/null /tmp/openfile
$ cat /tmp/openfile
$ cp /dev/null /tmp/protfile
cp: cannot create /tmp/protfile (cp )
$ ls -l /tmp
drwxrwxrwt 2 bin bin 1088 Mar 18 21:19 .
dr-xr-xr-x 19 bin bin 608 Mar 18 11:50 ..
-rw------- 1 blf guru 19456 Mar 18 21:18 Ex16566
-rw------- 1 blf guru 10240 Mar 18 21:18 Rx16566
-rw-rw-rw- 1 root sys 0 Mar 18 21:19 openfile
-rw------- 1 root root 32 Mar 10 10:26 protfile
$
- , blf, - . , /tmp/openfile. - blf ; umask . , /tmp/protfile sticky- /tmp /tmp/protfile . sticky-. ( ):
* /tmp
* /usr/tmp
* /usr/spool/uucppublic
, sticky- , . - sticky- ( directory - ):
chmod u+t directory
. - 5-51 -   - , (Protected Domain), SUID - . SUID , , , SUID, . promain(M) " " (User's Reference). auths(C) setauths(S). - , SUID4; . , - .   , , . , - .  . /etc/passwd  /etc/group , . - , - . - , , - . tar(C) -o, . - . cpio(C) , -. , , . , , , - SUID, SGID sticky. - . , - , , . , -tv tar -tv cpio - . . - 5-52 - , . - , .   , - , , . . : . : . , , - . - . , - . mount(ADM) - . fsck(ADM) -  . -   ,  System-> Software->Permissions. , . - , - - , sticky-, , SUID/SGID , - . - , .
SUID, SGID sticky, , - , . -s ncheck(ADM), . - , , - . - , , - . , . . - 5-53 -   - crypt(C). " " " " (User's Guide).  , . .  GID  (GID) - GID /- . , GID - . GID , GID . GID - , ( directory - ): chmod g+s directory . - 5-54 -   , , . , . , . /etc/fsck , , . , - , fsck, . fsck - . , fsck , "" (quiescent). , . , fsck - 1lost+found3  , , - . fsck sysadmsh: Filesystems->Check , .   . - . - , , , . . - 5-55 -   , , . - , , , . - , , - : 1. . 2. . 3. . 4. . , "- ". (  Single-user,  S), init(M).   , , , - - . - . authcap(F) " " (User's Reference).  - . sysadmsh(ADM) - , . - . . , - ( , - , - )  . , auth. . . - 5-56 - . , - , / - , , - . - , , - - - - . , . , /dev/ttya /dev/ttyA - , - - . init(M) getty(M), - , - . . - - ( /etc/passwd) - , - . - - , - , - , - . - , ( , ) . . ( , , - ..). - - , - . - , - , . - 5-57 - - . - - . , - - . , - - , , . -  (TCB). , TCB. TCB. integrity(ADM) TCB .   - authck(ADM). , - . - -a - , authck crontab at. authck(ADM).   integrity(ADM) . ( sysadmin, -.) - , , . , : // ? ? ( - -e integrity.) . - 5-58 - ? ? ? , . - , , integrity, . -e integrity () . -m , - , . - . integrity . - , - . , , - integrity -m , - . , - , . -v integrity , , . . , , - , . . - 5-59 -  ,  , . , , - .   , - , , . Login incorrect. ( ) . , , , - , . Account is disabled - see Authentification Administrator. ( - ) . 1. Accounts-> User->Examine:Logins sysadmsh. - , , - . 2. . . , . . 3. , , - . - . - . , - , - - , . , , - , , . . - 5-60 - Terminal is disabled - see Authentification Administrator. ( - ) . , sysadmsh, - ( - ) , - . , - , sysadmsh . Account is disabled but console login is allowed. Terminal is disabled but root login is allowed. ( , ; , root) - - . , - ( ) , - , , -- . - , . , - , , . , - , , - , , . - , -.   :  ,   , - -  -. , , , - - -. . Audit: file system is getting full (: ) - , - . , . , - , - . () - . . - auditd. . - 5-61 - , - -. - System->Audit->Disable sysadmsh , . , . Authentication database contains an inconsistency ( ) , TCB . . - , , - , , - , ; . 
, - . , . , , - . , - , ,  .   You do not have authorization to run ... . ( ...) . - , / . , Accounts->User->Examine->Authorizations sysadmsh, . :  -  , - .  , ,  . . , - . - , - . . - 5-62 -   - , - , , . ,