Date: Fri, 10 May 2013 11:55:41 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41589 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit
Message-ID: <201305101155.r4ABtfO6053742@svn.freebsd.org>
Author: dru Date: Fri May 10 11:55:40 2013 New Revision: 41589 URL: http://svnweb.freebsd.org/changeset/doc/41589 Log: White space fix only. Translators can ignore. Approved by: bcr (mentor) Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml ============================================================================== --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Fri May 10 11:40:22 2013 (r41588) +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Fri May 10 11:55:40 2013 (r41589) @@ -60,8 +60,8 @@ requirements. --> </listitem> <listitem> - <para>How to configure Event Auditing on &os; for users - and processes.</para> + <para>How to configure Event Auditing on &os; for users and + processes.</para> </listitem> <listitem> @@ -85,8 +85,8 @@ requirements. --> </listitem> <listitem> - <para>Have some familiarity with security and how it - pertains to &os; (<xref linkend="security"/>).</para> + <para>Have some familiarity with security and how it pertains + to &os; (<xref linkend="security"/>).</para> </listitem> </itemizedlist> @@ -104,9 +104,9 @@ requirements. --> Administrators should take into account disk space requirements associated with high volume audit configurations. For example, it may be desirable to dedicate a file system to - the <filename class="directory">/var/audit</filename> tree so that other file - systems are not affected if the audit file system becomes - full.</para> + the <filename class="directory">/var/audit</filename> tree + so that other file systems are not affected if the audit file + system becomes full.</para> </warning> </sect1> 
@@ -133,9 +133,9 @@ requirements. --> <listitem> <para><emphasis>class</emphasis>: Event classes are named sets of related events, and are used in selection expressions. - Commonly used classes of events include - <quote>file creation</quote> (fc), <quote>exec</quote> (ex) - and <quote>login_logout</quote> (lo).</para> + Commonly used classes of events include <quote>file + creation</quote> (fc), <quote>exec</quote> (ex) and + <quote>login_logout</quote> (lo).</para> </listitem> <listitem> @@ -199,8 +199,8 @@ requirements. --> <programlisting>options AUDIT</programlisting> <para>Rebuild and reinstall - the kernel via the normal process explained in - <xref linkend="kernelconfig"/>.</para> + the kernel via the normal process explained in <xref + linkend="kernelconfig"/>.</para> <para>Once an audit-enabled kernel is built, installed, and the system has been rebooted, enable the audit daemon by adding the @@ -249,10 +249,10 @@ requirements. --> <listitem> <para><filename>audit_warn</filename> - A customizable shell - script used by &man.auditd.8; to generate - warning messages in exceptional situations, such as when - space for audit records is running low or when the audit - trail file has been rotated.</para> + script used by &man.auditd.8; to generate warning messages + in exceptional situations, such as when space for audit + records is running low or when the audit trail file has + been rotated.</para> </listitem> </itemizedlist> @@ -400,8 +400,8 @@ requirements. --> </itemizedlist> <para>These audit event classes may be customized by modifying - the <filename>audit_class</filename> and - <filename>audit_event</filename> configuration files.</para> + the <filename>audit_class</filename> and <filename>audit_ + event</filename> configuration files.</para> <para>Each audit class in the list is combined with a prefix indicating whether successful/failed operations are matched, 
@@ -451,11 +451,10 @@ requirements. --> <title>Configuration Files</title> <para>In most cases, administrators will need to modify only two - files when configuring the audit system: - <filename>audit_control</filename> and - <filename>audit_user</filename>. The first controls - system-wide audit properties and policies; the second may be - used to fine-tune auditing by user.</para> + files when configuring the audit system: <filename>audit_ + control</filename> and <filename>audit_user</filename>. + The first controls system-wide audit properties and policies; + the second may be used to fine-tune auditing by user.</para> <sect3 id="audit-auditcontrol"> <title>The <filename>audit_control</filename> File</title> @@ -489,9 +488,9 @@ filesz:0</programlisting> will be generated. The above example sets the minimum free space to twenty percent.</para> - <para>The <option>naflags</option> specifies audit - classes to be audited for non-attributed events, such as the - login process and system daemons.</para> + <para>The <option>naflags</option> specifies audit classes + to be audited for non-attributed events, such as the login + process and system daemons.</para> <para>The <option>policy</option> entry specifies a comma-separated list of policy flags controlling various 
@@ -517,13 +516,12 @@ filesz:0</programlisting> <para>The administrator can specify further audit requirements for specific users in <filename>audit_user</filename>. - Each line configures auditing for a user - via two fields: the first is the - <literal>alwaysaudit</literal> field, which specifies a set - of events that should always be audited for the user, and - the second is the <literal>neveraudit</literal> field, which - specifies a set of events that should never be audited for - the user.</para> + Each line configures auditing for a user via two fields: + the first is the <literal>alwaysaudit</literal> field, + which specifies a set of events that should always be + audited for the user, and the second is the + <literal>neveraudit</literal> field, which specifies a set + of events that should never be audited for the user.</para> <para>The following example <filename>audit_user</filename> audits login/logout events and successful command @@ -552,15 +550,13 @@ www:fc,+ex:no</programlisting> &man.praudit.1; command converts trail files to a simple text format; the &man.auditreduce.1; command may be used to reduce the audit trail file for analysis, archiving, or printing - purposes. A variety of selection - parameters are supported by &man.auditreduce.1;, - including event type, event class, + purposes. A variety of selection parameters are supported by + &man.auditreduce.1;, including event type, event class, user, date or time of the event, and the file path or object acted on.</para> - <para>For example, &man.praudit.1; will - dump the entire contents of a specified audit log in plain - text:</para> + <para>For example, &man.praudit.1; will dump the entire + contents of a specified audit log in plain text:</para> <screen>&prompt.root; <userinput>praudit /var/audit/AUDITFILE</userinput></screen> 
@@ -569,11 +565,11 @@ www:fc,+ex:no</programlisting> the audit log to dump.</para> <para>Audit trails consist of a series of audit records made up - of tokens, which &man.praudit.1; prints - sequentially one per line. Each token is of a specific type, - such as <literal>header</literal> holding an audit record - header, or <literal>path</literal> holding a file path from a - name lookup. The following is an example of an + of tokens, which &man.praudit.1; prints sequentially one per + line. Each token is of a specific type, such as + <literal>header</literal> holding an audit record header, or + <literal>path</literal> holding a file path from a name + lookup. The following is an example of an <literal>execve</literal> event:</para> <programlisting>header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec @@ -606,8 +602,7 @@ trailer,133</programlisting> concludes the record.</para> <para><acronym>XML</acronym> output format is also supported by - &man.praudit.1;, - and can be selected using + &man.praudit.1;, and can be selected using <option>-x</option>.</para> </sect2> @@ -629,10 +624,10 @@ trailer,133</programlisting> <title>Delegating Audit Review Rights</title> <para>Members of the <groupname>audit</groupname> group are - given permission to read audit trails in - <filename class="directory">/var/audit</filename>; by default, this group is - empty, so only the <username>root</username> user may read - audit trails. Users may be added to the + given permission to read audit trails in <filename + class="directory">/var/audit</filename>; by default, this + group is empty, so only the <username>root</username> user + may read audit trails. Users may be added to the <groupname>audit</groupname> group in order to delegate audit review rights to the user. As the ability to track audit log contents provides significant insight into the behavior of 
@@ -674,9 +669,9 @@ trailer,133</programlisting> SSH session, then a continuous stream of audit events will be generated at a high rate, as each event being printed will generate another event. It is advisable to run - &man.praudit.1; on an audit pipe device from - sessions without fine-grained I/O auditing in order to avoid - this happening.</para> + &man.praudit.1; on an audit pipe device from sessions + without fine-grained I/O auditing in order to avoid this + happening.</para> </warning> </sect2> 
@@ -684,24 +679,23 @@ trailer,133</programlisting> <title>Rotating Audit Trail Files</title> <para>Audit trails are written to only by the kernel, and - managed only by the audit daemon, - &man.auditd.8;. Administrators should not - attempt to use &man.newsyslog.conf.5; or other tools to - directly rotate audit logs. Instead, the - &man.audit.8; management tool may be used to shut - down auditing, reconfigure the audit system, and perform log - rotation. The following command causes the audit daemon to - create a new audit log and signal the kernel to switch to - using the new log. The old log will be terminated and - renamed, at which point it may then be manipulated by the - administrator.</para> + managed only by the audit daemon, &man.auditd.8;. + Administrators should not attempt to use + &man.newsyslog.conf.5; or other tools to directly rotate + audit logs. Instead, the &man.audit.8; management tool may + be used to shut down auditing, reconfigure the audit system, + and perform log rotation. The following command causes the + audit daemon to create a new audit log and signal the kernel + to switch to using the new log. The old log will be + terminated and renamed, at which point it may then be + manipulated by the administrator.</para> <screen>&prompt.root; <userinput>audit -n</userinput></screen> <warning> - <para>If &man.auditd.8; is not - currently running, this command will fail and an error - message will be produced.</para> + <para>If &man.auditd.8; is not currently running, this + command will fail and an error message will be + produced.</para> </warning> <para>Adding the following line to 
@@ -710,8 +704,8 @@ trailer,133</programlisting> <programlisting>0 */12 * * * root /usr/sbin/audit -n</programlisting> - <para>The change will take effect once you have saved the - new <filename>/etc/crontab</filename>.</para> + <para>The change will take effect once you have saved the new + <filename>/etc/crontab</filename>.</para> <para>Automatic rotation of the audit trail file based on file size is possible using <option>filesz</option> in
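Review bot: in the @@ -400,8 +400,8 @@ hunk the reflow splits an element's content across lines, leaving `<filename>audit_` at the end of one `+` line and `event</filename>` at the start of the next; the newline and the indentation that follows it are part of the element content, so the rendered handbook will show "audit_ event" instead of the file name audit_event, and the change is no longer whitespace-only as the log message states. Keep `<filename>audit_event</filename>` whole on one line and wrap before the element, for example: `the <filename>audit_class</filename> and` / `<filename>audit_event</filename> configuration files.</para>`.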
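Review bot: the @@ -451,11 +451,10 @@ hunk has the same problem with `<filename>audit_` / `control</filename>`: the line break lands inside the element content, so readers will see "audit_ control" where the text means the audit_control file, and translators who are told to ignore this revision would never notice. Move the break outside the element, e.g. `files when configuring the audit system:` / `<filename>audit_control</filename> and <filename>audit_user</filename>.`, so that the revision really is a whitespace-only change.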