From owner-cvs-doc@FreeBSD.ORG Sat Feb 4 20:54:08 2006
Message-Id: <200602042054.k14Ks8EO055235@repoman.freebsd.org>
From: Robert Watson <rwatson@FreeBSD.org>
Date: Sat, 4 Feb 2006 20:54:08 +0000 (UTC)
To: doc-committers@FreeBSD.org, cvs-doc@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: doc/en_US.ISO8859-1/books/handbook/audit chapter.sgml
List-Id: CVS commit messages for the doc and www trees

rwatson     2006-02-04 20:54:08 UTC

  FreeBSD doc repository

  Modified files:
    en_US.ISO8859-1/books/handbook/audit chapter.sgml

  Log:
  Some edits of the audit handbook chapter:

  - Rename section "Security Event Auditing" from "Kernel Event Auditing" --
    while most of our events are currently generated by the kernel, the
    intent is that it will be whole system auditing.

  - More carefully distinguish our implementation being based on Sun's
    published API and file format, and not their implementation.

  - Clarify a few more things audit can be used for, including post-mortem
    analysis and intrusion detection.

  - Mention Mac OS X compatibility in addition to Darwin.

  - Sort glossary slightly differently -- events before classes, since
    classes are defined in terms of events. Tweak definition and examples.
    Mention non-attributable vs attributable here. Mention that classes
    allow administrators to specify auditing requirements at a high level.
    Describe contents of a record. Define 'trail'.

  - Since audit is now part of the base system, remove directions for
    installing files, etc, since complete installs should have them, and if
    they don't, the user should seek support.

  - Mention that audit trails are happiest on a file system of their own.

  - Update example flags option in audit_control -- add information on the
    new default, but keep the current example because the new default
    doesn't reflect the scope of possible expressions, whereas the earlier
    example did.

  - Rephrase paragraph on avoiding directly manipulating logs in order to
    explain that this is because the kernel/daemon own the log until it is
    terminated.

  - Correct example: auditreduce just reduces, not prints, so |praudit is
    needed or the user will experience the power of raw BSM's effects on his
    or her terminal.

  Much suggested by:    brueffer
  Reviewed by:          brueffer

  Revision  Changes    Path
  1.8       +78 -46    doc/en_US.ISO8859-1/books/handbook/audit/chapter.sgml