From owner-svn-doc-projects@FreeBSD.ORG Thu May 9 20:59:53 2013
Return-Path:
Delivered-To: svn-doc-projects@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 533F339F; Thu, 9 May 2013 20:59:53 +0000 (UTC) (envelope-from dru@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 4467317F; Thu, 9 May 2013 20:59:53 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r49KxrWr037202; Thu, 9 May 2013 20:59:53 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r49KxrW3037201; Thu, 9 May 2013 20:59:53 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201305092059.r49KxrW3037201@svn.freebsd.org>
From: Dru Lavigne Date: Thu, 9 May 2013 20:59:53 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org Subject: svn commit: r41585 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit X-SVN-Group: doc-projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-projects@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for doc projects trees List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 May 2013 20:59:53 -0000 Author: dru Date: Thu May 9 20:59:52 2013 New Revision: 41585 URL: http://svnweb.freebsd.org/changeset/doc/41585 Log: This patch addresses the following: - fixes command/application tags with entities - fixes redundancy A subsequent patch will fix outstanding white space issues. Approved by: bcr (mentor) Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml ============================================================================== --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Thu May 9 20:56:48 2013 (r41584) +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Thu May 9 20:59:52 2013 (r41585) @@ -249,7 +249,7 @@ requirements. --> audit_warn - A customizable shell - script used by auditd to generate + script used by &man.auditd.8; to generate warning messages in exceptional situations, such as when space for audit records is running low or when the audit trail file has been rotated. 
@@ -460,9 +460,8 @@ requirements. --> The <filename>audit_control</filename> File - The audit_control file specifies a - number of defaults for the audit subsystem. Viewing the - contents of this file, we see the following: + A number of defaults for the audit subsystem are + specified in audit_control: dir:/var/audit flags:lo @@ -471,7 +470,7 @@ naflags:lo policy:cnt filesz:0 - The option is used to set one or + The entry is used to set one or more directories where audit logs will be stored. If more than one directory entry appears, they will be used in order as they fill. It is common to configure audit so that audit @@ -484,17 +483,17 @@ filesz:0 example above, successful and failed login and logout events are audited for all users. - The option defines the minimum + The entry defines the minimum percentage of free space for the file system where the audit trail is stored. When this threshold is exceeded, a warning will be generated. The above example sets the minimum free space to twenty percent. - The option specifies audit + The specifies audit classes to be audited for non-attributed events, such as the login process and system daemons. - The option specifies a + The entry specifies a comma-separated list of policy flags controlling various aspects of audit behavior. The default cnt flag indicates that the system should @@ -504,7 +503,7 @@ filesz:0 to the &man.execve.2; system call to be audited as part of command execution. - The option specifies the maximum + The entry specifies the maximum size in bytes to allow an audit trail file to grow to before automatically terminating and rotating the trail file. The default, 0, disables automatic log rotation. If the 
@@ -516,9 +515,9 @@ filesz:0 The <filename>audit_user</filename> File - The audit_user file permits the - administrator to specify further audit requirements for - specific users. Each line configures auditing for a user + The administrator can specify further audit requirements + for specific users in audit_user. + Each line configures auditing for a user via two fields: the first is the alwaysaudit field, which specifies a set of events that should always be audited for the user, and @@ -527,14 +526,14 @@ filesz:0 the user. The following example audit_user - file audits login/logout events and successful command - execution for the root user, and audits - file creation and successful command execution for the - www user. If used with the example - audit_control file above, the + audits login/logout events and successful command + execution for root, and audits + file creation and successful command execution for + www. If used with the above example + audit_control, the lo entry for root is redundant, and login/logout events will also be audited for - the www user. + www. root:lo,+ex:no www:fc,+ex:no @@ -553,12 +552,13 @@ www:fc,+ex:no &man.praudit.1; command converts trail files to a simple text format; the &man.auditreduce.1; command may be used to reduce the audit trail file for analysis, archiving, or printing - purposes. auditreduce supports a variety - of selection parameters, including event type, event class, + purposes. A variety of selection + parameters are supported by &man.auditreduce.1;, + including event type, event class, user, date or time of the event, and the file path or object acted on. - For example, the praudit utility will + For example, &man.praudit.1; will dump the entire contents of a specified audit log in plain text: 
@@ -569,7 +569,7 @@ www:fc,+ex:no the audit log to dump. Audit trails consist of a series of audit records made up - of tokens, which praudit prints + of tokens, which &man.praudit.1; prints sequentially one per line. Each token is of a specific type, such as header holding an audit record header, or path holding a file path from a @@ -605,9 +605,10 @@ trailer,133 successful execution, and the trailer concludes the record. - praudit also supports - an XML output format, which can be selected using the - argument. + XML output format is also supported by + &man.praudit.1;, + and can be selected using + . @@ -619,10 +620,9 @@ trailer,133 &prompt.root; auditreduce -u trhodes /var/audit/AUDITFILE | praudit - This will select all audit records produced for the user - trhodes stored in the - AUDITFILE - file. + This will select all audit records produced for + trhodes stored in + AUDITFILE. @@ -674,7 +674,7 @@ trailer,133 SSH session, then a continuous stream of audit events will be generated at a high rate, as each event being printed will generate another event. It is advisable to run - praudit on an audit pipe device from + &man.praudit.1; on an audit pipe device from sessions without fine-grained I/O auditing in order to avoid this happening. @@ -685,10 +685,10 @@ trailer,133 Audit trails are written to only by the kernel, and managed only by the audit daemon, - auditd. Administrators should not + &man.auditd.8;. Administrators should not attempt to use &man.newsyslog.conf.5; or other tools to directly rotate audit logs. Instead, the - audit management tool may be used to shut + &man.audit.8; management tool may be used to shut down auditing, reconfigure the audit system, and perform log rotation. The following command causes the audit daemon to create a new audit log and signal the kernel to switch to 
@@ -699,7 +699,7 @@ trailer,133 &prompt.root; audit -n - If the auditd daemon is not + If &man.auditd.8; is not currently running, this command will fail and an error message will be produced. @@ -714,7 +714,7 @@ trailer,133 new /etc/crontab. Automatic rotation of the audit trail file based on file - size is possible via the option in + size is possible using in &man.audit.control.5;, and is described in the configuration files section of this chapter.
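Review bot: in the @@ -484,17 +483,17 hunk the naflags sentence now reads "The specifies audit classes to be audited for non-attributed events", dropping the word "entry" that every sibling sentence in this block keeps ("The entry defines the minimum percentage of free space", "The entry specifies a comma-separated list of policy flags", "The entry specifies the maximum size in bytes"). Suggest "The entry specifies audit classes to be audited for non-attributed events" so that all of the audit_control entries are described in parallel.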
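Review bot: in the @@ -527,14 +526,14 hunk the phrase "If used with the above example audit_control, the lo entry for root is redundant" reads awkwardly because "above" now sits between "the" and "example"; the original word order, "If used with the example audit_control above, the lo entry for root is redundant", keeps the "file" redundancy fix from the log message while reading naturally.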
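Review bot: in the @@ -553,12 +552,13 hunk the rewrite to "A variety of selection parameters are supported by &man.auditreduce.1;, including event type, event class, user, ..." trades the original active sentence for a passive one solely to avoid starting the sentence with the command name. The log message says the goal is to replace bare application tags with entities, and the active form does that with less churn: "&man.auditreduce.1; supports a variety of selection parameters, including event type, event class, user, date or time of the event, and the file path or object acted on."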
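Review bot: in the @@ -605,9 +605,10 hunk the new sentence "XML output format is also supported by &man.praudit.1;, and can be selected using ." drops the article "an" that the original "praudit also supports an XML output format" had, in addition to switching to the passive voice. Suggest keeping the original sentence and only swapping in the entity: "&man.praudit.1; also supports an XML output format, which can be selected using ..." with the existing option markup left in place.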