Date: Thu, 9 May 2013 20:59:53 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41585 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit
Message-ID: <201305092059.r49KxrW3037201@svn.freebsd.org>
Author: dru Date: Thu May 9 20:59:52 2013 New Revision: 41585 URL: http://svnweb.freebsd.org/changeset/doc/41585 Log: This patch addresses the following: - fixes command/application tags with entities - fixes redundancy A subsequent patch will fix outstanding white space issues. Approved by: bcr (mentor) Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml ============================================================================== --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Thu May 9 20:56:48 2013 (r41584) +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Thu May 9 20:59:52 2013 (r41585) @@ -249,7 +249,7 @@ requirements. --> <listitem> <para><filename>audit_warn</filename> - A customizable shell - script used by <application>auditd</application> to generate + script used by &man.auditd.8; to generate warning messages in exceptional situations, such as when space for audit records is running low or when the audit trail file has been rotated.</para> @@ -460,9 +460,8 @@ requirements. --> <sect3 id="audit-auditcontrol"> <title>The <filename>audit_control</filename> File</title> - <para>The <filename>audit_control</filename> file specifies a - number of defaults for the audit subsystem. Viewing the - contents of this file, we see the following:</para> + <para>A number of defaults for the audit subsystem are + specified in <filename>audit_control</filename>:</para> <programlisting>dir:/var/audit flags:lo @@ -471,7 +470,7 @@ naflags:lo policy:cnt filesz:0</programlisting> - <para>The <option>dir</option> option is used to set one or + <para>The <option>dir</option> entry is used to set one or more directories where audit logs will be stored. If more than one directory entry appears, they will be used in order as they fill. It is common to configure audit so that audit 
@@ -484,17 +483,17 @@ filesz:0</programlisting> example above, successful and failed login and logout events are audited for all users.</para> - <para>The <option>minfree</option> option defines the minimum + <para>The <option>minfree</option> entry defines the minimum percentage of free space for the file system where the audit trail is stored. When this threshold is exceeded, a warning will be generated. The above example sets the minimum free space to twenty percent.</para> - <para>The <option>naflags</option> option specifies audit + <para>The <option>naflags</option> specifies audit classes to be audited for non-attributed events, such as the login process and system daemons.</para> - <para>The <option>policy</option> option specifies a + <para>The <option>policy</option> entry specifies a comma-separated list of policy flags controlling various aspects of audit behavior. The default <literal>cnt</literal> flag indicates that the system should @@ -504,7 +503,7 @@ filesz:0</programlisting> to the &man.execve.2; system call to be audited as part of command execution.</para> - <para>The <option>filesz</option> option specifies the maximum + <para>The <option>filesz</option> entry specifies the maximum size in bytes to allow an audit trail file to grow to before automatically terminating and rotating the trail file. The default, 0, disables automatic log rotation. If the 
@@ -516,9 +515,9 @@ filesz:0</programlisting> <sect3 id="audit-audituser"> <title>The <filename>audit_user</filename> File</title> - <para>The <filename>audit_user</filename> file permits the - administrator to specify further audit requirements for - specific users. Each line configures auditing for a user + <para>The administrator can specify further audit requirements + for specific users in <filename>audit_user</filename>. + Each line configures auditing for a user via two fields: the first is the <literal>alwaysaudit</literal> field, which specifies a set of events that should always be audited for the user, and @@ -527,14 +526,14 @@ filesz:0</programlisting> the user.</para> <para>The following example <filename>audit_user</filename> - file audits login/logout events and successful command - execution for the <username>root</username> user, and audits - file creation and successful command execution for the - <username>www</username> user. If used with the example - <filename>audit_control</filename> file above, the + audits login/logout events and successful command + execution for <username>root</username>, and audits + file creation and successful command execution for + <username>www</username>. If used with the above example + <filename>audit_control</filename>, the <literal>lo</literal> entry for <username>root</username> is redundant, and login/logout events will also be audited for - the <username>www</username> user.</para> + <username>www</username>.</para> <programlisting>root:lo,+ex:no www:fc,+ex:no</programlisting> 
@@ -553,12 +552,13 @@ www:fc,+ex:no</programlisting> &man.praudit.1; command converts trail files to a simple text format; the &man.auditreduce.1; command may be used to reduce the audit trail file for analysis, archiving, or printing - purposes. <command>auditreduce</command> supports a variety - of selection parameters, including event type, event class, + purposes. A variety of selection + parameters are supported by &man.auditreduce.1;, + including event type, event class, user, date or time of the event, and the file path or object acted on.</para> - <para>For example, the <command>praudit</command> utility will + <para>For example, &man.praudit.1; will dump the entire contents of a specified audit log in plain text:</para> @@ -569,7 +569,7 @@ www:fc,+ex:no</programlisting> the audit log to dump.</para> <para>Audit trails consist of a series of audit records made up - of tokens, which <command>praudit</command> prints + of tokens, which &man.praudit.1; prints sequentially one per line. Each token is of a specific type, such as <literal>header</literal> holding an audit record header, or <literal>path</literal> holding a file path from a @@ -605,9 +605,10 @@ trailer,133</programlisting> successful execution, and the <literal>trailer</literal> concludes the record.</para> - <para><command>praudit</command> also supports - an XML output format, which can be selected using the - <option>-x</option> argument.</para> + <para><acronym>XML</acronym> output format is also supported by + &man.praudit.1;, + and can be selected using + <option>-x</option>.</para> </sect2> <sect2> 
@@ -619,10 +620,9 @@ trailer,133</programlisting> <screen>&prompt.root; <userinput>auditreduce -u trhodes /var/audit/AUDITFILE | praudit</userinput></screen> - <para>This will select all audit records produced for the user - <username>trhodes</username> stored in the - <filename><replaceable>AUDITFILE</replaceable></filename> - file.</para> + <para>This will select all audit records produced for + <username>trhodes</username> stored in + <filename><replaceable>AUDITFILE</replaceable></filename>.</para> </sect2> <sect2> @@ -674,7 +674,7 @@ trailer,133</programlisting> SSH session, then a continuous stream of audit events will be generated at a high rate, as each event being printed will generate another event. It is advisable to run - <command>praudit</command> on an audit pipe device from + &man.praudit.1; on an audit pipe device from sessions without fine-grained I/O auditing in order to avoid this happening.</para> </warning> @@ -685,10 +685,10 @@ trailer,133</programlisting> <para>Audit trails are written to only by the kernel, and managed only by the audit daemon, - <application>auditd</application>. Administrators should not + &man.auditd.8;. Administrators should not attempt to use &man.newsyslog.conf.5; or other tools to directly rotate audit logs. Instead, the - <command>audit</command> management tool may be used to shut + &man.audit.8; management tool may be used to shut down auditing, reconfigure the audit system, and perform log rotation. The following command causes the audit daemon to create a new audit log and signal the kernel to switch to @@ -699,7 +699,7 @@ trailer,133</programlisting> <screen>&prompt.root; <userinput>audit -n</userinput></screen> <warning> - <para>If the <application>auditd</application> daemon is not + <para>If &man.auditd.8; is not currently running, this command will fail and an error message will be produced.</para> </warning> 
@@ -714,7 +714,7 @@ trailer,133</programlisting> new <filename>/etc/crontab</filename>.</para> <para>Automatic rotation of the audit trail file based on file - size is possible via the <option>filesz</option> option in + size is possible using <option>filesz</option> in &man.audit.control.5;, and is described in the configuration files section of this chapter.</para> </sect2>
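Review bot: In the @@ -484 hunk the new naflags line, "The <option>naflags</option> specifies audit", drops the noun that the minfree, policy and filesz paragraphs gain in the same hunk ("entry"); for consistency it should read "The <option>naflags</option> entry specifies audit". While touching the minfree paragraph, the unchanged context "When this threshold is exceeded, a warning will be generated" is inverted for a minimum free-space percentage: the warning is generated when free space falls below the threshold, so "When free space falls below this threshold" would be accurate.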
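Review bot: The @@ -553 hunk trades an active sentence for a passive one, "A variety of selection parameters are supported by &man.auditreduce.1;, including event type, ...", which also splits the list from its subject across three lines; keeping the active form with the entity swap, "&man.auditreduce.1; supports a variety of selection parameters, including event type, event class, ...", achieves the stated goal of the commit (entity instead of <command>) without the weaker wording.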
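Review bot: In the @@ -605 hunk the replacement paragraph opens without an article, "<acronym>XML</acronym> output format is also supported by &man.praudit.1;, and can be selected using <option>-x</option>.", and leaves "&man.praudit.1;," alone on a line; suggest "&man.praudit.1; also supports an <acronym>XML</acronym> output format, which can be selected using <option>-x</option>." on a single wrapped paragraph. The <acronym> markup itself is a good addition and consistent with the rest of the handbook.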