Date: Mon, 31 Mar 2014 17:00:42 +0300
From: Taras Korenko
To: Dru Lavigne
Cc: "freebsd-doc@freebsd.org"
Subject: Re: en/handbook/audit: proposed corrections

On Mon, Mar 31, 2014 at 06:28:41AM -0700, Dru Lavigne wrote:
> _______________________________
>
> > From: Taras Korenko
> >To: freebsd-doc@freebsd.org
> >Sent: Saturday, March 29, 2014 12:19 PM
> >Subject: en/handbook/audit: proposed corrections
> >
> > ...   However, those are just notes, which might require more polishing
> >or wordsmithing.  So, can anyone review and/or comment the following *.diff?
> > ...
> A slightly modified patch is attached. If it is acceptable to you, I can commit it.
> ...

No objections; please, commit it.

> Cheers,
>
> Dru
> Index: chapter.xml > =================================================================== > --- chapter.xml (revision 44393) > +++ chapter.xml (working copy) > @@ -196,8 +196,10 @@ > Audit Configuration > > User space support for event auditing is installed as part > - of the base &os; operating system. Kernel support can be > - enabled by adding the following line to > + of the base &os; operating system. Kernel support is available > + in the GENERIC kernel by default, > + and &man.auditd.8; can be enabled > + by adding the following line to > /etc/rc.conf: > > auditd_enable="YES" 
> @@ -217,10 +219,7 @@ > Selection expressions are used in a number of places in > the audit configuration to determine which events should be > audited. Expressions contain a list of event classes to > - match, each with a prefix indicating whether matching records > - should be accepted or ignored, and optionally to indicate if > - the entry is intended to match successful or failed > - operations. Selection expressions are evaluated from left to > + match. Selection expressions are evaluated from left to > right, and two expressions are combined by appending one onto > the other. > > @@ -383,10 +382,10 @@ > > > These audit event classes may be customized by modifying > - the audit_class and audit_ > - event configuration files. > + the audit_class and > + audit_event configuration files. > > - Each audit event class is combined with a prefix > + Each audit event class may be combined with a prefix > indicating whether successful/failed operations are matched, > and whether the entry is adding or removing matching for the > class and type. summarizes > @@ -650,8 +649,8 @@ > Since audit logs may be very large, a subset of records can > be selected using auditreduce. This example > selects all audit records produced for the user > - trhodes stored in > - AUDITFILE: > + trhodes stored in > + AUDITFILE: > > &prompt.root; auditreduce -u trhodes /var/audit/AUDITFILE | praudit > > @@ -739,8 +738,8 @@ > > Automatic rotation of the audit trail file based on file > size is possible using in > - audit.control as described in - linkend="audit-config"/>. > + audit_control as described in + linkend="audit-auditcontrol"/>. > > As audit trail files can become very large, it is often > desirable to compress or otherwise archive trails once they P.S.: thanks for your huge work on the Handbook. -- WBR, Taras Korenko
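Review bot: In the @@ -196,8 +196,10 @@ hunk, the new wording says kernel support is available "in the GENERIC kernel by default" but leaves a reader who runs a custom kernel with nothing to act on. Suggest adding one sentence after the rc.conf line that names the kernel configuration option a custom kernel needs, or a cross-reference to where it is documented, so that enabling auditd on such a system does not silently do nothing useful.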
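Review bot: The @@ -217,10 +219,7 @@ hunk removes every mention of prefixes from the selection-expression paragraph, but the sentence it keeps ("evaluated from left to right, and two expressions are combined by appending one onto the other") only makes sense to a reader who already knows that classes can be added or removed by prefix. Suggest keeping a short clause such as "optionally with a prefix, described below" or a forward reference to the prefix paragraph touched in the @@ -383,10 +382,10 @@ hunk, so the reason evaluation order matters is not lost.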
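Review bot: In the @@ -383,10 +382,10 @@ hunk, changing "is combined with a prefix" to "may be combined with a prefix" makes the prefix optional without saying what a class matches when no prefix is given. Suggest adding that default to the same sentence or to the table it points at, since an administrator writing a selection expression needs to know whether a bare class name records successful operations, failed operations, or both.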
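Review bot: In the @@ -739,8 +738,8 @@ hunk, the cross-reference target changes from linkend="audit-config" to linkend="audit-auditcontrol", and no hunk in this patch adds an element with that id. Please confirm the id already exists in chapter.xml (revision 44393) before committing, otherwise the reference to the audit_control section dangles. The rename from audit.control to audit_control in the same hunk is worth checking against the rest of the chapter for any remaining occurrences of the old spelling.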