Date: Thu, 12 Oct 2006 11:00:55 +0800
From: "=?GB2312?B?1Pi6o8zO?=" <nocooling@gmail.com>
To: trustedbsd-audit@freebsd.org
Subject: Re: Audit handbook chapter review
Message-ID: <9d688f090610112000n696e0823nda21d80f4f1a2fee@mail.gmail.com>

Hello Robert:

I found a confusing description in Chapter 16.4.1. According to the TrustedBSD source code, the symbol '^' does not just mean "Audit neither successful nor failed events in this class". In particular, in the config file audit_user, the symbol '^' can be used to restrict both the always-audit and never-audit items. For example:

    www:no:+all,^+ad,^+lo

This config item means that no special events should always be audited for the www user, and we never care about any successful events for him, except the events that belong to the ad and lo classes. So here ^+ad means to audit +ad events. I think it is more exact to describe the symbol '^' as a counter or minus computation:

    (+all)-(+ad)-(+lo)
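
Added example, not part of the original message and not TrustedBSD or OpenBSM code: a small C model of the subtraction reading proposed above, evaluating a flag list left to right into success and failure masks. The class bit values, `struct mask` and `parse_flags` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed class table for this example; a real system reads the
 * name-to-bit mapping from its audit_class file. */
struct au_class { const char *name; uint32_t bits; };
static const struct au_class classes[] = {
    { "no", 0x00000000u }, { "ad", 0x00000800u },
    { "lo", 0x00001000u }, { "all", 0xffffffffu },
};
#define NCLASSES (sizeof(classes) / sizeof(classes[0]))

struct mask { uint32_t success, failure; };

/* Evaluate a flag list such as "+all,^+ad,^+lo" left to right.
 * A plain term ORs its class into the mask; a '^' term clears it.
 * Returns 0 on success, -1 on an empty or unknown class name. */
int parse_flags(const char *spec, struct mask *m)
{
    m->success = m->failure = 0;
    while (*spec) {
        const char *p = spec, *end = spec + strcspn(spec, ",");
        int neg = 0, s = 1, f = 1, found = 0;
        uint32_t bits = 0;
        if (*p == '^') { neg = 1; p++; }
        if (*p == '+') { f = 0; p++; }        /* success only */
        else if (*p == '-') { s = 0; p++; }   /* failure only */
        size_t n = (size_t)(end - p);
        for (size_t i = 0; i < NCLASSES; i++)
            if (strlen(classes[i].name) == n && !strncmp(p, classes[i].name, n)) {
                bits = classes[i].bits; found = 1;
            }
        if (!found) return -1;
        if (s) m->success = neg ? (m->success & ~bits) : (m->success | bits);
        if (f) m->failure = neg ? (m->failure & ~bits) : (m->failure | bits);
        spec = end + (*end == ',');
    }
    return 0;
}

int main(void)
{
    struct mask m;  /* input below is the never-audit field quoted in the message */
    if (parse_flags("+all,^+ad,^+lo", &m) == 0)
        printf("success=0x%08x failure=0x%08x\n", (unsigned)m.success, (unsigned)m.failure);
    return 0;
}
```

In this model the order of terms matters: a `^` term placed before `+all` is overwritten by it, so a reviewer checking an audit_user line should read the list left to right.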