From: 曾海涛 <nocooling@gmail.com>
To: trustedbsd-audit@freebsd.org
Date: Thu, 12 Oct 2006 11:00:55 +0800
Subject: Re: Audit handbook chapter review
Message-ID: <9d688f090610112000n696e0823nda21d80f4f1a2fee@mail.gmail.com>
List-Id: TrustedBSD Audit Discussion List

Hello Robert:

I found a confusing description in Chapter 16.4.1.
According to the TrustedBSD source code, you can find that the symbol '^' does not just mean "Audit neither successful nor failed events in this class". Particularly in the config file audit_user, you can find that the symbol '^' can be used to restrict both always-audit and never-audit items. For example:

www:no:+all,^+ad,^+lo

This config item means that no special events should be always audited for the www user, and we never care about all success events for him, except the events belonging to the ad and lo classes. So here ^+ad means to audit +ad events. I think it is more exact to describe the symbol '^' as a counter or minus computation:

(+all)-(+ad)-(+lo)
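The reading proposed in the message above (each '^' token subtracts from the set built so far, so "+all,^+ad,^+lo" is (+all)-(+ad)-(+lo)) can be checked by modelling the flag syntax directly. The following is an added example written for this page; it is not code from the post, from FreeBSD or from libbsm. The class-to-event mapping is a constructed toy subset (the real one lives in audit_class(5) and audit_event(5)), and the way effective_mask combines the global flags with the per-user always/never sets is an assumption made for illustration.

```python
# Added example: left-to-right evaluation of audit flag strings such as
# "+all,^+ad,^+lo", with "^" removing what the token would otherwise select.
# CLASS_EVENTS is a constructed toy subset of the audit classes; it is not
# the real audit_class(5) table.
CLASS_EVENTS = {
    "no": set(),                      # audit_class(5) "invalid class": selects nothing
    "lo": {"login", "logout"},        # login/logout
    "ad": {"auditon", "setaudit"},    # administrative
    "fr": {"open_read"},              # file read
}
CLASS_EVENTS["all"] = set().union(*CLASS_EVENTS.values())

OUTCOMES = ("success", "failure")


def parse_flags(spec):
    """Return the set of (event, outcome) pairs selected by an audit flag string.

    Tokens are processed left to right. Each token is [^][+|-]class:
      +class  successful events of the class
      -class  failed events of the class
      class   both outcomes
      ^...    remove those pairs from the set built so far instead of adding them
    """
    selected = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("^")
        if negate:
            token = token[1:]
        outcomes = OUTCOMES
        if token.startswith("+"):
            outcomes, token = ("success",), token[1:]
        elif token.startswith("-"):
            outcomes, token = ("failure",), token[1:]
        if token not in CLASS_EVENTS:
            raise ValueError(f"unknown audit class: {token!r}")
        pairs = {(ev, oc) for ev in CLASS_EVENTS[token] for oc in outcomes}
        if negate:
            selected -= pairs   # "^" behaves as subtraction, as the post argues
        else:
            selected |= pairs
    return selected


def parse_audit_user_line(line):
    """Split an audit_user(5) line 'user:alwaysaudit:neveraudit' into sets."""
    user, always, never = line.strip().split(":")
    return user, parse_flags(always), parse_flags(never)


def effective_mask(global_flags, always, never):
    """Combine the per-user sets with the global audit_control flags.

    Assumption for this example: the user's always-audit set is added to the
    global selection and the never-audit set is then removed from the result.
    """
    return (parse_flags(global_flags) | always) - never


if __name__ == "__main__":
    # The line from the post: nothing always-audited, and all successful
    # events never-audited except those in the ad and lo classes.
    user, always, never = parse_audit_user_line("www:no:+all,^+ad,^+lo")
    mask = effective_mask("lo,fr", always, never)
    for ev, oc in sorted(mask):
        print(f"{user}: audit {ev} ({oc})")
```

With the toy classes, the never-audit field of the post's line reduces to just the successful file-read event, which is exactly the (+all)-(+ad)-(+lo) computation the message describes; a successful login therefore stays auditable even though "+all" appears in the never-audit field.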