Date: Thu, 30 Jan 2014 05:46:43 +0000 (UTC)
From: Warren Block <wblock@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43688 - head/en_US.ISO8859-1/books/handbook/audit
Message-ID: <201401300546.s0U5khw0062023@svn.freebsd.org>
Author: wblock Date: Thu Jan 30 05:46:42 2014 New Revision: 43688 URL: http://svnweb.freebsd.org/changeset/doc/43688 Log: Whitespace-only fixes, translators please ignore. Modified: head/en_US.ISO8859-1/books/handbook/audit/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/audit/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/audit/chapter.xml Thu Jan 30 05:38:06 2014 (r43687) +++ head/en_US.ISO8859-1/books/handbook/audit/chapter.xml Thu Jan 30 05:46:42 2014 (r43688) @@ -9,16 +9,32 @@ And the /dev/audit special file if we ch some coverage of integrating MAC with Event auditing and perhaps discussion on how some companies or organizations handle auditing and auditing requirements. --> -<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="audit"> - <info><title>Security Event Auditing</title> + +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" + xml:id="audit"> + + <info> + <title>Security Event Auditing</title> + <authorgroup> - <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author> - <author><personname><firstname>Robert</firstname><surname>Watson</surname></personname></author> + <author> + <personname> + <firstname>Tom</firstname> + <surname>Rhodes</surname> + </personname> + <contrib>Written by </contrib> + </author> + + <author> + <personname> + <firstname>Robert</firstname> + <surname>Watson</surname> + </personname> + </author> </authorgroup> </info> - - <sect1 xml:id="audit-synopsis"> <title>Synopsis</title> 
@@ -189,8 +205,8 @@ requirements. --> <programlisting>options AUDIT</programlisting> - <para>Rebuild and reinstall - the kernel via the normal process explained in <xref linkend="kernelconfig"/>.</para> + <para>Rebuild and reinstall the kernel via the normal process + explained in <xref linkend="kernelconfig"/>.</para> <para>Once an audit-enabled kernel is built, installed, and the system has been rebooted, enable the audit daemon by adding the @@ -208,9 +224,8 @@ requirements. --> <title>Audit Configuration</title> <para>All configuration files for security audit are found in - <filename>/etc/security</filename>. The - following files must be present before the audit daemon is - started:</para> + <filename>/etc/security</filename>. The following files must be + present before the audit daemon is started:</para> <itemizedlist> <listitem> @@ -257,13 +272,13 @@ requirements. --> <para>Selection expressions are used in a number of places in the audit configuration to determine which events should be - audited. Expressions contain a list of event classes to match, - each with a prefix indicating whether matching records should - be accepted or ignored, and optionally to indicate if the - entry is intended to match successful or failed operations. - Selection expressions are evaluated from left to right, and - two expressions are combined by appending one onto the - other.</para> + audited. Expressions contain a list of event classes to + match, each with a prefix indicating whether matching records + should be accepted or ignored, and optionally to indicate if + the entry is intended to match successful or failed + operations. Selection expressions are evaluated from left to + right, and two expressions are combined by appending one onto + the other.</para> <para>The following list contains the default audit event classes present in <filename>audit_class</filename>:</para> 
@@ -478,9 +493,9 @@ filesz:0</programlisting> will be generated. The above example sets the minimum free space to twenty percent.</para> - <para>The <option>naflags</option> entry specifies audit classes - to be audited for non-attributed events, such as the login - process and system daemons.</para> + <para>The <option>naflags</option> entry specifies audit + classes to be audited for non-attributed events, such as the + login process and system daemons.</para> <para>The <option>policy</option> entry specifies a comma-separated list of policy flags controlling various @@ -514,13 +529,14 @@ filesz:0</programlisting> of events that should never be audited for the user.</para> <para>The following example <filename>audit_user</filename> - audits login/logout events and successful command - execution for <systemitem class="username">root</systemitem>, and audits - file creation and successful command execution for - <systemitem class="username">www</systemitem>. If used with the above example - <filename>audit_control</filename>, the - <literal>lo</literal> entry for <systemitem class="username">root</systemitem> is - redundant, and login/logout events will also be audited for + audits login/logout events and successful command execution + for <systemitem class="username">root</systemitem>, and + audits file creation and successful command execution for + <systemitem class="username">www</systemitem>. If used with + the above example <filename>audit_control</filename>, the + <literal>lo</literal> entry for + <systemitem class="username">root</systemitem> is redundant, + and login/logout events will also be audited for <systemitem class="username">www</systemitem>.</para> <programlisting>root:lo,+ex:no 
@@ -541,9 +557,9 @@ www:fc,+ex:no</programlisting> format; the &man.auditreduce.1; command may be used to reduce the audit trail file for analysis, archiving, or printing purposes. A variety of selection parameters are supported by - &man.auditreduce.1;, including event type, event class, - user, date or time of the event, and the file path or object - acted on.</para> + &man.auditreduce.1;, including event type, event class, user, + date or time of the event, and the file path or object acted + on.</para> <para>For example, &man.praudit.1; will dump the entire contents of a specified audit log in plain text:</para> @@ -584,12 +600,13 @@ trailer,133</programlisting> user ID and group ID, real user ID and group ID, process ID, session ID, port ID, and login address. Notice that the audit user ID and real user ID differ: the user - <systemitem class="username">robert</systemitem> has switched to the - <systemitem class="username">root</systemitem> account before running this command, - but it is audited using the original authenticated user. - Finally, the <literal>return</literal> token indicates the - successful execution, and the <literal>trailer</literal> - concludes the record.</para> + <systemitem class="username">robert</systemitem> has switched + to the <systemitem class="username">root</systemitem> account + before running this command, but it is audited using the + original authenticated user. Finally, the + <literal>return</literal> token indicates the successful + execution, and the <literal>trailer</literal> concludes the + record.</para> <para><acronym>XML</acronym> output format is also supported by &man.praudit.1;, and can be selected using 
@@ -613,15 +630,19 @@ trailer,133</programlisting> <sect2> <title>Delegating Audit Review Rights</title> - <para>Members of the <systemitem class="groupname">audit</systemitem> group are - given permission to read audit trails in <filename>/var/audit</filename>; by default, this - group is empty, so only the <systemitem class="username">root</systemitem> user - may read audit trails. Users may be added to the - <systemitem class="groupname">audit</systemitem> group in order to delegate audit - review rights to the user. As the ability to track audit log - contents provides significant insight into the behavior of - users and processes, it is recommended that the delegation of - audit review rights be performed with caution.</para> + <para>Members of the + <systemitem class="groupname">audit</systemitem> group are + given permission to read audit trails in + <filename>/var/audit</filename>; by default, this group is + empty, so only the + <systemitem class="username">root</systemitem> user may read + audit trails. Users may be added to the + <systemitem class="groupname">audit</systemitem> group in + order to delegate audit review rights to the user. As the + ability to track audit log contents provides significant + insight into the behavior of users and processes, it is + recommended that the delegation of audit review rights be + performed with caution.</para> </sect2> <sect2> 
@@ -640,9 +661,10 @@ trailer,133</programlisting> <screen>&prompt.root; <userinput>praudit /dev/auditpipe</userinput></screen> <para>By default, audit pipe device nodes are accessible only to - the <systemitem class="username">root</systemitem> user. To make them accessible - to the members of the <systemitem class="groupname">audit</systemitem> group, add - a <literal>devfs</literal> rule to + the <systemitem class="username">root</systemitem> user. To + make them accessible to the members of the + <systemitem class="groupname">audit</systemitem> group, add a + <literal>devfs</literal> rule to <filename>devfs.rules</filename>:</para> <programlisting>add path 'auditpipe*' mode 0440 group audit</programlisting>
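Review bot: the last hunk reflows the paragraph that tells the reader to "add a devfs rule to devfs.rules" and then shows only the single line `add path 'auditpipe*' mode 0440 group audit`, without saying which ruleset that line belongs to or how the ruleset is activated, so a reader cannot apply it as written; since this commit is whitespace-only that is out of scope here, but a follow-up should either name the ruleset and its activation step or add an xref to the handbook's devfs section. The mode itself is sound: 0440 with group audit keeps the pipe read-only and matches the audit group the "Delegating Audit Review Rights" hunk uses for /var/audit, so no change to the rule is needed.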