From owner-svn-doc-head@FreeBSD.ORG Thu Jan 30 05:46:43 2014 Return-Path: Delivered-To: svn-doc-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4D33FDAD; Thu, 30 Jan 2014 05:46:43 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 35C931471; Thu, 30 Jan 2014 05:46:43 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id s0U5khb1062024; Thu, 30 Jan 2014 05:46:43 GMT (envelope-from wblock@svn.freebsd.org) Received: (from wblock@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id s0U5khw0062023; Thu, 30 Jan 2014 05:46:43 GMT (envelope-from wblock@svn.freebsd.org) Message-Id: <201401300546.s0U5khw0062023@svn.freebsd.org> 
From: Warren Block Date: Thu, 30 Jan 2014 05:46:43 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43688 - head/en_US.ISO8859-1/books/handbook/audit X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jan 2014 05:46:43 -0000 Author: wblock Date: Thu Jan 30 05:46:42 2014 New Revision: 43688 URL: http://svnweb.freebsd.org/changeset/doc/43688 Log: Whitespace-only fixes, translators please ignore. Modified: head/en_US.ISO8859-1/books/handbook/audit/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/audit/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/audit/chapter.xml Thu Jan 30 05:38:06 2014 (r43687) +++ head/en_US.ISO8859-1/books/handbook/audit/chapter.xml Thu Jan 30 05:46:42 2014 (r43688) @@ -9,16 +9,32 @@ And the /dev/audit special file if we ch some coverage of integrating MAC with Event auditing and perhaps discussion on how some companies or organizations handle auditing and auditing requirements. --> - - Security Event Auditing + + + + + Security Event Auditing + - TomRhodesWritten by - RobertWatson + + + Tom + Rhodes + + Written by + + + + + Robert + Watson + + - - Synopsis @@ -189,8 +205,8 @@ requirements. --> options AUDIT - Rebuild and reinstall - the kernel via the normal process explained in . + Rebuild and reinstall the kernel via the normal process + explained in . Once an audit-enabled kernel is built, installed, and the system has been rebooted, enable the audit daemon by adding the 
@@ -208,9 +224,8 @@ requirements. --> Audit Configuration All configuration files for security audit are found in - /etc/security. The - following files must be present before the audit daemon is - started: + /etc/security. The following files must be + present before the audit daemon is started: @@ -257,13 +272,13 @@ requirements. --> Selection expressions are used in a number of places in the audit configuration to determine which events should be - audited. Expressions contain a list of event classes to match, - each with a prefix indicating whether matching records should - be accepted or ignored, and optionally to indicate if the - entry is intended to match successful or failed operations. - Selection expressions are evaluated from left to right, and - two expressions are combined by appending one onto the - other. + audited. Expressions contain a list of event classes to + match, each with a prefix indicating whether matching records + should be accepted or ignored, and optionally to indicate if + the entry is intended to match successful or failed + operations. Selection expressions are evaluated from left to + right, and two expressions are combined by appending one onto + the other. The following list contains the default audit event classes present in audit_class: @@ -478,9 +493,9 @@ filesz:0 will be generated. The above example sets the minimum free space to twenty percent. - The entry specifies audit classes - to be audited for non-attributed events, such as the login - process and system daemons. + The entry specifies audit + classes to be audited for non-attributed events, such as the + login process and system daemons. The entry specifies a comma-separated list of policy flags controlling various 
@@ -514,13 +529,14 @@ filesz:0 of events that should never be audited for the user. The following example audit_user - audits login/logout events and successful command - execution for root, and audits - file creation and successful command execution for - www. If used with the above example - audit_control, the - lo entry for root is - redundant, and login/logout events will also be audited for + audits login/logout events and successful command execution + for root, and + audits file creation and successful command execution for + www. If used with + the above example audit_control, the + lo entry for + root is redundant, + and login/logout events will also be audited for www. root:lo,+ex:no @@ -541,9 +557,9 @@ www:fc,+ex:no format; the &man.auditreduce.1; command may be used to reduce the audit trail file for analysis, archiving, or printing purposes. A variety of selection parameters are supported by - &man.auditreduce.1;, including event type, event class, - user, date or time of the event, and the file path or object - acted on. + &man.auditreduce.1;, including event type, event class, user, + date or time of the event, and the file path or object acted + on. For example, &man.praudit.1; will dump the entire contents of a specified audit log in plain text: 
@@ -584,12 +600,13 @@ trailer,133 user ID and group ID, real user ID and group ID, process ID, session ID, port ID, and login address. Notice that the audit user ID and real user ID differ: the user - robert has switched to the - root account before running this command, - but it is audited using the original authenticated user. - Finally, the return token indicates the - successful execution, and the trailer - concludes the record. + robert has switched + to the root account + before running this command, but it is audited using the + original authenticated user. Finally, the + return token indicates the successful + execution, and the trailer concludes the + record. XML output format is also supported by &man.praudit.1;, and can be selected using @@ -613,15 +630,19 @@ trailer,133 Delegating Audit Review Rights - Members of the audit group are - given permission to read audit trails in /var/audit; by default, this - group is empty, so only the root user - may read audit trails. Users may be added to the - audit group in order to delegate audit - review rights to the user. As the ability to track audit log - contents provides significant insight into the behavior of - users and processes, it is recommended that the delegation of - audit review rights be performed with caution. + Members of the + audit group are + given permission to read audit trails in + /var/audit; by default, this group is + empty, so only the + root user may read + audit trails. Users may be added to the + audit group in + order to delegate audit review rights to the user. As the + ability to track audit log contents provides significant + insight into the behavior of users and processes, it is + recommended that the delegation of audit review rights be + performed with caution. 
@@ -640,9 +661,10 @@ trailer,133 &prompt.root; praudit /dev/auditpipe By default, audit pipe device nodes are accessible only to - the root user. To make them accessible - to the members of the audit group, add - a devfs rule to + the root user. To + make them accessible to the members of the + audit group, add a + devfs rule to devfs.rules: add path 'auditpipe*' mode 0440 group audit
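Review bot: for a whitespace-only reflow the one thing to verify is that no literal block was re-wrapped, and the visible hunks pass that check: the programlisting lines `root:lo,+ex:no` / `www:fc,+ex:no` (after the @@ -514 hunk) and `add path 'auditpipe*' mode 0440 group audit` (closing the @@ -640 hunk) appear only as unchanged context, so the rendered configuration examples are untouched and the "translators please ignore" log message holds for every hunk shown.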