From owner-svn-doc-projects@FreeBSD.ORG Fri May 10 11:55:41 2013
Return-Path:
Delivered-To: svn-doc-projects@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 56132F6D; Fri, 10 May 2013 11:55:41 +0000 (UTC) (envelope-from dru@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 47926341; Fri, 10 May 2013 11:55:41 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r4ABtfZG053743; Fri, 10 May 2013 11:55:41 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r4ABtfO6053742; Fri, 10 May 2013 11:55:41 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201305101155.r4ABtfO6053742@svn.freebsd.org>
From: Dru Lavigne Date: Fri, 10 May 2013 11:55:41 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org Subject: svn commit: r41589 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit X-SVN-Group: doc-projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-projects@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for doc projects trees List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 May 2013 11:55:41 -0000 Author: dru Date: Fri May 10 11:55:40 2013 New Revision: 41589 URL: http://svnweb.freebsd.org/changeset/doc/41589 Log: White space fix only. Translators can ignore. Approved by: bcr (mentor) Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml ============================================================================== --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Fri May 10 11:40:22 2013 (r41588) +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Fri May 10 11:55:40 2013 (r41589) @@ -60,8 +60,8 @@ requirements. --> - How to configure Event Auditing on &os; for users - and processes. + How to configure Event Auditing on &os; for users and + processes. @@ -85,8 +85,8 @@ requirements. --> - Have some familiarity with security and how it - pertains to &os; (). + Have some familiarity with security and how it pertains + to &os; (). 
@@ -104,9 +104,9 @@ requirements. --> Administrators should take into account disk space requirements associated with high volume audit configurations. For example, it may be desirable to dedicate a file system to - the /var/audit tree so that other file - systems are not affected if the audit file system becomes - full. + the /var/audit tree + so that other file systems are not affected if the audit file + system becomes full. @@ -133,9 +133,9 @@ requirements. --> class: Event classes are named sets of related events, and are used in selection expressions. - Commonly used classes of events include - file creation (fc), exec (ex) - and login_logout (lo). + Commonly used classes of events include file + creation (fc), exec (ex) and + login_logout (lo). @@ -199,8 +199,8 @@ requirements. --> options AUDIT Rebuild and reinstall - the kernel via the normal process explained in - . + the kernel via the normal process explained in . Once an audit-enabled kernel is built, installed, and the system has been rebooted, enable the audit daemon by adding the @@ -249,10 +249,10 @@ requirements. --> audit_warn - A customizable shell - script used by &man.auditd.8; to generate - warning messages in exceptional situations, such as when - space for audit records is running low or when the audit - trail file has been rotated. + script used by &man.auditd.8; to generate warning messages + in exceptional situations, such as when space for audit + records is running low or when the audit trail file has + been rotated. @@ -400,8 +400,8 @@ requirements. --> These audit event classes may be customized by modifying - the audit_class and - audit_event configuration files. + the audit_class and audit_ + event configuration files. Each audit class in the list is combined with a prefix indicating whether successful/failed operations are matched, 
@@ -451,11 +451,10 @@ requirements. --> Configuration Files In most cases, administrators will need to modify only two - files when configuring the audit system: - audit_control and - audit_user. The first controls - system-wide audit properties and policies; the second may be - used to fine-tune auditing by user. + files when configuring the audit system: audit_ + control and audit_user. + The first controls system-wide audit properties and policies; + the second may be used to fine-tune auditing by user. The <filename>audit_control</filename> File @@ -489,9 +488,9 @@ filesz:0 will be generated. The above example sets the minimum free space to twenty percent. - The specifies audit - classes to be audited for non-attributed events, such as the - login process and system daemons. + The specifies audit classes + to be audited for non-attributed events, such as the login + process and system daemons. The entry specifies a comma-separated list of policy flags controlling various @@ -517,13 +516,12 @@ filesz:0 The administrator can specify further audit requirements for specific users in audit_user. - Each line configures auditing for a user - via two fields: the first is the - alwaysaudit field, which specifies a set - of events that should always be audited for the user, and - the second is the neveraudit field, which - specifies a set of events that should never be audited for - the user. + Each line configures auditing for a user via two fields: + the first is the alwaysaudit field, + which specifies a set of events that should always be + audited for the user, and the second is the + neveraudit field, which specifies a set + of events that should never be audited for the user. The following example audit_user audits login/logout events and successful command 
@@ -552,15 +550,13 @@ www:fc,+ex:no &man.praudit.1; command converts trail files to a simple text format; the &man.auditreduce.1; command may be used to reduce the audit trail file for analysis, archiving, or printing - purposes. A variety of selection - parameters are supported by &man.auditreduce.1;, - including event type, event class, + purposes. A variety of selection parameters are supported by + &man.auditreduce.1;, including event type, event class, user, date or time of the event, and the file path or object acted on. - For example, &man.praudit.1; will - dump the entire contents of a specified audit log in plain - text: + For example, &man.praudit.1; will dump the entire + contents of a specified audit log in plain text: &prompt.root; praudit /var/audit/AUDITFILE @@ -569,11 +565,11 @@ www:fc,+ex:no the audit log to dump. Audit trails consist of a series of audit records made up - of tokens, which &man.praudit.1; prints - sequentially one per line. Each token is of a specific type, - such as header holding an audit record - header, or path holding a file path from a - name lookup. The following is an example of an + of tokens, which &man.praudit.1; prints sequentially one per + line. Each token is of a specific type, such as + header holding an audit record header, or + path holding a file path from a name + lookup. The following is an example of an execve event: header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec @@ -606,8 +602,7 @@ trailer,133 concludes the record. XML output format is also supported by - &man.praudit.1;, - and can be selected using + &man.praudit.1;, and can be selected using . 
@@ -629,10 +624,10 @@ trailer,133 Delegating Audit Review Rights Members of the audit group are - given permission to read audit trails in - /var/audit; by default, this group is - empty, so only the root user may read - audit trails. Users may be added to the + given permission to read audit trails in /var/audit; by default, this + group is empty, so only the root user + may read audit trails. Users may be added to the audit group in order to delegate audit review rights to the user. As the ability to track audit log contents provides significant insight into the behavior of @@ -674,9 +669,9 @@ trailer,133 SSH session, then a continuous stream of audit events will be generated at a high rate, as each event being printed will generate another event. It is advisable to run - &man.praudit.1; on an audit pipe device from - sessions without fine-grained I/O auditing in order to avoid - this happening. + &man.praudit.1; on an audit pipe device from sessions + without fine-grained I/O auditing in order to avoid this + happening. 
@@ -684,24 +679,23 @@ trailer,133 Rotating Audit Trail Files Audit trails are written to only by the kernel, and - managed only by the audit daemon, - &man.auditd.8;. Administrators should not - attempt to use &man.newsyslog.conf.5; or other tools to - directly rotate audit logs. Instead, the - &man.audit.8; management tool may be used to shut - down auditing, reconfigure the audit system, and perform log - rotation. The following command causes the audit daemon to - create a new audit log and signal the kernel to switch to - using the new log. The old log will be terminated and - renamed, at which point it may then be manipulated by the - administrator. + managed only by the audit daemon, &man.auditd.8;. + Administrators should not attempt to use + &man.newsyslog.conf.5; or other tools to directly rotate + audit logs. Instead, the &man.audit.8; management tool may + be used to shut down auditing, reconfigure the audit system, + and perform log rotation. The following command causes the + audit daemon to create a new audit log and signal the kernel + to switch to using the new log. The old log will be + terminated and renamed, at which point it may then be + manipulated by the administrator. &prompt.root; audit -n - If &man.auditd.8; is not - currently running, this command will fail and an error - message will be produced. + If &man.auditd.8; is not currently running, this + command will fail and an error message will be + produced. Adding the following line to @@ -710,8 +704,8 @@ trailer,133 0 */12 * * * root /usr/sbin/audit -n - The change will take effect once you have saved the - new /etc/crontab. + The change will take effect once you have saved the new + /etc/crontab. Automatic rotation of the audit trail file based on file size is possible using in
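Review bot: in the hunk at @@ -400,8 +400,8 @@ the rewrap splits the file name `audit_event` across two lines (`+ the audit_class and audit_` / `+ event configuration files.`); if that line break falls inside the inline markup carrying the file name, the rendered output may show `audit_ event` with a space or a break in the middle of the name. Suggest keeping the whole file name on one line, for example wrapping before `audit_event` instead of after `audit_`.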
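Review bot: the hunk at @@ -451,11 +451,10 @@ has the same problem for `audit_control` (`+ files when configuring the audit system: audit_` / `+ control and audit_user.`); the break inside the file name risks rendering as `audit_ control`. Suggest wrapping before `audit_control` so the name stays intact, matching how `audit_user` is kept whole on the following line.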
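Review bot: in the hunk at @@ -629,10 +624,10 @@ the line `+ given permission to read audit trails in /var/audit; by default, this` runs noticeably past the wrap column used by the rest of this patch, which is otherwise a pure re-wrap for line length. Suggest re-wrapping that line to the same width as its neighbours so the whitespace cleanup is consistent.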