Date: Sat, 29 Mar 2014 18:19:05 +0200
From: Taras Korenko <ds@ukrhub.net>
To: freebsd-doc@freebsd.org
Subject: en/handbook/audit: proposed corrections
Message-ID: <20140329161905.GB92398@gamma.ukrhub.net>
[-- Attachment #1 --]
Good day, doc@ folks.
There are a few things that could be improved within the audit chapter of our
handbook. However, those are just notes, which might require more polishing
or wordsmithing. So, can anyone review and/or comment on the following *.diff?
Thanks.
--
WBR, Taras Korenko
[-- Attachment #2 --]
Index: en_US.ISO8859-1/books/handbook/audit/chapter.xml
===================================================================
--- en_US.ISO8859-1/books/handbook/audit/chapter.xml (revision 44380)
+++ en_US.ISO8859-1/books/handbook/audit/chapter.xml (working copy)
@@ -196,8 +196,10 @@
<title>Audit Configuration</title>
<para>User space support for event auditing is installed as part
- of the base &os; operating system. Kernel support can be
- enabled by adding the following line to
+ of the base &os; operating system. Kernel support is available
+ in <filename>GENERIC</filename> kernel by default,
+ an &man.auditd.8; can be enabled
+ by adding the following line to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>auditd_enable="YES"</programlisting>
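Review bot: In the added line "an &man.auditd.8; can be enabled", "an" should be "and", and "in <filename>GENERIC</filename> kernel" needs an article ("in the <filename>GENERIC</filename> kernel"). The sentence now carries two separate facts, so it would read more clearly split in two: one sentence saying kernel support is present in GENERIC, and one saying the daemon is enabled through /etc/rc.conf. As written, the new text only covers GENERIC, which leaves readers running a custom kernel without guidance on how to get audit support.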
@@ -217,10 +219,7 @@
<para>Selection expressions are used in a number of places in
the audit configuration to determine which events should be
audited. Expressions contain a list of event classes to
- match, each with a prefix indicating whether matching records
- should be accepted or ignored, and optionally to indicate if
- the entry is intended to match successful or failed
- operations. Selection expressions are evaluated from left to
+ match. Selection expressions are evaluated from left to
right, and two expressions are combined by appending one onto
the other.</para>
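Review bot: Dropping the prefix description entirely leaves "Selection expressions are evaluated from left to right" without its context, because this paragraph no longer tells the reader that an entry can carry a prefix that adds or removes matching. The later paragraph that points to <xref linkend="event-prefixes"/> does cover it, so consider keeping a short clause here, for example that each class may optionally carry a prefix, rather than removing the mention outright.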
@@ -383,10 +382,9 @@
</table>
<para>These audit event classes may be customized by modifying
- the <filename>audit_class</filename> and <filename>audit_
- event</filename> configuration files.</para>
+ the <filename>audit_class</filename> and <filename>audit_event</filename> configuration files.</para>
- <para>Each audit event class is combined with a prefix
+ <para>Each audit event class may be combined with a prefix
indicating whether successful/failed operations are matched,
and whether the entry is adding or removing matching for the
class and type. <xref linkend="event-prefixes"/> summarizes
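Review bot: The rejoined line "the <filename>audit_class</filename> and <filename>audit_event</filename> configuration files.</para>" runs well past the wrap width of the surrounding lines; break it after "and" so that the <filename>audit_event</filename> element stays intact on one line. The "is combined" to "may be combined" wording change in the same hunk is a content change mixed with a whitespace repair, and the two would be easier to review if kept apart.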
@@ -650,8 +648,8 @@
<para>Since audit logs may be very large, a subset of records can
be selected using <command>auditreduce</command>. This example
selects all audit records produced for the user
- <replaceable>trhodes</replaceable> stored in
- <replaceable>AUDITFILE</replaceable>:</para>
+ <systemitem class="username">trhodes</systemitem> stored in
+ <filename>AUDITFILE</filename>:</para>
<screen>&prompt.root; <userinput>auditreduce -u <replaceable>trhodes</replaceable> /var/audit/<replaceable>AUDITFILE</replaceable> | praudit</userinput></screen>
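Review bot: The prose now tags trhodes as <systemitem class="username"> and AUDITFILE as <filename>, but the <screen> line directly below still marks both as <replaceable>, so the same two tokens are tagged differently within one example. AUDITFILE is a placeholder rather than a real file name, so <filename><replaceable>AUDITFILE</replaceable></filename> would preserve that meaning in the paragraph; whichever markup is chosen for the user name should be applied to the command line as well.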
@@ -739,8 +737,8 @@
<para>Automatic rotation of the audit trail file based on file
size is possible using <option>filesz</option> in
- <filename>audit.control</filename> as described in <xref
- linkend="audit-config"/>.</para>
+ <filename>audit_control</filename> as described in <xref
+ linkend="audit-auditcontrol"/>.</para>
<para>As audit trail files can become very large, it is often
desirable to compress or otherwise archive trails once they
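Review bot: The new target linkend="audit-auditcontrol" is not defined in any line shown in this patch, so please confirm that an element with that id exists in chapter.xml and that the chapter still validates with the changed <xref>. The audit.control to audit_control correction itself agrees with the underscore naming of audit_class and audit_event used in the earlier hunk.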
