From owner-freebsd-doc@FreeBSD.ORG Sat Mar 29 16:27:02 2014
Delivered-To: freebsd-doc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D4950DB2; Sat, 29 Mar 2014 16:27:02 +0000 (UTC)
Received: from boomer.ukrhub.net (boomer.ukrhub.net [94.125.121.14]) by mx1.freebsd.org (Postfix) with ESMTP id 56DD01E6; Sat, 29 Mar 2014 16:27:01 +0000 (UTC)
Received: by boomer.ukrhub.net (Postfix, from userid 58) id E7B8424DC21; Sat, 29 Mar 2014 18:19:19 +0200 (EET)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on boomer.ukrhub.net
X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.3.1
Received: from gamma.ukrhub.net (unknown [10.100.1.91]) by boomer.ukrhub.net (Postfix) with ESMTP id 6CABC24DC1E; Sat, 29 Mar 2014 18:19:11 +0200 (EET)
Received: from gamma.ukrhub.net (localhost [127.0.0.1]) by gamma.ukrhub.net (8.14.7/8.14.7) with ESMTP id s2TGJBRN095799 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 29 Mar 2014 18:19:11 +0200 (EET) (envelope-from ds@ukrhub.net)
Received: (from ds@localhost) by gamma.ukrhub.net (8.14.7/8.14.7/Submit) id s2TGJB8D095798 for freebsd-doc@freebsd.org; Sat, 29 Mar 2014 18:19:11 +0200 (EET) (envelope-from ds@ukrhub.net)
Date: Sat, 29 Mar 2014 18:19:05 +0200
From: Taras Korenko To: freebsd-doc@freebsd.org Subject: en/handbook/audit: proposed corrections Message-ID: <20140329161905.GB92398@gamma.ukrhub.net> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="gKMricLos+KVdGMg" Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) X-BeenThere: freebsd-doc@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: Taras Korenko List-Id: Documentation project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Mar 2014 16:27:03 -0000 --gKMricLos+KVdGMg Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Good day, doc@ folks. There're a few things that could be improved within audit chapter of our handbook. However, those are just notes, which might require more polishing or wordsmithing. So, can anyone review and/or comment the following *.diff? Thanks. -- WBR, Taras Korenko --gKMricLos+KVdGMg Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="00.en.hb.audit.diff" Index: en_US.ISO8859-1/books/handbook/audit/chapter.xml =================================================================== --- en_US.ISO8859-1/books/handbook/audit/chapter.xml (revision 44380) +++ en_US.ISO8859-1/books/handbook/audit/chapter.xml (working copy) @@ -196,8 +196,10 @@ Audit Configuration User space support for event auditing is installed as part - of the base &os; operating system. Kernel support can be - enabled by adding the following line to + of the base &os; operating system. Kernel support is available + in GENERIC kernel by default, + an &man.auditd.8; can be enabled + by adding the following line to /etc/rc.conf: auditd_enable="YES" 
@@ -217,10 +219,7 @@ Selection expressions are used in a number of places in the audit configuration to determine which events should be audited. Expressions contain a list of event classes to - match, each with a prefix indicating whether matching records - should be accepted or ignored, and optionally to indicate if - the entry is intended to match successful or failed - operations. Selection expressions are evaluated from left to + match. Selection expressions are evaluated from left to right, and two expressions are combined by appending one onto the other. @@ -383,10 +382,9 @@ These audit event classes may be customized by modifying - the audit_class and audit_ - event configuration files. + the audit_class and audit_event configuration files. - Each audit event class is combined with a prefix + Each audit event class may be combined with a prefix indicating whether successful/failed operations are matched, and whether the entry is adding or removing matching for the class and type. summarizes @@ -650,8 +648,8 @@ Since audit logs may be very large, a subset of records can be selected using auditreduce. This example selects all audit records produced for the user - trhodes stored in - AUDITFILE: + trhodes stored in + AUDITFILE: &prompt.root; auditreduce -u trhodes /var/audit/AUDITFILE | praudit @@ -739,8 +737,8 @@ Automatic rotation of the audit trail file based on file size is possible using in - audit.control as described in . + audit_control as described in . As audit trail files can become very large, it is often desirable to compress or otherwise archive trails once they --gKMricLos+KVdGMg--
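Review bot: the new wording in the first hunk (@@ -196,8 +196,10 @@), "Kernel support is available in GENERIC kernel by default, an &man.auditd.8; can be enabled by adding the following line", is a comma splice with a stray article; suggest "Kernel support is compiled into the GENERIC kernel by default, and the &man.auditd.8; daemon is enabled by adding the following line to /etc/rc.conf:". The substance of the change is right: auditd_enable="YES" starts the daemon and never loaded kernel support, which is what the old sentence implied. Since the old text was the only place that hinted at a kernel requirement, consider keeping one sentence for readers running a custom kernel, stating that the kernel configuration must include options AUDIT.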
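Review bot: in the second hunk (@@ -217,10 +219,7 @@), deleting the prefix explanation leaves "Expressions contain a list of event classes to match." with no indication that each class can carry a success/failure and add/remove prefix until the later paragraph, and the reader is likely to meet a prefixed flags line in audit_control before reaching that table. Rather than removing the sentence outright, keep a short forward pointer, e.g. "Expressions contain a list of event classes to match, each optionally carrying a prefix as described below." with a cross-reference to the prefix table, so the two descriptions are not duplicated but the overview still explains what the prefixes are.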
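Review bot: in the third hunk (@@ -383,10 +382,9 @@), rejoining "audit_ event" into "audit_event" fixes a file name that was split across two lines in the rendered output, and "may be combined with a prefix" is more accurate than "is combined", since a bare class name without a prefix is valid in a flags line. While touching these lines, consider marking audit_class and audit_event with the same manual-page entity style the chapter already uses for &man.auditd.8; (both files have section 5 manual pages), if the entity set has them, so that readers get a link to the file format description.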
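Review bot: in the last hunk (@@ -739,8 +737,8 @@), "audit_control" is the correct name; the file is /etc/security/audit_control and there is no audit.control, so this fixes a reader-visible error. The sentence as shown reads "using in audit_control as described in ." with the parameter name and the cross-reference target empty, which suggests the markup around them was lost either in the edit or in the listing; check that the size-based rotation parameter (filesz in audit_control) and the cross-reference survive in the working copy before committing.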