Date: Mon, 31 Mar 2014 06:28:41 -0700 (PDT)
From: Dru Lavigne <dru.lavigne@att.net>
To: Taras Korenko <ds@ukrhub.net>, "freebsd-doc@freebsd.org" <freebsd-doc@freebsd.org>
Subject: Re: en/handbook/audit: proposed corrections
Message-ID: <1396272521.45856.YahooMailNeo@web184906.mail.gq1.yahoo.com>
In-Reply-To: <20140329161905.GB92398@gamma.ukrhub.net>
References: <20140329161905.GB92398@gamma.ukrhub.net>
[-- Attachment #1 --]
_______________________________
> From: Taras Korenko <ds@ukrhub.net>
>To: freebsd-doc@freebsd.org
>Sent: Saturday, March 29, 2014 12:19 PM
>Subject: en/handbook/audit: proposed corrections
>
>
> Good day, doc@ folks.
>
> There're a few things that could be improved within audit chapter of our
>handbook. However, those are just notes, which might require more polishing
>or wordsmithing. So, can anyone review and/or comment the following *.diff?
Thanks, Taras.
A slightly modified patch is attached. If it is acceptable to you, I can commit it.
Cheers,
Dru
[-- Attachment #2 --]
Index: chapter.xml
===================================================================
--- chapter.xml (revision 44393)
+++ chapter.xml (working copy)
@@ -196,8 +196,10 @@
<title>Audit Configuration</title>
<para>User space support for event auditing is installed as part
- of the base &os; operating system. Kernel support can be
- enabled by adding the following line to
+ of the base &os; operating system. Kernel support is available
+ in the <filename>GENERIC</filename> kernel by default,
+ and &man.auditd.8; can be enabled
+ by adding the following line to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>auditd_enable="YES"</programlisting>
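Review bot: The rewritten sentence ("Kernel support is available in the <filename>GENERIC</filename> kernel by default") covers only GENERIC, so a reader running a custom kernel is left with just the rc.conf line, which starts &man.auditd.8; but says nothing about kernel support. Add a sentence stating what a custom kernel configuration needs, or confirm that the text right after this hunk already covers it.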
@@ -217,10 +219,7 @@
<para>Selection expressions are used in a number of places in
the audit configuration to determine which events should be
audited. Expressions contain a list of event classes to
- match, each with a prefix indicating whether matching records
- should be accepted or ignored, and optionally to indicate if
- the entry is intended to match successful or failed
- operations. Selection expressions are evaluated from left to
+ match. Selection expressions are evaluated from left to
right, and two expressions are combined by appending one onto
the other.</para>
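Review bot: With the prefix clause removed, the paragraph now reads "Expressions contain a list of event classes to match" and no longer hints that a class can carry a prefix, although prefixes are still described later in the section. Consider keeping a short pointer here, for example a reference to <xref linkend="event-prefixes"/>, so a reader of this paragraph knows the class list is not the whole syntax.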
@@ -383,10 +382,10 @@
</table>
<para>These audit event classes may be customized by modifying
- the <filename>audit_class</filename> and <filename>audit_
- event</filename> configuration files.</para>
+ the <filename>audit_class</filename> and
+ <filename>audit_event</filename> configuration files.</para>
- <para>Each audit event class is combined with a prefix
+ <para>Each audit event class may be combined with a prefix
indicating whether successful/failed operations are matched,
and whether the entry is adding or removing matching for the
class and type. <xref linkend="event-prefixes"/> summarizes
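Review bot: Changing "is combined" to "may be combined" makes the prefix optional but leaves the unprefixed case undefined in this paragraph. Add a sentence saying what a class with no prefix matches, so the reader does not have to infer it from the prefix table.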
@@ -650,8 +649,8 @@
<para>Since audit logs may be very large, a subset of records can
be selected using <command>auditreduce</command>. This example
selects all audit records produced for the user
- <replaceable>trhodes</replaceable> stored in
- <replaceable>AUDITFILE</replaceable>:</para>
+ <systemitem class="username">trhodes</systemitem> stored in
+ <filename>AUDITFILE</filename>:</para>
<screen>&prompt.root; <userinput>auditreduce -u <replaceable>trhodes</replaceable> /var/audit/<replaceable>AUDITFILE</replaceable> | praudit</userinput></screen>
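Review bot: The prose now marks the user as <systemitem class="username">trhodes</systemitem> and the file as <filename>AUDITFILE</filename>, but the unchanged <screen> line below still wraps both in <replaceable>, so the same two values are tagged differently within one example. AUDITFILE is a placeholder rather than a literal name, so <filename><replaceable>AUDITFILE</replaceable></filename> in the prose would stay consistent with the command line.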
@@ -739,8 +738,8 @@
<para>Automatic rotation of the audit trail file based on file
size is possible using <option>filesz</option> in
- <filename>audit.control</filename> as described in <xref
- linkend="audit-config"/>.</para>
+ <filename>audit_control</filename> as described in <xref
+ linkend="audit-auditcontrol"/>.</para>
<para>As audit trail files can become very large, it is often
desirable to compress or otherwise archive trails once they
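Review bot: The new linkend="audit-auditcontrol" replaces "audit-config", and the target id is not defined anywhere in the visible hunks. Check that an element with id audit-auditcontrol exists in chapter.xml before committing, since a dangling xref breaks the build. It is also worth grepping the chapter for other remaining "audit.control" spellings so the file name is consistent throughout.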
