Small corrections to audit chapter.
Submitted by: Taras Korenko Sponsored by: iXsystems
parent e69f29a66d
commit 2dee9039e5
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44395
1 changed files with 12 additions and 13 deletions
@ -196,8 +196,10 @@ requirements. -->
<title>Audit Configuration</title>
<para>User space support for event auditing is installed as part
of the base &os; operating system. Kernel support can be
enabled by adding the following line to
of the base &os; operating system. Kernel support is available
in the <filename>GENERIC</filename> kernel by default,
and &man.auditd.8; can be enabled
by adding the following line to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>auditd_enable="YES"</programlisting>
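Review bot: the two new lines `and &man.auditd.8; can be enabled` and `by adding the following line to` are wrapped well short of the surrounding lines in this paragraph; refill the paragraph to the chapter's usual width so the source stays consistent. On substance the rewrite is right: the removed text implied that the rc.conf line enabled kernel support, whereas `auditd_enable="YES"` only starts the userland daemon, and the new text correctly says kernel support is already present in GENERIC. Since the sentence about enabling kernel support was dropped entirely, a reader building a custom kernel no longer learns how to get audit support into it; consider keeping one sentence for that case.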
@ -217,10 +219,7 @@ requirements. -->
<para>Selection expressions are used in a number of places in
the audit configuration to determine which events should be
audited. Expressions contain a list of event classes to
match, each with a prefix indicating whether matching records
should be accepted or ignored, and optionally to indicate if
the entry is intended to match successful or failed
operations. Selection expressions are evaluated from left to
match. Selection expressions are evaluated from left to
right, and two expressions are combined by appending one onto
the other.</para>
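Review bot: removing the four lines about accept/ignore prefixes and success/failure matching leaves this paragraph saying only that expressions "contain a list of event classes to match" before jumping straight to left-to-right evaluation, so the reader no longer learns here what a prefix means. If the prefix semantics are now meant to live only in the later "Each audit event class may be combined with a prefix" paragraph and the `event-prefixes` table, add an `<xref>` to that section at the end of the "match." sentence so the reader knows where the prefix rules went rather than concluding that expressions are bare class lists.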
@ -383,10 +382,10 @@ requirements. -->
</table>
<para>These audit event classes may be customized by modifying
the <filename>audit_class</filename> and <filename>audit_
event</filename> configuration files.</para>
the <filename>audit_class</filename> and
<filename>audit_event</filename> configuration files.</para>
<para>Each audit event class is combined with a prefix
<para>Each audit event class may be combined with a prefix
indicating whether successful/failed operations are matched,
and whether the entry is adding or removing matching for the
class and type. <xref linkend="event-prefixes"/> summarizes
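Review bot: the old `audit_` / `event` split across a line break inside `<filename>` would have rendered with whitespace in the middle of the file name, so moving the whole element onto one line is the right fix, and it should be the pattern for any other `<filename>` in the chapter that wraps. Changing "is combined" to "may be combined" is also correct: the prefix is optional, as the text removed in the previous hunk ("optionally to indicate") acknowledged. Nothing further to change in this hunk.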
@ -650,8 +649,8 @@ trailer,133</programlisting>
<para>Since audit logs may be very large, a subset of records can
be selected using <command>auditreduce</command>. This example
selects all audit records produced for the user
<replaceable>trhodes</replaceable> stored in
<replaceable>AUDITFILE</replaceable>:</para>
<systemitem class="username">trhodes</systemitem> stored in
<filename>AUDITFILE</filename>:</para>
<screen>&prompt.root; <userinput>auditreduce -u <replaceable>trhodes</replaceable> /var/audit/<replaceable>AUDITFILE</replaceable> | praudit</userinput></screen>
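Review bot: the `<para>` now marks `trhodes` as `<systemitem class="username">` and `AUDITFILE` as `<filename>`, but the `<screen>` line directly below still wraps both in `<replaceable>`, so the same two values get different markup one line apart. `AUDITFILE` is a placeholder the reader substitutes with a real trail name, so `<filename><replaceable>AUDITFILE</replaceable></filename>` would keep the file-name role without losing the replaceable rendering; for `trhodes`, either drop `<replaceable>` in the `<screen>` or keep it in the `<para>`, but use the same choice in both places.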
@ -739,8 +738,8 @@ trailer,133</programlisting>
<para>Automatic rotation of the audit trail file based on file
size is possible using <option>filesz</option> in
<filename>audit.control</filename> as described in <xref
linkend="audit-config"/>.</para>
<filename>audit_control</filename> as described in <xref
linkend="audit-auditcontrol"/>.</para>
<para>As audit trail files can become very large, it is often
desirable to compress or otherwise archive trails once they
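Review bot: the xref target changes from `audit-config` to `audit-auditcontrol`, and the element carrying `id="audit-auditcontrol"` is not visible in this diff; confirm it exists in the chapter and that it is the section documenting `filesz`, since a dangling `linkend` breaks the build rather than degrading quietly. The `audit.control` to `audit_control` rename is a straightforward correction of the file name and needs no further change.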