Further adjustments to handbook audit chapter:
- Further clarify nature of composition of audit_control flags and audit_user.
- Add missing </para> before auditpipe configuration example.
- Mark up usernames as <literal>.

Obtained from: TrustedBSD Project
parent
6555841abf
commit
48459b7047
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=28722
1 changed files with 11 additions and 10 deletions
|
@ -263,9 +263,7 @@ requirements. -->
|
|||
or ignored, and optionally to indicate if the entry is intended
|
||||
to match successful or failed operations. Selection expressions
|
||||
are evaluated from left to right, and two expressions are
|
||||
combined by appending on onto the other. For example, per-user
|
||||
expressions are appended to global expressions to generate the
|
||||
effective preselection mask for a user at login.</para>
|
||||
combined by appending one onto the other.</para>
|
||||
|
||||
<para>The following list contains the default audit event classes
|
||||
present in <filename>audit_class</filename>:</para>
|
||||
|
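Review bot: The shortened sentence "two expressions are combined by appending one onto the other" no longer tells the reader which expressions are combined or in which order, because the per-user/global example that followed it is dropped in this hunk. Suggest keeping a short pointer here, for instance a cross-reference to the audit_user section, so that the way the preselection mask is built at login is still stated somewhere a reader of this paragraph will find it.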
@ -480,18 +478,21 @@ naflags:lo</programlisting>
|
|||
<para>The <filename>audit_user</filename> file permits the
|
||||
administrator to specify further audit requirements for specific
|
||||
users.
|
||||
There is one line per user, along with a selection expression
|
||||
which will be combined with the global <option>flags</option>.
|
||||
</para>
|
||||
Each line configures auditing for a user via two fields: the
|
||||
first is the <literal>alwaysaudit</literal> field, which specifies
|
||||
a set of events that should always be audited for the user, and
|
||||
the second is the <literal>neveraudit</literal> field, which
|
||||
specifies a set of events that should never be audited for the
|
||||
user.</para>
|
||||
|
||||
<para>The following example <filename>audit_user</filename> file
|
||||
audits login/logout events and successful command execution for
|
||||
the root user, and audits file creation and successful command
|
||||
execution for the www user.
|
||||
If used with the example <filename>audit_control</filename> file
|
||||
above, the <literal>lo</literal> entry for root is redundant,
|
||||
and login/logout events will also be audited for the www user.
|
||||
</para>
|
||||
above, the <literal>lo</literal> entry for <literal>root</literal>
|
||||
is redundant, and login/logout events will also be audited for the
|
||||
<literal>www</literal> user.</para>
|
||||
|
||||
<programlisting>root:lo,+ex:no
|
||||
www:fc,+ex:no</programlisting>
|
||||
|
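Review bot: The new alwaysaudit/neveraudit description no longer says that a user's entry is combined with the global flags, yet the paragraph that follows depends on exactly that ("the lo entry for root is redundant, and login/logout events will also be audited for the www user"). Suggest adding a sentence after "should never be audited for the user" that states how the two fields combine with the audit_control flags, and which field wins when alwaysaudit and neveraudit name the same class. As a style point, "the root user" and "the www user" in the unchanged sentence just above are still plain text, while the rewritten lines use <literal>root</literal> and <literal>www</literal>.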
@ -589,7 +590,7 @@ trailer,133</programlisting>
|
|||
<para>By default, audit pipe device nodes are accessible only to the
|
||||
root user. To make them accessible to the members of the
|
||||
<literal>audit</literal> group, add a <literal>devfs</literal> rule
|
||||
to <filename>devfs.rules</filename>:
|
||||
to <filename>devfs.rules</filename>:</para>
|
||||
|
||||
<programlisting>add path 'auditpipe*' mode 0440 group audit</programlisting>
|
||||
|
||||
|
|
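Review bot: "root user" in the first sentence of this paragraph is still unmarked, while the rest of the commit wraps usernames in <literal>; wrapping it here would keep the chapter consistent. Since the rule shown sets mode 0440 with group audit, it may also be worth one sentence saying that every member of that group gains read access to the audit pipe devices, so administrators add users to the group deliberately.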