Whitespace-only fixes. Translators, please ignore.

svn path=/head/; revision=39825
2012-10-28 00:58:36 +00:00 · 2012-10-28 00:58:36 +00:00 · 94bfe9a16b · 2020-12-08 03:00:23 +00:00
commit 94bfe9a16b
parent c0ce3355ee
1 changed files with 329 additions and 296 deletions
--- a/en_US.ISO8859-1/books/handbook/audit/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/audit/chapter.xml
@ -44,12 +44,13 @@ requirements. -->
      changes, and file and network access.  These log records can be
      invaluable for live system monitoring, intrusion detection, and
      postmortem analysis.  &os; implements &sun;'s published
-      <acronym>BSM</acronym> API and file format, and is interoperable with
+      <acronym>BSM</acronym> API and file format, and is interoperable
-      both &sun;'s &solaris; and &apple;'s &macos; X audit implementations.</para>
+      with both &sun;'s &solaris; and &apple;'s &macos; X audit
      implementations.</para>
-    <para>This chapter focuses on the installation and configuration of
+    <para>This chapter focuses on the installation and configuration
-      Event Auditing.  It explains audit policies, and provides an example
+      of Event Auditing.  It explains audit policies, and provides an
-      audit configuration.</para>
+      example audit configuration.</para>
    <para>After reading this chapter, you will know:</para>
@ -64,8 +65,8 @@ requirements. -->
      </listitem>
      <listitem>
-	<para>How to review the audit trail using the audit reduction and
+	<para>How to review the audit trail using the audit reduction
-	  review tools.</para>
+	  and review tools.</para>
      </listitem>
    </itemizedlist>
@ -90,59 +91,60 @@ requirements. -->
    </itemizedlist>
    <warning>
-      <para>The audit facility has some known limitations which include
+      <para>The audit facility has some known limitations which
-	that not all security-relevant system events are currently auditable,
+	include that not all security-relevant system events are
-	and that some login mechanisms, such as X11-based display managers
+	currently auditable, and that some login mechanisms, such as
-	and third party daemons, do not properly configure auditing for user
+	X11-based display managers and third party daemons, do not
-	login sessions.</para>
+	properly configure auditing for user login sessions.</para>
-      <para>The security event auditing facility is able to generate very
+      <para>The security event auditing facility is able to generate
-	detailed logs of system activity: on a busy system, trail file
+	very detailed logs of system activity: on a busy system, trail
-	data can be very large when configured for high detail, exceeding
+	file data can be very large when configured for high detail,
-	gigabytes a week in some configurations.  Administrators should take
+	exceeding gigabytes a week in some configurations.
-	into account disk space requirements associated with high volume
+	Administrators should take into account disk space
-	audit configurations.  For example, it may be desirable to dedicate
+	requirements associated with high volume audit configurations.
-	a file system to the <filename>/var/audit</filename> tree so that
+	For example, it may be desirable to dedicate a file system to
-	other file systems are not affected if the audit file system becomes
+	the <filename>/var/audit</filename> tree so that other file
 	systems are not affected if the audit file system becomes
 	full.</para>
    </warning>
  </sect1>
  <sect1 id="audit-inline-glossary">
    <title>Key Terms in This Chapter</title>
-    <para>Before reading this chapter, a few key audit-related terms must be
+    <para>Before reading this chapter, a few key audit-related terms
-      explained:</para>
+      must be explained:</para>
    <itemizedlist>
      <listitem>
-	<para><emphasis>event</emphasis>: An auditable event is any event
+	<para><emphasis>event</emphasis>: An auditable event is any
-	  that can be logged using the audit subsystem.
+	  event that can be logged using the audit subsystem.
 	  Examples of security-relevant events include the creation of
-	  a file, the building of a network connection, or a user logging in.
+	  a file, the building of a network connection, or a user
-	  Events are either <quote>attributable</quote>,
+	  logging in.  Events are either <quote>attributable</quote>,
 	  meaning that they can be traced to an authenticated user, or
-	  <quote>non-attributable</quote> if they cannot be.
+	  <quote>non-attributable</quote> if they cannot be.  Examples
-	  Examples of non-attributable events are any events that occur
+	  of non-attributable events are any events that occur before
-	  before authentication in the login process, such as bad password
+	  authentication in the login process, such as bad password
 	  attempts.</para>
      </listitem>
      <listitem>
-        <para><emphasis>class</emphasis>: Event classes are named sets of
+	<para><emphasis>class</emphasis>: Event classes are named sets
-	  related events, and are used in selection expressions.  Commonly
+	  of related events, and are used in selection expressions.
-	  used classes of events include <quote>file creation</quote> (fc),
+	  Commonly used classes of events include
-	  <quote>exec</quote> (ex) and <quote>login_logout</quote>
+	  <quote>file creation</quote> (fc), <quote>exec</quote> (ex)
-	  (lo).</para>
+	  and <quote>login_logout</quote> (lo).</para>
      </listitem>
      <listitem>
-	<para><emphasis>record</emphasis>: A record is an audit log entry
+	<para><emphasis>record</emphasis>: A record is an audit log
-	  describing a security event.  Records contain a record event type,
+	  entry describing a security event.  Records contain a record
-	  information on the subject (user) performing the action,
+	  event type, information on the subject (user) performing the
-	  date and time information, information on any objects or
+	  action, date and time information, information on any
-	  arguments, and a success or failure condition.</para>
+	  objects or arguments, and a success or failure
 	  condition.</para>
      </listitem>
      <listitem>
@ -156,30 +158,31 @@ requirements. -->
      <listitem>
 	<para><emphasis>selection expression</emphasis>: A selection
-	  expression is a string containing a list of prefixes and audit
+	  expression is a string containing a list of prefixes and
-	  event class names used to match events.</para>
+	  audit event class names used to match events.</para>
      </listitem>
      <listitem>
-	<para><emphasis>preselection</emphasis>: The process by which the
+	<para><emphasis>preselection</emphasis>: The process by which
-	  system identifies which events are of interest to the administrator
+	  the system identifies which events are of interest to the
-	  in order to avoid generating audit records describing events that
+	  administrator in order to avoid generating audit records
-	  are not of interest.  The preselection configuration
+	  describing events that are not of interest.  The
-	  uses a series of selection expressions to identify which classes
+	  preselection configuration uses a series of selection
-	  of events to audit for which users, as well as global settings
+	  expressions to identify which classes of events to audit for
-	  that apply to both authenticated and unauthenticated
+	  which users, as well as global settings that apply to both
-	  processes.</para>
+	  authenticated and unauthenticated processes.</para>
      </listitem>
      <listitem>
-	<para><emphasis>reduction</emphasis>: The process by which records
+	<para><emphasis>reduction</emphasis>: The process by which
-	  from existing audit trails are selected for preservation, printing,
+	  records from existing audit trails are selected for
-	  or analysis.  Likewise, the process by which undesired audit
+	  preservation, printing, or analysis.  Likewise, the process
-	  records are removed from the audit trail.  Using reduction,
+	  by which undesired audit records are removed from the audit
-	  administrators can implement policies for the preservation of audit
+	  trail.  Using reduction, administrators can implement
-	  data.  For example, detailed audit trails might be kept for one
+	  policies for the preservation of audit data.  For example,
-	  month, but after that, trails might be reduced in order to preserve
+	  detailed audit trails might be kept for one month, but after
-	  only login information for archival purposes.</para>
+	  that, trails might be reduced in order to preserve only
 	  login information for archival purposes.</para>
      </listitem>
    </itemizedlist>
  </sect1>
@ -187,11 +190,11 @@ requirements. -->
  <sect1 id="audit-install">
    <title>Installing Audit Support</title>
-    <para>User space support for Event Auditing is installed as part of the
+    <para>User space support for Event Auditing is installed as part
-      base &os; operating system.  Kernel support for
+      of the base &os; operating system.  Kernel support for Event
-      Event Auditing is compiled in by default, but support for this
+      Auditing is compiled in by default, but support for this feature
-      feature must be explicitly compiled into the custom kernel by adding
+      must be explicitly compiled into the custom kernel by adding the
-      the following line to the kernel configuration file:</para>
+      following line to the kernel configuration file:</para>
    <programlisting>options	AUDIT</programlisting>
@ -199,14 +202,14 @@ requirements. -->
      the kernel via the normal process explained in
      <xref linkend="kernelconfig"/>.</para>
-    <para>Once an audit-enabled kernel is built, installed, and the system
+    <para>Once an audit-enabled kernel is built, installed, and the
-      has been rebooted, enable the audit daemon by adding the following line
+      system has been rebooted, enable the audit daemon by adding the
-      to &man.rc.conf.5;:</para>
+      following line to &man.rc.conf.5;:</para>
    <programlisting>auditd_enable="YES"</programlisting>
-    <para>Audit support must then be started by a reboot, or by manually
+    <para>Audit support must then be started by a reboot, or by
-      starting the audit daemon:</para>
+      manually starting the audit daemon:</para>
    <programlisting>/etc/rc.d/auditd start</programlisting>
  </sect1>
@ -215,8 +218,9 @@ requirements. -->
    <title>Audit Configuration</title>
    <para>All configuration files for security audit are found in
-      <filename class="directory">/etc/security</filename>.  The following
+      <filename class="directory">/etc/security</filename>.  The
-      files must be present before the audit daemon is started:</para>
+      following files must be present before the audit daemon is
      started:</para>
    <itemizedlist>
      <listitem>
@ -233,8 +237,8 @@ requirements. -->
      <listitem>
 	<para><filename>audit_event</filename> - Textual names and
-	  descriptions of system audit events, as well as a list of which
+	  descriptions of system audit events, as well as a list of
-	  classes each event is in.</para>
+	  which classes each event is in.</para>
      </listitem>
      <listitem>
@ -244,10 +248,11 @@ requirements. -->
      </listitem>
      <listitem>
-	<para><filename>audit_warn</filename> - A customizable shell script
+	<para><filename>audit_warn</filename> - A customizable shell
-	  used by <application>auditd</application> to generate warning messages in exceptional
+	  script used by <application>auditd</application> to generate
-	  situations, such as when space for audit records is running low or
+	  warning messages in exceptional situations, such as when
-	  when the audit trail file has been rotated.</para>
+	  space for audit records is running low or when the audit
 	  trail file has been rotated.</para>
      </listitem>
    </itemizedlist>
@ -260,70 +265,76 @@ requirements. -->
    <sect2>
      <title>Event Selection Expressions</title>
-      <para>Selection expressions are used in a number of places in the
+      <para>Selection expressions are used in a number of places in
-	audit configuration to determine which events should be audited.
+	the audit configuration to determine which events should be
-	Expressions contain a list of event classes to match, each with
+	audited. Expressions contain a list of event classes to match,
-	a prefix indicating whether matching records should be accepted
+	each with a prefix indicating whether matching records should
-	or ignored, and optionally to indicate if the entry is intended
+	be accepted or ignored, and optionally to indicate if the
-	to match successful or failed operations.  Selection expressions
+	entry is intended to match successful or failed operations.
-	are evaluated from left to right, and two expressions are
+	Selection expressions are evaluated from left to right, and
-	combined by appending one onto the other.</para>
+	two expressions are combined by appending one onto the
 	other.</para>
-      <para>The following list contains the default audit event classes
+      <para>The following list contains the default audit event
-	present in <filename>audit_class</filename>:</para>
+	classes present in <filename>audit_class</filename>:</para>
      <itemizedlist>
 	<listitem>
-	  <para><literal>all</literal> - <emphasis>all</emphasis> - Match all
+	  <para><literal>all</literal> - <emphasis>all</emphasis> -
-	    event classes.</para>
+	    Match all event classes.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>ad</literal> - <emphasis>administrative</emphasis>
+	  <para><literal>ad</literal> -
-	    - Administrative actions performed on the system as a
+	    <emphasis>administrative</emphasis> - Administrative
-	    whole.</para>
+	    actions performed on the system as a whole.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>ap</literal> - <emphasis>application</emphasis> -
+	  <para><literal>ap</literal> -
-	    Application defined action.</para>
+	    <emphasis>application</emphasis> - Application defined
 	    action.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>cl</literal> - <emphasis>file close</emphasis> -
+	  <para><literal>cl</literal> -
-	    Audit calls to the <function>close</function> system
+	    <emphasis>file close</emphasis> - Audit calls to the
-	    call.</para>
+	    <function>close</function> system call.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>ex</literal> - <emphasis>exec</emphasis> - Audit
+	  <para><literal>ex</literal> - <emphasis>exec</emphasis> -
-	    program execution.  Auditing of command line arguments and
+	    Audit program execution.  Auditing of command line
-	    environmental variables is controlled via &man.audit.control.5;
+	    arguments and environmental variables is controlled via
-	    using the <literal>argv</literal> and <literal>envv</literal>
+	    &man.audit.control.5; using the <literal>argv</literal>
-	    parameters to the <literal>policy</literal> setting.</para>
+	    and <literal>envv</literal> parameters to the
 	    <literal>policy</literal> setting.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>fa</literal> - <emphasis>file attribute access</emphasis>
+	  <para><literal>fa</literal> -
-	    - Audit the access of object attributes such as
+	    <emphasis>file attribute access</emphasis> - Audit the
-	    &man.stat.1;, &man.pathconf.2; and similar events.</para>
+	    access of object attributes such as &man.stat.1;,
 	    &man.pathconf.2; and similar events.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>fc</literal> - <emphasis>file create</emphasis>
+	  <para><literal>fc</literal> -
-	    - Audit events where a file is created as a result.</para>
+	    <emphasis>file create</emphasis> - Audit events where a
 	    file is created as a result.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>fd</literal> - <emphasis>file delete</emphasis>
+	  <para><literal>fd</literal> -
-	    - Audit events where file deletion occurs.</para>
+	    <emphasis>file delete</emphasis> - Audit events where file
 	    deletion occurs.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>fm</literal> - <emphasis>file attribute modify</emphasis>
+	  <para><literal>fm</literal> -
-	    - Audit events where file attribute modification occurs,
+	    <emphasis>file attribute modify</emphasis> - Audit events
-	    such as &man.chown.8;, &man.chflags.1;, &man.flock.2;,
+	    where file attribute modification occurs, such as
-	    etc.</para>
+	    &man.chown.8;, &man.chflags.1;, &man.flock.2;, etc.</para>
 	</listitem>
 	<listitem>
@ -333,36 +344,40 @@ requirements. -->
 	</listitem>
 	<listitem>
-	  <para><literal>fw</literal> - <emphasis>file write</emphasis> -
+	  <para><literal>fw</literal> -
-	    Audit events in which data is written, files are written
+	    <emphasis>file write</emphasis> - Audit events in which
-	    or modified, etc.</para>
+	    data is written, files are written or modified,
 	    etc.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>io</literal> - <emphasis>ioctl</emphasis> - Audit
+	  <para><literal>io</literal> - <emphasis>ioctl</emphasis> -
-	    use of the &man.ioctl.2; system call.</para>
+	    Audit use of the &man.ioctl.2; system call.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>ip</literal> - <emphasis>ipc</emphasis> - Audit
+	  <para><literal>ip</literal> - <emphasis>ipc</emphasis> -
-	    various forms of Inter-Process Communication, including POSIX
+	    Audit various forms of Inter-Process Communication,
-	    pipes and System V <acronym>IPC</acronym> operations.</para>
+	    including POSIX pipes and System V <acronym>IPC</acronym>
 	    operations.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>lo</literal> - <emphasis>login_logout</emphasis> -
+	  <para><literal>lo</literal> -
-	    Audit &man.login.1; and &man.logout.1; events occurring
+	    <emphasis>login_logout</emphasis> - Audit &man.login.1;
-	    on the system.</para>
+	    and &man.logout.1; events occurring on the system.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>na</literal> - <emphasis>non attributable</emphasis> -
+	  <para><literal>na</literal> -
-	    Audit non-attributable events.</para>
+	    <emphasis>non attributable</emphasis> - Audit
 	    non-attributable events.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>no</literal> - <emphasis>invalid class</emphasis> -
+	  <para><literal>no</literal> -
-	    Match no audit events.</para>
+	    <emphasis>invalid class</emphasis> - Match no audit
 	    events.</para>
 	</listitem>
 	<listitem>
@ -384,19 +399,19 @@ requirements. -->
      </itemizedlist>
-      <para>These audit event classes may be customized by modifying the
+      <para>These audit event classes may be customized by modifying
-	<filename>audit_class</filename> and
+	the <filename>audit_class</filename> and
 	<filename>audit_event</filename> configuration files.</para>
      <para>Each audit class in the list is combined with a prefix
-	indicating whether successful/failed operations are matched, and
+	indicating whether successful/failed operations are matched,
-	whether the entry is adding or removing matching for the class
+	and whether the entry is adding or removing matching for the
-	and type.</para>
+	class and type.</para>
      <itemizedlist>
 	<listitem>
-	  <para>(none) Audit both successful and failed instances of the
+	  <para>(none) Audit both successful and failed instances of
-	    event.</para>
+	    the event.</para>
 	</listitem>
 	<listitem>
@ -410,45 +425,44 @@ requirements. -->
 	</listitem>
 	<listitem>
-	  <para><literal>^</literal> Audit neither successful nor failed
+	  <para><literal>^</literal> Audit neither successful nor
-	    events in this class.</para>
+	    failed events in this class.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>^+</literal> Do not audit successful events in this
+	  <para><literal>^+</literal> Do not audit successful events
-	    class.</para>
+	    in this class.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>^-</literal> Do not audit failed events in this
+	  <para><literal>^-</literal> Do not audit failed events in
-	    class.</para>
+	    this class.</para>
 	</listitem>
      </itemizedlist>
-      <para>The following example selection string selects both successful
+      <para>The following example selection string selects both
-	and failed login/logout events, but only successful execution
+	successful and failed login/logout events, but only successful
-	events:</para>
+	execution events:</para>
      <programlisting>lo,+ex</programlisting>
    </sect2>
    <sect2>
      <title>Configuration Files</title>
-      <para>In most cases, administrators will need to modify only two files
+      <para>In most cases, administrators will need to modify only two
-	when configuring the audit system: <filename>audit_control</filename>
+	files when configuring the audit system:
-	and <filename>audit_user</filename>.  The first controls system-wide
+	<filename>audit_control</filename> and
-	audit properties and policies; the second may be used to fine-tune
+	<filename>audit_user</filename>.  The first controls
-	auditing by user.</para>
+	system-wide audit properties and policies; the second may be
 	used to fine-tune auditing by user.</para>
      <sect3 id="audit-auditcontrol">
 	<title>The <filename>audit_control</filename> File</title>
-	<para>The <filename>audit_control</filename> file specifies a number
+	<para>The <filename>audit_control</filename> file specifies a
-	  of defaults for the audit subsystem.  Viewing the contents of this
+	  number of defaults for the audit subsystem.  Viewing the
-	  file, we see the following:</para>
+	  contents of this file, we see the following:</para>
 	<programlisting>dir:/var/audit
 flags:lo
@ -457,71 +471,73 @@ naflags:lo
 policy:cnt
 filesz:0</programlisting>
-	<para>The <option>dir</option> option is used to set one or more
+	<para>The <option>dir</option> option is used to set one or
-	  directories where audit logs will be stored.  If more than one
+	  more directories where audit logs will be stored.  If more
-	  directory entry appears, they will be used in order as they fill.
+	  than one directory entry appears, they will be used in order
-	  It is common to configure audit so that audit logs are stored on
+	  as they fill.  It is common to configure audit so that audit
-	  a dedicated file system, in order to prevent interference between
+	  logs are stored on a dedicated file system, in order to
-	  the audit subsystem and other subsystems if the file system fills.
+	  prevent interference between the audit subsystem and other
-	  </para>
+	  subsystems if the file system fills.</para>
-	<para>The <option>flags</option> field sets the system-wide default
+	<para>The <option>flags</option> field sets the system-wide
-	  preselection mask for attributable events.  In the example above,
+	  default preselection mask for attributable events.  In the
-	  successful and failed login and logout events are audited for all
+	  example above, successful and failed login and logout events
-	  users.</para>
+	  are audited for all users.</para>
 	<para>The <option>minfree</option> option defines the minimum
-	  percentage of free space for the file system where the audit trail
+	  percentage of free space for the file system where the audit
-	  is stored.  When this threshold is exceeded, a warning will be
+	  trail is stored.  When this threshold is exceeded, a warning
-	  generated.  The above example sets the minimum free space to
+	  will be generated.  The above example sets the minimum free
-	  twenty percent.</para>
+	  space to twenty percent.</para>
-	<para>The <option>naflags</option> option specifies audit classes to
+	<para>The <option>naflags</option> option specifies audit
-	  be audited for non-attributed events, such as the login process
+	  classes to be audited for non-attributed events, such as the
-	  and system daemons.</para>
+	  login process and system daemons.</para>
-	<para>The <option>policy</option> option specifies a comma-separated
+	<para>The <option>policy</option> option specifies a
-	  list of policy flags controlling various aspects of audit
+	  comma-separated list of policy flags controlling various
-	  behavior.  The default <literal>cnt</literal> flag indicates that
+	  aspects of audit behavior.  The default
-	  the system should continue running despite an auditing failure
+	  <literal>cnt</literal> flag indicates that the system should
-	  (this flag is highly recommended).  Another commonly used flag is
+	  continue running despite an auditing failure (this flag is
-	  <literal>argv</literal>, which causes command line arguments to
+	  highly recommended).  Another commonly used flag is
-	  the &man.execve.2; system call to be audited as part of command
+	  <literal>argv</literal>, which causes command line arguments
-	  execution.</para>
+	  to the &man.execve.2; system call to be audited as part of
 	  command execution.</para>
-	<para>The <option>filesz</option> option specifies the maximum size
+	<para>The <option>filesz</option> option specifies the maximum
-	  in bytes to allow an audit trail file to grow to before
+	  size in bytes to allow an audit trail file to grow to before
 	  automatically terminating and rotating the trail file.  The
-	  default, 0, disables automatic log rotation.  If the requested
+	  default, 0, disables automatic log rotation.  If the
-	  file size is non-zero and below the minimum 512k, it will be
+	  requested file size is non-zero and below the minimum 512k,
-	  ignored and a log message will be generated.</para>
+	  it will be ignored and a log message will be
 	  generated.</para>
      </sect3>
      <sect3 id="audit-audituser">
 	<title>The <filename>audit_user</filename> File</title>
 	<para>The <filename>audit_user</filename> file permits the
-	  administrator to specify further audit requirements for specific
+	  administrator to specify further audit requirements for
-	  users.
+	  specific users.  Each line configures auditing for a user
-	  Each line configures auditing for a user via two fields: the
+	  via two fields: the first is the
-	  first is the <literal>alwaysaudit</literal> field, which specifies
+	  <literal>alwaysaudit</literal> field, which specifies a set
-	  a set of events that should always be audited for the user, and
+	  of events that should always be audited for the user, and
 	  the second is the <literal>neveraudit</literal> field, which
-	  specifies a set of events that should never be audited for the
+	  specifies a set of events that should never be audited for
-	  user.</para>
+	  the user.</para>
-	<para>The following example <filename>audit_user</filename> file
+	<para>The following example <filename>audit_user</filename>
-	  audits login/logout events and successful command execution for
+	  file audits login/logout events and successful command
-	  the <username>root</username> user, and audits file creation and successful command
+	  execution for the <username>root</username> user, and audits
-	  execution for the <username>www</username> user.
+	  file creation and successful command execution for the
-	  If used with the example <filename>audit_control</filename> file
+	  <username>www</username> user.  If used with the example
-	  above, the <literal>lo</literal> entry for <username>root</username>
+	  <filename>audit_control</filename> file above, the
-	  is redundant, and login/logout events will also be audited for the
+	  <literal>lo</literal> entry for <username>root</username> is
-	  <username>www</username> user.</para>
+	  redundant, and login/logout events will also be audited for
 	  the <username>www</username> user.</para>
 	<programlisting>root:lo,+ex:no
 www:fc,+ex:no</programlisting>
      </sect3>
    </sect2>
  </sect1>
@ -532,29 +548,32 @@ www:fc,+ex:no</programlisting>
    <sect2>
      <title>Viewing Audit Trails</title>
-      <para>Audit trails are stored in the BSM binary format, so tools must
+      <para>Audit trails are stored in the BSM binary format, so tools
-	be used to modify or convert to text.  The &man.praudit.1;
+	must be used to modify or convert to text.  The
-	command converts trail files to a simple text format; the
+	&man.praudit.1; command converts trail files to a simple text
-	&man.auditreduce.1; command may be used to reduce the
+	format; the &man.auditreduce.1; command may be used to reduce
-	audit trail file for analysis, archiving, or printing purposes.
+	the audit trail file for analysis, archiving, or printing
-	<command>auditreduce</command> supports a variety of selection
+	purposes.  <command>auditreduce</command> supports a variety
-	parameters, including event type, event class, user, date or time of
+	of selection parameters, including event type, event class,
-	the event, and the file path or object acted on.</para>
+	user, date or time of the event, and the file path or object
 	acted on.</para>
-      <para>For example, the <command>praudit</command> utility will dump
+      <para>For example, the <command>praudit</command> utility will
-	the entire contents of a specified audit log in plain text:</para>
+	dump the entire contents of a specified audit log in plain
 	text:</para>
      <screen>&prompt.root; <userinput>praudit /var/audit/AUDITFILE</userinput></screen>
-      <para>Where <filename><replaceable>AUDITFILE</replaceable></filename> is the audit log to
+      <para>Where
-	dump.</para>
+	<filename><replaceable>AUDITFILE</replaceable></filename> is
 	the audit log to dump.</para>
-      <para>Audit trails consist of a series of audit records made up of
+      <para>Audit trails consist of a series of audit records made up
-	tokens, which <command>praudit</command> prints sequentially one per
+	of tokens, which <command>praudit</command> prints
-	line.  Each token is of a specific type, such as
+	sequentially one per line.  Each token is of a specific type,
-	<literal>header</literal> holding an audit record header, or
+	such as <literal>header</literal> holding an audit record
-	<literal>path</literal> holding a file path from a name
+	header, or <literal>path</literal> holding a file path from a
-	lookup.  The following is an example of an
+	name lookup.  The following is an example of an
 	<literal>execve</literal> event:</para>
      <programlisting>header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
@ -565,112 +584,124 @@ subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
 return,success,0
 trailer,133</programlisting>
-      <para>This audit represents a successful <literal>execve</literal>
+      <para>This audit represents a successful
-	call, in which the command <literal>finger doug</literal> has been run.  The
+	<literal>execve</literal> call, in which the command
-	arguments token contains both the processed command line presented
+	<literal>finger doug</literal> has been run.  The arguments
-	by the shell to the kernel.  The <literal>path</literal> token holds the path to the
+	token contains both the processed command line presented by
-	executable as looked up by the kernel.  The <literal>attribute</literal> token
+	the shell to the kernel.  The <literal>path</literal> token
-	describes the binary, and in particular, includes the file mode
+	holds the path to the executable as looked up by the kernel.
-	which can be used to determine if the application was setuid.
+	The <literal>attribute</literal> token describes the binary,
-	The <literal>subject</literal> token describes the subject process, and stores in
+	and in particular, includes the file mode which can be used to
-	sequence the audit user ID, effective user ID and group ID, real
+	determine if the application was setuid.  The
-	user ID and group ID, process ID, session ID, port ID, and login
+	<literal>subject</literal> token describes the subject
-	address.  Notice that the audit user ID and real user ID differ:
+	process, and stores in sequence the audit user ID, effective
-	the user <username>robert</username> has switched to the
+	user ID and group ID, real user ID and group ID, process ID,
-	<username>root</username> account before running this command, but
+	session ID, port ID, and login address.  Notice that the audit
-	it is audited using the original authenticated user.  Finally, the
+	user ID and real user ID differ: the user
-	<literal>return</literal> token indicates the successful execution, and the <literal>trailer</literal>
+	<username>robert</username> has switched to the
 	<username>root</username> account before running this command,
 	but it is audited using the original authenticated user.
 	Finally, the <literal>return</literal> token indicates the
 	successful execution, and the <literal>trailer</literal>
 	concludes the record.</para>
      <para><command>praudit</command> also supports
 	an XML output format, which can be selected using the
 	<option>-x</option> argument.</para>
    </sect2>
    <sect2>
      <title>Reducing Audit Trails</title>
      <para>Since audit logs may be very large, an administrator will
-	likely want to select a subset of records for using, such as records
+	likely want to select a subset of records for using, such as
-	associated with a specific user:</para>
+	records associated with a specific user:</para>
      <screen>&prompt.root; <userinput>auditreduce -u trhodes /var/audit/AUDITFILE | praudit</userinput></screen>
      <para>This will select all audit records produced for the user
 	<username>trhodes</username> stored in the
-	<filename><replaceable>AUDITFILE</replaceable></filename> file.</para>
+	<filename><replaceable>AUDITFILE</replaceable></filename>
 	file.</para>
    </sect2>
    <sect2>
      <title>Delegating Audit Review Rights</title>
-      <para>Members of the <groupname>audit</groupname> group are given
+      <para>Members of the <groupname>audit</groupname> group are
-	permission to read audit trails in <filename>/var/audit</filename>;
+	given permission to read audit trails in
-	by default, this group is empty, so only the <username>root</username> user may read
+	<filename>/var/audit</filename>; by default, this group is
-	audit trails.  Users may be added to the <groupname>audit</groupname>
+	empty, so only the <username>root</username> user may read
-	group in order to delegate audit review rights to the user.  As
+	audit trails.  Users may be added to the
-	the ability to track audit log contents provides significant insight
+	<groupname>audit</groupname> group in order to delegate audit
-	into the behavior of users and processes, it is recommended that the
+	review rights to the user.  As the ability to track audit log
-	delegation of audit review rights be performed with caution.</para>
+	contents provides significant insight into the behavior of
 	users and processes, it is recommended that the delegation of
 	audit review rights be performed with caution.</para>
    </sect2>
    <sect2>
      <title>Live Monitoring Using Audit Pipes</title>
-      <para>Audit pipes are cloning pseudo-devices in the device file system
+      <para>Audit pipes are cloning pseudo-devices in the device file
-	which allow applications to tap the live audit record stream.  This
+	system which allow applications to tap the live audit record
-	is primarily of interest to authors of intrusion detection and
+	stream.  This is primarily of interest to authors of intrusion
-	system monitoring applications.  However, for the administrator the
+	detection and system monitoring applications.  However, for
-	audit pipe device is a convenient way to allow live monitoring
+	the administrator the audit pipe device is a convenient way to
-	without running into problems with audit trail file ownership or
+	allow live monitoring without running into problems with audit
-	log rotation interrupting the event stream.  To track the live audit
+	trail file ownership or log rotation interrupting the event
-	event stream, use the following command line:</para>
+	stream.  To track the live audit event stream, use the
 	following command line:</para>
      <screen>&prompt.root; <userinput>praudit /dev/auditpipe</userinput></screen>
-      <para>By default, audit pipe device nodes are accessible only to the
+      <para>By default, audit pipe device nodes are accessible only to
-	<username>root</username> user.  To make them accessible to the members of the
+	the <username>root</username> user.  To make them accessible
-	<groupname>audit</groupname> group, add a <literal>devfs</literal> rule
+	to the members of the <groupname>audit</groupname> group, add
-	to <filename>devfs.rules</filename>:</para>
+	a <literal>devfs</literal> rule to
 	<filename>devfs.rules</filename>:</para>
      <programlisting>add path 'auditpipe*' mode 0440 group audit</programlisting>
-      <para>See  &man.devfs.rules.5; for more information on configuring
+      <para>See &man.devfs.rules.5; for more information on
-	the devfs file system.</para>
+	configuring the devfs file system.</para>
      <warning>
-	<para>It is easy to produce audit event feedback cycles, in which
+	<para>It is easy to produce audit event feedback cycles, in
-	  the viewing of each audit event results in the generation of more
+	  which the viewing of each audit event results in the
-	  audit events.  For example, if all network I/O is audited, and
+	  generation of more audit events.  For example, if all
-	  &man.praudit.1; is run from an SSH session, then a continuous stream of
+	  network I/O is audited, and &man.praudit.1; is run from an
-	  audit events will be generated at a high rate, as each event
+	  SSH session, then a continuous stream of audit events will
-	  being printed will generate another event.  It is advisable to run
+	  be generated at a high rate, as each event being printed
-	  <command>praudit</command> on an audit pipe device from sessions without fine-grained
+	  will generate another event.  It is advisable to run
-	  I/O auditing in order to avoid this happening.</para>
+	  <command>praudit</command> on an audit pipe device from
 	  sessions without fine-grained I/O auditing in order to avoid
 	  this happening.</para>
      </warning>
    </sect2>
    <sect2>
      <title>Rotating Audit Trail Files</title>
-      <para>Audit trails are written to only by the kernel, and managed only
+      <para>Audit trails are written to only by the kernel, and
-	by the audit daemon, <application>auditd</application>.  Administrators
+	managed only by the audit daemon,
-	should not attempt to use &man.newsyslog.conf.5; or other tools to
+	<application>auditd</application>.  Administrators should not
-	directly rotate audit logs.  Instead, the <command>audit</command>
+	attempt to use &man.newsyslog.conf.5; or other tools to
-	management tool may be used to shut down auditing, reconfigure the
+	directly rotate audit logs.  Instead, the
-	audit system, and perform log rotation.  The following command causes
+	<command>audit</command> management tool may be used to shut
-	the audit daemon to create a new audit log and signal the kernel to
+	down auditing, reconfigure the audit system, and perform log
-	switch to using the new log.  The old log will be terminated and
+	rotation.  The following command causes the audit daemon to
 	create a new audit log and signal the kernel to switch to
 	using the new log.  The old log will be terminated and
 	renamed, at which point it may then be manipulated by the
 	administrator.</para>
      <screen>&prompt.root; <userinput>audit -n</userinput></screen>
      <warning>
-	<para>If the <application>auditd</application> daemon is not currently
+	<para>If the <application>auditd</application> daemon is not
-	  running, this command will fail and an error message will be
+	  currently running, this command will fail and an error
-	  produced.</para>
+	  message will be produced.</para>
      </warning>
      <para>Adding the following line to
@ -682,23 +713,24 @@ trailer,133</programlisting>
      <para>The change will take effect once you have saved the
 	new <filename>/etc/crontab</filename>.</para>
-      <para>Automatic rotation of the audit trail file based on file size is
+      <para>Automatic rotation of the audit trail file based on file
-	possible via the <option>filesz</option> option in
+	size is possible via the <option>filesz</option> option in
-	&man.audit.control.5;, and is described in the configuration files
+	&man.audit.control.5;, and is described in the configuration
-	section of this chapter.</para>
+	files section of this chapter.</para>
    </sect2>
    <sect2>
      <title>Compressing Audit Trails</title>
-      <para>As audit trail files can become very large, it is often desirable
+      <para>As audit trail files can become very large, it is often
-	to compress or otherwise archive trails once they have been closed by
+	desirable to compress or otherwise archive trails once they
-	the audit daemon.  The <filename>audit_warn</filename> script can be
+	have been closed by the audit daemon.  The
-	used to perform customized operations for a variety of audit-related
+	<filename>audit_warn</filename> script can be used to perform
-	events, including the clean termination of audit trails when they are
+	customized operations for a variety of audit-related events,
 	including the clean termination of audit trails when they are
 	rotated.  For example, the following may be added to the
-	<filename>audit_warn</filename> script to compress audit trails on
+	<filename>audit_warn</filename> script to compress audit
-	close:</para>
+	trails on close:</para>
      <programlisting>#
 # Compress audit trail files on close.
@ -707,11 +739,12 @@ if [ "$1" = closefile ]; then
        gzip -9 $2
 fi</programlisting>
-      <para>Other archiving activities might include copying trail files to
+      <para>Other archiving activities might include copying trail
-	a centralized server, deleting old trail files, or reducing the audit
+	files to a centralized server, deleting old trail files, or
-	trail to remove unneeded records.  The script will be run only when
+	reducing the audit trail to remove unneeded records.  The
-	audit trail files are cleanly terminated, so will not be run on
+	script will be run only when audit trail files are cleanly
-	trails left unterminated following an improper shutdown.</para>
+	terminated, so will not be run on trails left unterminated
 	following an improper shutdown.</para>
    </sect2>
  </sect1>
 </chapter>