diff --git a/en_US.ISO8859-1/books/handbook/audit/chapter.sgml b/en_US.ISO8859-1/books/handbook/audit/chapter.sgml index 1945dc0931..3077b6bd28 100644 --- a/en_US.ISO8859-1/books/handbook/audit/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/audit/chapter.sgml @@ -122,8 +122,8 @@ requirements. --> event: An auditable event is any event that can be logged using the audit subsystem. Examples of security-relevant events include the creation of - a file, the building of a network connection, or the logging - in of a user. Events are either attributable, + a file, the building of a network connection, or a user logging in. + Events are either attributable, meaning that they can be traced to an authenticated user, or non-attributable if they cannot be. Examples of non-attributable events are any events that occur @@ -163,9 +163,9 @@ requirements. --> preselection: The process by which the - system identifies which events are of interest in order to avoid - generating audit records describing events that are not of - interest to the administrator. The preselection configuration + system identifies which events are of interest to the administrator + in order to avoid generating audit records describing events that + are not of interest. The preselection configuration uses a series of selection expressions to identify which classes of events to audit for which users, as well as global settings that apply to both authenticated and unauthenticated @@ -189,9 +189,9 @@ requirements. --> Installing Audit Support User space support for Event Auditing is installed as part of the - base &os; operating as of 6.2-RELEASE. However, kernel support for - Event Auditing must also be configured, which is done by adding the - following lines to the local configuration file: + base &os; operating as of 6.2-RELEASE. However, Event Auditing support + must be explicitly compiled into the kernel by adding the following + lines to the kernel configuration file: options AUDIT 
@@ -228,7 +228,7 @@ requirements. --> audit_control - Controls aspects of the audit subsystem, such as default audit classes, minimum disk space to leave on the audit log volume, - etc. + maximum audit trail size, etc. @@ -238,7 +238,7 @@ requirements. --> - audit_user - Any user-specific audit + audit_user - User-specific audit requirements, which are combined with the global defaults at login. @@ -297,7 +297,10 @@ requirements. --> - exec - Audit - program or utility execution. + program execution. Auditing of command line arguments and + environmental variables is controlled via &man.audit.control.5; + using the argv and envv + parameters to the policy setting. @@ -450,7 +453,9 @@ requirements. --> dir:/var/audit flags:lo minfree:20 -naflags:lo +naflags:lo +policy:cnt +filesz:0 The option is used to set one or more directories where audit logs will be stored. If more than one @@ -474,6 +479,22 @@ naflags:lo The option specifies audit classes to be audited for non-attributed events, such as the login process and system daemons. + + The option specifies a comma-separated + list of policy flags controlling various aspects of audit + behavior. The default cnt flag indicates that + the system should continue running despite an auditing failure + (this flag is highly recommended). Another commonly used flag is + argv, which causes command line arguments to + the &man.execve.2; system call to audited as part of command + execution. + + The option specifies the maximum size + in bytes to allow an audit trail file to grow to before + automatically terminating and rotating the trail file. The + default, 0, disables automatic log rotation. If the requested + file size is non-zero and below the minimum 512k, it will be + ignored and a log message will be generated.
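Review bot: In the "Installing Audit Support" hunk the rewritten line still reads "base &os; operating as of 6.2-RELEASE", so the missing word survives the edit; it should be "base &os; operating system as of 6.2-RELEASE". The rest of that hunk ("must be explicitly compiled into the kernel by adding the following lines to the kernel configuration file") is an improvement, since the old text called it "the local configuration file", which is ambiguous.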
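Review bot: In the exec class hunk, "environmental variables" should be "environment variables", which is the term the rest of the handbook uses. Consider also spelling out here that argv and envv are policy flags in audit_control rather than "parameters to the policy setting", so the wording matches the later hunk that documents the policy option as "a comma-separated list of policy flags".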
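Review bot: In the policy/filesz hunk there is a missing verb: "which causes command line arguments to the &man.execve.2; system call to audited" should read "to be audited". Since the exec class hunk earlier in this patch mentions both argv and envv, the policy paragraph should mention envv as well (for example, "and envv, which audits environment variables"), otherwise a reader following the cross-reference from the exec class finds only one of the two flags documented. The minimum size "512k" is also better written with an explicit unit, e.g. "512 kilobytes", given that the preceding sentence states the size "in bytes".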