Update audit handbook chapter:

- Clean up a few more phrasing nits.
- Extend sections on audit_control to document filesz and policy entries,
  and to specifically mention argv, envv, and cnt policy flags.

This brings the audit documentation up-to-date for OpenBSM 1.0 alpha 12.

Obtained from:	TrustedBSD Project
Robert Watson 2006-10-02 07:50:22 +00:00
parent 3a22779fc0
commit b6389e9431
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=28744


@ -122,8 +122,8 @@ requirements. -->
<para><emphasis>event</emphasis>: An auditable event is any event <para><emphasis>event</emphasis>: An auditable event is any event
that can be logged using the audit subsystem. that can be logged using the audit subsystem.
Examples of security-relevant events include the creation of Examples of security-relevant events include the creation of
a file, the building of a network connection, or the logging a file, the building of a network connection, or a user logging in.
in of a user. Events are either <quote>attributable</quote>, Events are either <quote>attributable</quote>,
meaning that they can be traced to an authenticated user, or meaning that they can be traced to an authenticated user, or
<quote>non-attributable</quote> if they cannot be. <quote>non-attributable</quote> if they cannot be.
Examples of non-attributable events are any events that occur Examples of non-attributable events are any events that occur
@ -163,9 +163,9 @@ requirements. -->
<listitem> <listitem>
<para><emphasis>preselection</emphasis>: The process by which the <para><emphasis>preselection</emphasis>: The process by which the
system identifies which events are of interest in order to avoid system identifies which events are of interest to the administrator
generating audit records describing events that are not of in order to avoid generating audit records describing events that
interest to the administrator. The preselection configuration are not of interest. The preselection configuration
uses a series of selection expressions to identify which classes uses a series of selection expressions to identify which classes
of events to audit for which users, as well as global settings of events to audit for which users, as well as global settings
that apply to both authenticated and unauthenticated that apply to both authenticated and unauthenticated
@ -189,9 +189,9 @@ requirements. -->
<title>Installing Audit Support</title> <title>Installing Audit Support</title>
<para>User space support for Event Auditing is installed as part of the <para>User space support for Event Auditing is installed as part of the
base &os; operating as of 6.2-RELEASE. However, kernel support for base &os; operating as of 6.2-RELEASE. However, Event Auditing support
Event Auditing must also be configured, which is done by adding the must be explicitly compiled into the kernel by adding the following
following lines to the local configuration file:</para> lines to the kernel configuration file:</para>
<programlisting>options AUDIT</programlisting> <programlisting>options AUDIT</programlisting>
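Review bot: "base &os; operating as of 6.2-RELEASE" is missing a word in both the old and the new text; it should read "base &os; operating system as of 6.2-RELEASE". The rewrite of the second sentence ("must be explicitly compiled into the kernel by adding the following lines to the kernel configuration file") is clearer than the old "local configuration file" wording, which could be misread as referring to a file in /etc rather than a kernel config.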
@ -228,7 +228,7 @@ requirements. -->
<para><filename>audit_control</filename> - Controls aspects <para><filename>audit_control</filename> - Controls aspects
of the audit subsystem, such as default audit classes, of the audit subsystem, such as default audit classes,
minimum disk space to leave on the audit log volume, minimum disk space to leave on the audit log volume,
etc.</para> maximum audit trail size, etc.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -238,7 +238,7 @@ requirements. -->
</listitem> </listitem>
<listitem> <listitem>
<para><filename>audit_user</filename> - Any user-specific audit <para><filename>audit_user</filename> - User-specific audit
requirements, which are combined with the global defaults at requirements, which are combined with the global defaults at
login.</para> login.</para>
</listitem> </listitem>
@ -297,7 +297,10 @@ requirements. -->
<listitem> <listitem>
<para><option>ex</option> - <literal>exec</literal> - Audit <para><option>ex</option> - <literal>exec</literal> - Audit
program or utility execution.</para> program execution. Auditing of command line arguments and
environmental variables is controlled via &man.audit.control.5;
using the <literal>argv</literal> and <literal>envv</literal>
parameters to the <literal>policy</literal> setting.</para>
</listitem> </listitem>
<listitem> <listitem>
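Review bot: "environmental variables" in the added sentence should be "environment variables", which is the standard term and the one the <literal>envv</literal> flag name abbreviates. The cross-reference to &man.audit.control.5; is useful; since the later paragraph in this change states that <literal>cnt</literal> is the default policy flag, it may help to say here that <literal>argv</literal> and <literal>envv</literal> must be added to the <literal>policy</literal> line explicitly before arguments or environment appear in the trail.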
@ -450,7 +453,9 @@ requirements. -->
<programlisting>dir:/var/audit <programlisting>dir:/var/audit
flags:lo flags:lo
minfree:20 minfree:20
naflags:lo</programlisting> naflags:lo
policy:cnt
filesz:0</programlisting>
<para>The <option>dir</option> option is used to set one or more <para>The <option>dir</option> option is used to set one or more
directories where audit logs will be stored. If more than one directories where audit logs will be stored. If more than one
@ -474,6 +479,22 @@ naflags:lo</programlisting>
<para>The <option>naflags</option> option specifies audit classes to <para>The <option>naflags</option> option specifies audit classes to
be audited for non-attributed events, such as the login process be audited for non-attributed events, such as the login process
and system daemons.</para> and system daemons.</para>
<para>The <option>policy</option> option specifies a comma-separated
list of policy flags controlling various aspects of audit
behavior. The default <literal>cnt</literal> flag indicates that
the system should continue running despite an auditing failure
(this flag is highly recommended). Another commonly used flag is
<literal>argv</literal>, which causes command line arguments to
the &man.execve.2; system call to audited as part of command
execution.</para>
<para>The <option>filesz</option> option specifies the maximum size
in bytes to allow an audit trail file to grow to before
automatically terminating and rotating the trail file. The
default, 0, disables automatic log rotation. If the requested
file size is non-zero and below the minimum 512k, it will be
ignored and a log message will be generated.</para>
</sect3> </sect3>
<sect3 id="audit-audituser"> <sect3 id="audit-audituser">
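Review bot: in the new <option>policy</option> paragraph, "system call to audited as part of command execution" is missing a word and should read "system call to be audited". In the <option>filesz</option> paragraph, "512k" is ambiguous alongside a value documented in bytes; spell it as "512 KB" (or "512 kilobytes") so the minimum and the unit of the setting are unmistakable. The example listing in the earlier hunk shows <literal>filesz:0</literal>, which agrees with the statement that 0 disables rotation, so the two hunks are consistent.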