Break out Viewing vs. Reduction of audit trail sections.

Expand the viewing section to include a sample audit record from a trail, along with a description of what the record says. Obtained from: TrustedBSD Project
svn path=/head/; revision=28718
2006-09-25 17:33:53 +00:00 · 2006-09-25 17:33:53 +00:00 · d3aeb13515 · 2020-12-08 03:00:23 +00:00
commit d3aeb13515
parent fabcbaca97
1 changed files with 42 additions and 2 deletions
--- a/en_US.ISO8859-1/books/handbook/audit/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/audit/chapter.sgml
@ -504,7 +504,7 @@ www:fc,+ex:no</programlisting>
    <title>Administering the Audit Subsystem</title>

    <sect2>
-      <title>Viewing and Reducing Audit Trails</title>
+      <title>Viewing Audit Trails</title>

      <para>Audit trails are stored in the BSM binary format, so tools must
 	be used to modify or convert to text.  The <command>praudit</command>
@ -521,7 +521,47 @@ www:fc,+ex:no</programlisting>
      <screen>&prompt.root; <userinput>praudit /var/audit/AUDITFILE</userinput></screen>

      <para>Where <replaceable>AUDITFILE</replaceable> is the audit log to
-	dump.  Since audit logs may be very large, an administrator will
+	dump.</para>
+
+      <para>Audit trails consist of a series of audit records made up of
+	tokens, which <command>praudit</command> prints sequentially one per
+	line.  Each token is of a specific type, such as
+	<literal>header</literal> holding an audit record header, or
+	<literal>path</literal> holding a file path from a name
+	lookup.  The following is an example of an
+	<literal>execve</literal> event:</para>
+
+      <programlisting>header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
+exec arg,finger,doug
+path,/usr/bin/finger
+attribute,555,root,wheel,90,24918,104944
+subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
+return,success,0
+trailer,133</programlisting>
+
+      <para>This audit represents a successful <literal>execve</literal>
+	call, in which the command "finger doug" has been run.  The
+	arguments token contains both the processed command line presented
+	by the shell to the kernel.  The path token holds the path to the
+	executable as looked up by the kernel.  The attribute token
+	describes the binary, and in particular, includes the file mode
+	which can be used to determine if the application was setuid.
+	The subject token describes the subject process, and stores in
+	sequence the audit user ID, effective user ID and group ID, real
+	user ID and group ID, process ID, session ID, port ID, and login
+	address.  Notice that the audit user ID and real user ID differ:
+	the user <literal>robert</literal> has switched to the
+	<literal>root</literal> account before running this command, but
+	it is audited using the original authenticated user.  Finally, the
+	return token indicates the successful execution, and the trailer
+	concludes the record.</para>
+
+    </sect2>
+
+    <sect2>
+      <title>Reducing Audit Trails</title>
+
+      <para>Since audit logs may be very large, an administrator will
 	likely want to select a subset of records for using, such as records
 	associated with a specific user:</para>