- Don't say "by default" regarding paths in /etc/security: they are not
configurable.
- Note that the 'ip' event class covers more than just System V IPC.
- Clarify the differences between the audit_control and audit_user files
in the configuration files introduction.
- Slightly reword audit log rotiation introduction.
- Add a section on the 'audit' group, and how this can be used to delegate
audit review rights.
Obtained from: TrustedBSD Project
1. Since the example program is called doormand, update the references
to doorman in the script and examples to match the name of the program,
as it is typically done.
2. Fix the comments about the variables to avoid line wrap past 80 columns
3. Re-sort the variables (such as command, etc.) to be in the order that
they are generally listed in the base scripts, and in rc(8).
4. Simplify the rcvar variable to be what `set rcvar` would return anyway
Rename section "Security Event Auditing" from "Kernel Event Auditing" --
while most of our events are currently generated by the kernel, the intent
is that it will be whole system auditing.
More carefully distinguish our implementation being based on Sun's
published API and file format, and not their implementation.
Clarify a few more things audit can be used for, including post-mortem
analysis and intrusion detection.
Mention Mac OS X compatibility in addition to Darwin.
Sort glossary slightly differently -- events before classes, since classes
are defined in terms of events. Tweak definition and examples. Mention
non-attributable vs attributable here.
Mention that classes allow administrators to specify auditing requirements
at a high level.
Describe contents of a record.
Define 'trail'.
Since audit is now part of the base system, remove directions for
installing files, etc, since complete installs should have them, and if
they don't, the user should seek support.
Mention that audit trails are happiest on a file system of their own.
Update example flags option in audit_control -- add information on the
new default, but keep the current example because the new default doesn't
reflect the scope of possible expressions, whereas the earlier example
did.
Rephrase paragraph on avoiding directly manipulating logs in order to
explain that this is because the kernel/daemon own the log until it is
terminated.
Correct example: auditreduce just reduces, not prints, so |praudit is
needed or the user will experience the power of raw BSM's effects on
his or her terminal.
Much suggested by: brueffer
Reviewed by: brueffer
