- Add missing application, command, username, etc. tags;
- Add some manual page entities;
- For the audit_class content I changed some tags and used the
description fields used in /etc/security/audit_class to make this
part easier to read and closer to what the user will find on his
machine;
- Contraction removal;
- Add missing words and fix typos and punctuation.
reduction sections. This is the section that introduces the notion of
the audit group. That way it appears before the section on audit
pipes, which references the audit group.
Obtained from: TrustedBSD Project
- Clean up a few more phrasing nits.
- Extend sections on audit_control to document filesz and policy entries,
and to specifically mention argv, envv, and cnt policy flags.
This brings the audit documentation up-to-date for OpenBSM 1.0 alpha 12.
Obtained from: TrustedBSD Project
experimental, it is experimental. Expand on what this means (not all
events that should be audited are).
Rename Key Terms section to match similar naming convention in MAC
chapter.
Obtained from: TrustedBSD Project
- Further clarify nature of composition of audit_control flags and
audit_user.
- Add missing </para> before auditpipe configuration example.
- Mark up usernames as <literal>.
Obtained from: TrustedBSD Project
Expand the viewing section to include a sample audit record from a trail,
along with a description of what the record says.
Obtained from: TrustedBSD Project
changes and improvements:
- Rephrase synopsis now that we've merged audit support to 6.x. Resort to
push all warnings to the end so that it reads more clearly. Add
reviewing and reducing the audit trail to list of things learned, since it
is covered.
- Simplify class definition, as some of this content can appear in new
definitions for selection expression, preselection, and reduction. The
selection expression definition replaces the existing prefix definition,
and "selection expression" is now used consistently throughout the
document to refer to the previously unnamed matching strings.
- Since audit support is part of the base system, remove comments about
checking for configuration files; they will be present. Add note about
starting auditd with the rc.d script once the new kernel is loaded.
- When describing audit_event file, mention that that is where the class
mappings live.
- Since audit_warn will shortly learn to notify of rotation events, mention
that.
- Rename "Audit File Syntax" section to "Event Selection Expressions",
since that's what the section talks about, and these expressions are used
in more than one file. Correct an error in the prefix list, which was
also present in the man page (and will be fixed in the next OpenBSM
import). Include an example in this section.
- Don't go into selection expression details in the audit_control section,
as that's now earlier in the document.
- Talk in more detail about audit_user fields. I had to check the source to
make sure I understood this first!
- Don't mention a special audit user; it's not a configuration we currently
want to encourage. The audit group now fills this role.
- Create a new sect2 section on viewing and reducing trails from the
existing sect1 introduction for administering the audit subsystem, as it's
a sufficiently detailed and independent set of text that it makes sense.
Clarify some points regarding what you might use auditreduce for. Use
-u instead of -e to match the user in the example.
- Consistently say "audit trail file" instead of "audit log file", except
when introducing the trail concept in the glossary.
- Clarify notion of the audit group some more.
- A number of rephrasings and simplifications.
- Add myself as an author.
Some new features from OpenBSM 1.0a12 are not yet described here, such as
the filesz and policy entries in audit_control, and once that is merged, I
will further update the document, which should clean up the trail rotation
section.
Obtained from: TrustedBSD Project
- Don't say "by default" regarding paths in /etc/security: they are not
configurable.
- Note that the 'ip' event class covers more than just System V IPC.
- Clarify the differences between the audit_control and audit_user files
in the configuration files introduction.
- Slightly reword audit log rotation introduction.
- Add a section on the 'audit' group, and how this can be used to delegate
audit review rights.
Obtained from: TrustedBSD Project
Rename section "Security Event Auditing" from "Kernel Event Auditing" --
while most of our events are currently generated by the kernel, the intent
is that it will be whole system auditing.
More carefully distinguish our implementation being based on Sun's
published API and file format, and not their implementation.
Clarify a few more things audit can be used for, including post-mortem
analysis and intrusion detection.
Mention Mac OS X compatibility in addition to Darwin.
Sort glossary slightly differently -- events before classes, since classes
are defined in terms of events. Tweak definition and examples. Mention
non-attributable vs attributable here.
Mention that classes allow administrators to specify auditing requirements
at a high level.
Describe contents of a record.
Define 'trail'.
Since audit is now part of the base system, remove directions for
installing files, etc., since complete installs should have them, and if
they don't, the user should seek support.
Mention that audit trails are happiest on a file system of their own.
Update example flags option in audit_control -- add information on the
new default, but keep the current example because the new default doesn't
reflect the scope of possible expressions, whereas the earlier example
did.
Rephrase paragraph on avoiding directly manipulating logs in order to
explain that this is because the kernel/daemon own the log until it is
terminated.
Correct example: auditreduce just reduces, not prints, so |praudit is
needed or the user will experience the power of raw BSM's effects on
his or her terminal.
Much suggested by: brueffer
Reviewed by: brueffer
Audit - not hooked up to the build, but provided for when the audit framework
becomes available in the base system.
GEOM - Incomplete, only covers striping and mirroring since that is all I
have tested. Incomplete is better than nothing in my opinion. This one is
hooked up to the build.