svn commit: r41589 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit
Dru Lavigne
dru at FreeBSD.org
Fri May 10 11:55:41 UTC 2013
Author: dru
Date: Fri May 10 11:55:40 2013
New Revision: 41589
URL: http://svnweb.freebsd.org/changeset/doc/41589
Log:
White space fix only. Translators can ignore.
Approved by: bcr (mentor)
Modified:
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml
Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Fri May 10 11:40:22 2013 (r41588)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/audit/chapter.xml Fri May 10 11:55:40 2013 (r41589)
@@ -60,8 +60,8 @@ requirements. -->
</listitem>
<listitem>
- <para>How to configure Event Auditing on &os; for users
- and processes.</para>
+ <para>How to configure Event Auditing on &os; for users and
+ processes.</para>
</listitem>
<listitem>
@@ -85,8 +85,8 @@ requirements. -->
</listitem>
<listitem>
- <para>Have some familiarity with security and how it
- pertains to &os; (<xref linkend="security"/>).</para>
+ <para>Have some familiarity with security and how it pertains
+ to &os; (<xref linkend="security"/>).</para>
</listitem>
</itemizedlist>
@@ -104,9 +104,9 @@ requirements. -->
Administrators should take into account disk space
requirements associated with high volume audit configurations.
For example, it may be desirable to dedicate a file system to
- the <filename class="directory">/var/audit</filename> tree so that other file
- systems are not affected if the audit file system becomes
- full.</para>
+ the <filename class="directory">/var/audit</filename> tree
+ so that other file systems are not affected if the audit file
+ system becomes full.</para>
</warning>
</sect1>
@@ -133,9 +133,9 @@ requirements. -->
<listitem>
<para><emphasis>class</emphasis>: Event classes are named sets
of related events, and are used in selection expressions.
- Commonly used classes of events include
- <quote>file creation</quote> (fc), <quote>exec</quote> (ex)
- and <quote>login_logout</quote> (lo).</para>
+ Commonly used classes of events include <quote>file
+ creation</quote> (fc), <quote>exec</quote> (ex) and
+ <quote>login_logout</quote> (lo).</para>
</listitem>
<listitem>
@@ -199,8 +199,8 @@ requirements. -->
<programlisting>options AUDIT</programlisting>
<para>Rebuild and reinstall
- the kernel via the normal process explained in
- <xref linkend="kernelconfig"/>.</para>
+ the kernel via the normal process explained in <xref
+ linkend="kernelconfig"/>.</para>
<para>Once an audit-enabled kernel is built, installed, and the
system has been rebooted, enable the audit daemon by adding the
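Review bot: splitting the `<xref linkend="kernelconfig"/>` tag across two lines in the `+` lines is well-formed XML, but it hides the cross-reference from a plain `grep` for `<xref linkend=` and from editors that match whole tags; the wrap fits just as well before the tag, e.g. `the kernel via the normal process explained in` / `<xref linkend="kernelconfig"/>.</para>`.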
@@ -249,10 +249,10 @@ requirements. -->
<listitem>
<para><filename>audit_warn</filename> - A customizable shell
- script used by &man.auditd.8; to generate
- warning messages in exceptional situations, such as when
- space for audit records is running low or when the audit
- trail file has been rotated.</para>
+ script used by &man.auditd.8; to generate warning messages
+ in exceptional situations, such as when space for audit
+ records is running low or when the audit trail file has
+ been rotated.</para>
</listitem>
</itemizedlist>
@@ -400,8 +400,8 @@ requirements. -->
</itemizedlist>
<para>These audit event classes may be customized by modifying
- the <filename>audit_class</filename> and
- <filename>audit_event</filename> configuration files.</para>
+ the <filename>audit_class</filename> and <filename>audit_
+ event</filename> configuration files.</para>
<para>Each audit class in the list is combined with a prefix
indicating whether successful/failed operations are matched,
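Review bot: the new line break inside `<filename>audit_` / `event</filename>` puts a newline in the text content of the `<filename>` element, so the rendered output reads "audit_ event" instead of `audit_event`; that is a content change rather than a whitespace-only one, and it also breaks searching the source for the literal `audit_event`. Keep the element on one line and wrap before it instead: `the <filename>audit_class</filename> and` / `<filename>audit_event</filename> configuration files.</para>`.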
@@ -451,11 +451,10 @@ requirements. -->
<title>Configuration Files</title>
<para>In most cases, administrators will need to modify only two
- files when configuring the audit system:
- <filename>audit_control</filename> and
- <filename>audit_user</filename>. The first controls
- system-wide audit properties and policies; the second may be
- used to fine-tune auditing by user.</para>
+ files when configuring the audit system: <filename>audit_
+ control</filename> and <filename>audit_user</filename>.
+ The first controls system-wide audit properties and policies;
+ the second may be used to fine-tune auditing by user.</para>
<sect3 id="audit-auditcontrol">
<title>The <filename>audit_control</filename> File</title>
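Review bot: the `+` lines wrap in the middle of `<filename>audit_` / `control</filename>`, which inserts whitespace into the filename and renders as "audit_ control" rather than `audit_control`, contradicting the "white space fix only" log message. Suggest wrapping at the element boundary instead: `files when configuring the audit system:` / `<filename>audit_control</filename> and` / `<filename>audit_user</filename>. The first controls`, which stays within the line width without splitting the name.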
@@ -489,9 +488,9 @@ filesz:0</programlisting>
will be generated. The above example sets the minimum free
space to twenty percent.</para>
- <para>The <option>naflags</option> specifies audit
- classes to be audited for non-attributed events, such as the
- login process and system daemons.</para>
+ <para>The <option>naflags</option> specifies audit classes
+ to be audited for non-attributed events, such as the login
+ process and system daemons.</para>
<para>The <option>policy</option> entry specifies a
comma-separated list of policy flags controlling various
@@ -517,13 +516,12 @@ filesz:0</programlisting>
<para>The administrator can specify further audit requirements
for specific users in <filename>audit_user</filename>.
- Each line configures auditing for a user
- via two fields: the first is the
- <literal>alwaysaudit</literal> field, which specifies a set
- of events that should always be audited for the user, and
- the second is the <literal>neveraudit</literal> field, which
- specifies a set of events that should never be audited for
- the user.</para>
+ Each line configures auditing for a user via two fields:
+ the first is the <literal>alwaysaudit</literal> field,
+ which specifies a set of events that should always be
+ audited for the user, and the second is the
+ <literal>neveraudit</literal> field, which specifies a set
+ of events that should never be audited for the user.</para>
<para>The following example <filename>audit_user</filename>
audits login/logout events and successful command
@@ -552,15 +550,13 @@ www:fc,+ex:no</programlisting>
&man.praudit.1; command converts trail files to a simple text
format; the &man.auditreduce.1; command may be used to reduce
the audit trail file for analysis, archiving, or printing
- purposes. A variety of selection
- parameters are supported by &man.auditreduce.1;,
- including event type, event class,
+ purposes. A variety of selection parameters are supported by
+ &man.auditreduce.1;, including event type, event class,
user, date or time of the event, and the file path or object
acted on.</para>
- <para>For example, &man.praudit.1; will
- dump the entire contents of a specified audit log in plain
- text:</para>
+ <para>For example, &man.praudit.1; will dump the entire
+ contents of a specified audit log in plain text:</para>
<screen>&prompt.root; <userinput>praudit /var/audit/AUDITFILE</userinput></screen>
@@ -569,11 +565,11 @@ www:fc,+ex:no</programlisting>
the audit log to dump.</para>
<para>Audit trails consist of a series of audit records made up
- of tokens, which &man.praudit.1; prints
- sequentially one per line. Each token is of a specific type,
- such as <literal>header</literal> holding an audit record
- header, or <literal>path</literal> holding a file path from a
- name lookup. The following is an example of an
+ of tokens, which &man.praudit.1; prints sequentially one per
+ line. Each token is of a specific type, such as
+ <literal>header</literal> holding an audit record header, or
+ <literal>path</literal> holding a file path from a name
+ lookup. The following is an example of an
<literal>execve</literal> event:</para>
<programlisting>header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
@@ -606,8 +602,7 @@ trailer,133</programlisting>
concludes the record.</para>
<para><acronym>XML</acronym> output format is also supported by
- &man.praudit.1;,
- and can be selected using
+ &man.praudit.1;, and can be selected using
<option>-x</option>.</para>
</sect2>
@@ -629,10 +624,10 @@ trailer,133</programlisting>
<title>Delegating Audit Review Rights</title>
<para>Members of the <groupname>audit</groupname> group are
- given permission to read audit trails in
- <filename class="directory">/var/audit</filename>; by default, this group is
- empty, so only the <username>root</username> user may read
- audit trails. Users may be added to the
+ given permission to read audit trails in <filename
+ class="directory">/var/audit</filename>; by default, this
+ group is empty, so only the <username>root</username> user
+ may read audit trails. Users may be added to the
<groupname>audit</groupname> group in order to delegate audit
review rights to the user. As the ability to track audit log
contents provides significant insight into the behavior of
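Review bot: breaking the start tag across lines as `<filename` / `class="directory">/var/audit</filename>` is valid but inconsistent with the rest of the chapter, where `<filename class="directory">` appears on one line (see the context of the `/var/audit` hunk above); wrapping before the element, e.g. `given permission to read audit trails in` / `<filename class="directory">/var/audit</filename>; by default,`, keeps the tag intact and greppable.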
@@ -674,9 +669,9 @@ trailer,133</programlisting>
SSH session, then a continuous stream of audit events will
be generated at a high rate, as each event being printed
will generate another event. It is advisable to run
- &man.praudit.1; on an audit pipe device from
- sessions without fine-grained I/O auditing in order to avoid
- this happening.</para>
+ &man.praudit.1; on an audit pipe device from sessions
+ without fine-grained I/O auditing in order to avoid this
+ happening.</para>
</warning>
</sect2>
@@ -684,24 +679,23 @@ trailer,133</programlisting>
<title>Rotating Audit Trail Files</title>
<para>Audit trails are written to only by the kernel, and
- managed only by the audit daemon,
- &man.auditd.8;. Administrators should not
- attempt to use &man.newsyslog.conf.5; or other tools to
- directly rotate audit logs. Instead, the
- &man.audit.8; management tool may be used to shut
- down auditing, reconfigure the audit system, and perform log
- rotation. The following command causes the audit daemon to
- create a new audit log and signal the kernel to switch to
- using the new log. The old log will be terminated and
- renamed, at which point it may then be manipulated by the
- administrator.</para>
+ managed only by the audit daemon, &man.auditd.8;.
+ Administrators should not attempt to use
+ &man.newsyslog.conf.5; or other tools to directly rotate
+ audit logs. Instead, the &man.audit.8; management tool may
+ be used to shut down auditing, reconfigure the audit system,
+ and perform log rotation. The following command causes the
+ audit daemon to create a new audit log and signal the kernel
+ to switch to using the new log. The old log will be
+ terminated and renamed, at which point it may then be
+ manipulated by the administrator.</para>
<screen>&prompt.root; <userinput>audit -n</userinput></screen>
<warning>
- <para>If &man.auditd.8; is not
- currently running, this command will fail and an error
- message will be produced.</para>
+ <para>If &man.auditd.8; is not currently running, this
+ command will fail and an error message will be
+ produced.</para>
</warning>
<para>Adding the following line to
@@ -710,8 +704,8 @@ trailer,133</programlisting>
<programlisting>0 */12 * * * root /usr/sbin/audit -n</programlisting>
- <para>The change will take effect once you have saved the
- new <filename>/etc/crontab</filename>.</para>
+ <para>The change will take effect once you have saved the new
+ <filename>/etc/crontab</filename>.</para>
<para>Automatic rotation of the audit trail file based on file
size is possible using <option>filesz</option> in