path: root/en_US.ISO8859-1/books/handbook/audit
author: Robert Watson <rwatson@FreeBSD.org> 2006-10-02 07:50:22 +0000
committer: Robert Watson <rwatson@FreeBSD.org> 2006-10-02 07:50:22 +0000
commit: b6389e9431e0961384f66310e9717fed48da5ae2 (patch)
tree: 9e290037bfb0b339e73cae062b61c7660a9c3977 /en_US.ISO8859-1/books/handbook/audit
parent: 3a22779fc0a5130cb4f9ef9e358edacd8e1f393c (diff)
download: doc-b6389e9431e0961384f66310e9717fed48da5ae2.tar.gz, doc-b6389e9431e0961384f66310e9717fed48da5ae2.zip
Update audit handbook chapter:
- Clean up a few more phrasing nits.
- Extend sections on audit_control to document filesz and policy entries, and to specifically mention argv, envv, and cnt policy flags. This brings the audit documentation up-to-date for OpenBSM 1.0 alpha 12.

Obtained from: TrustedBSD Project
Notes: svn path=/head/; revision=28744
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/audit')
-rw-r--r-- en_US.ISO8859-1/books/handbook/audit/chapter.sgml | 45
1 file changed, 33 insertions, 12 deletions
diff --git a/en_US.ISO8859-1/books/handbook/audit/chapter.sgml b/en_US.ISO8859-1/books/handbook/audit/chapter.sgml
index 1945dc0931..3077b6bd28 100644
--- a/en_US.ISO8859-1/books/handbook/audit/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/audit/chapter.sgml
@@ -122,8 +122,8 @@ requirements. -->
<para><emphasis>event</emphasis>: An auditable event is any event
that can be logged using the audit subsystem.
Examples of security-relevant events include the creation of
- a file, the building of a network connection, or the logging
- in of a user. Events are either <quote>attributable</quote>,
+ a file, the building of a network connection, or a user logging in.
+ Events are either <quote>attributable</quote>,
meaning that they can be traced to an authenticated user, or
<quote>non-attributable</quote> if they cannot be.
Examples of non-attributable events are any events that occur
@@ -163,9 +163,9 @@ requirements. -->
<listitem>
<para><emphasis>preselection</emphasis>: The process by which the
- system identifies which events are of interest in order to avoid
- generating audit records describing events that are not of
- interest to the administrator. The preselection configuration
+ system identifies which events are of interest to the administrator
+ in order to avoid generating audit records describing events that
+ are not of interest. The preselection configuration
uses a series of selection expressions to identify which classes
of events to audit for which users, as well as global settings
that apply to both authenticated and unauthenticated
@@ -189,9 +189,9 @@ requirements. -->
<title>Installing Audit Support</title>
<para>User space support for Event Auditing is installed as part of the
- base &os; operating as of 6.2-RELEASE. However, kernel support for
- Event Auditing must also be configured, which is done by adding the
- following lines to the local configuration file:</para>
+ base &os; operating as of 6.2-RELEASE. However, Event Auditing support
+ must be explicitly compiled into the kernel by adding the following
+ lines to the kernel configuration file:</para>
<programlisting>options AUDIT</programlisting>
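Review bot: the first + line of this hunk keeps the pre-existing slip "base &os; operating as of 6.2-RELEASE", which is missing the word "system"; since the paragraph is being reworded anyway, change it to "base &os; operating system as of 6.2-RELEASE. However, Event Auditing support".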
@@ -228,7 +228,7 @@ requirements. -->
<para><filename>audit_control</filename> - Controls aspects
of the audit subsystem, such as default audit classes,
minimum disk space to leave on the audit log volume,
- etc.</para>
+ maximum audit trail size, etc.</para>
</listitem>
<listitem>
@@ -238,7 +238,7 @@ requirements. -->
</listitem>
<listitem>
- <para><filename>audit_user</filename> - Any user-specific audit
+ <para><filename>audit_user</filename> - User-specific audit
requirements, which are combined with the global defaults at
login.</para>
</listitem>
@@ -297,7 +297,10 @@ requirements. -->
<listitem>
<para><option>ex</option> - <literal>exec</literal> - Audit
- program or utility execution.</para>
+ program execution. Auditing of command line arguments and
+ environmental variables is controlled via &man.audit.control.5;
+ using the <literal>argv</literal> and <literal>envv</literal>
+ parameters to the <literal>policy</literal> setting.</para>
</listitem>
<listitem>
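Review bot: "environmental variables" on the second + line should be "environment variables", the standard term for the envv contents that the argv/envv policy flags control; the rest of the sentence is fine.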
@@ -450,7 +453,9 @@ requirements. -->
<programlisting>dir:/var/audit
flags:lo
minfree:20
-naflags:lo</programlisting>
+naflags:lo
+policy:cnt
+filesz:0</programlisting>
<para>The <option>dir</option> option is used to set one or more
directories where audit logs will be stored. If more than one
@@ -474,6 +479,22 @@ naflags:lo</programlisting>
<para>The <option>naflags</option> option specifies audit classes to
be audited for non-attributed events, such as the login process
and system daemons.</para>
+
+ <para>The <option>policy</option> option specifies a comma-separated
+ list of policy flags controlling various aspects of audit
+ behavior. The default <literal>cnt</literal> flag indicates that
+ the system should continue running despite an auditing failure
+ (this flag is highly recommended). Another commonly used flag is
+ <literal>argv</literal>, which causes command line arguments to
+ the &man.execve.2; system call to audited as part of command
+ execution.</para>
+
+ <para>The <option>filesz</option> option specifies the maximum size
+ in bytes to allow an audit trail file to grow to before
+ automatically terminating and rotating the trail file. The
+ default, 0, disables automatic log rotation. If the requested
+ file size is non-zero and below the minimum 512k, it will be
+ ignored and a log message will be generated.</para>
</sect3>
<sect3 id="audit-audituser">
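Review bot: the new policy paragraph is missing a verb: "causes command line arguments to the &man.execve.2; system call to audited as part of command execution" should read "to be audited as part of command execution". In the filesz paragraph, "below the minimum 512k" would be clearer written out as a byte value (for example "below the minimum of 512 kilobytes"), since the preceding sentence states the option is a size in bytes.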