author | Robert Watson <rwatson@FreeBSD.org> | 2006-10-02 07:50:22 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2006-10-02 07:50:22 +0000 |
commit | b6389e9431e0961384f66310e9717fed48da5ae2 (patch) | |
tree | 9e290037bfb0b339e73cae062b61c7660a9c3977 /en_US.ISO8859-1/books/handbook/audit | |
parent | 3a22779fc0a5130cb4f9ef9e358edacd8e1f393c (diff) | |
Update audit handbook chapter:
- Clean up a few more phrasing nits.
- Extend sections on audit_control to document filesz and policy entries,
  and to specifically mention argv, envv, and cnt policy flags.
This brings the audit documentation up-to-date for OpenBSM 1.0 alpha 12.
Obtained from: TrustedBSD Project
Notes:
svn path=/head/; revision=28744
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/audit')
-rw-r--r-- | en_US.ISO8859-1/books/handbook/audit/chapter.sgml | 45 |
1 files changed, 33 insertions, 12 deletions
diff --git a/en_US.ISO8859-1/books/handbook/audit/chapter.sgml b/en_US.ISO8859-1/books/handbook/audit/chapter.sgml index 1945dc0931..3077b6bd28 100644 --- a/en_US.ISO8859-1/books/handbook/audit/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/audit/chapter.sgml @@ -122,8 +122,8 @@ requirements. --> <para><emphasis>event</emphasis>: An auditable event is any event that can be logged using the audit subsystem. Examples of security-relevant events include the creation of - a file, the building of a network connection, or the logging - in of a user. Events are either <quote>attributable</quote>, + a file, the building of a network connection, or a user logging in. + Events are either <quote>attributable</quote>, meaning that they can be traced to an authenticated user, or <quote>non-attributable</quote> if they cannot be. Examples of non-attributable events are any events that occur @@ -163,9 +163,9 @@ requirements. --> <listitem> <para><emphasis>preselection</emphasis>: The process by which the - system identifies which events are of interest in order to avoid - generating audit records describing events that are not of - interest to the administrator. The preselection configuration + system identifies which events are of interest to the administrator + in order to avoid generating audit records describing events that + are not of interest. The preselection configuration uses a series of selection expressions to identify which classes of events to audit for which users, as well as global settings that apply to both authenticated and unauthenticated 
@@ -189,9 +189,9 @@ requirements. --> <title>Installing Audit Support</title> <para>User space support for Event Auditing is installed as part of the - base &os; operating as of 6.2-RELEASE. However, kernel support for - Event Auditing must also be configured, which is done by adding the - following lines to the local configuration file:</para> + base &os; operating as of 6.2-RELEASE. However, Event Auditing support + must be explicitly compiled into the kernel by adding the following + lines to the kernel configuration file:</para> <programlisting>options AUDIT</programlisting> @@ -228,7 +228,7 @@ requirements. --> <para><filename>audit_control</filename> - Controls aspects of the audit subsystem, such as default audit classes, minimum disk space to leave on the audit log volume, - etc.</para> + maximum audit trail size, etc.</para> </listitem> <listitem> @@ -238,7 +238,7 @@ requirements. --> </listitem> <listitem> - <para><filename>audit_user</filename> - Any user-specific audit + <para><filename>audit_user</filename> - User-specific audit requirements, which are combined with the global defaults at login.</para> </listitem> @@ -297,7 +297,10 @@ requirements. --> <listitem> <para><option>ex</option> - <literal>exec</literal> - Audit - program or utility execution.</para> + program execution. Auditing of command line arguments and + environmental variables is controlled via &man.audit.control.5; + using the <literal>argv</literal> and <literal>envv</literal> + parameters to the <literal>policy</literal> setting.</para> </listitem> <listitem> @@ -450,7 +453,9 @@ requirements. --> <programlisting>dir:/var/audit flags:lo minfree:20 -naflags:lo</programlisting> +naflags:lo +policy:cnt +filesz:0</programlisting> <para>The <option>dir</option> option is used to set one or more directories where audit logs will be stored. If more than one 
@@ -474,6 +479,22 @@ naflags:lo</programlisting> <para>The <option>naflags</option> option specifies audit classes to be audited for non-attributed events, such as the login process and system daemons.</para> + + <para>The <option>policy</option> option specifies a comma-separated + list of policy flags controlling various aspects of audit + behavior. The default <literal>cnt</literal> flag indicates that + the system should continue running despite an auditing failure + (this flag is highly recommended). Another commonly used flag is + <literal>argv</literal>, which causes command line arguments to + the &man.execve.2; system call to audited as part of command + execution.</para> + + <para>The <option>filesz</option> option specifies the maximum size + in bytes to allow an audit trail file to grow to before + automatically terminating and rotating the trail file. The + default, 0, disables automatic log rotation. If the requested + file size is non-zero and below the minimum 512k, it will be + ignored and a log message will be generated.</para> </sect3> <sect3 id="audit-audituser"> |
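Review bot: the rewritten sentence in the @@ -189 hunk keeps the pre-existing omission of "system": "base &os; operating as of 6.2-RELEASE" should read "base &os; operating system as of 6.2-RELEASE". Since this hunk replaces the line anyway, fix it here rather than leaving it for a follow-up commit.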
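Review bot: "environmental variables" in the @@ -297 hunk should be "environment variables", the standard term for the execve environment. The same hunk also calls argv and envv "parameters to the <literal>policy</literal> setting", while the new audit_control text in the @@ -474 hunk calls them "policy flags"; pick one term so a reader looking up the option is not left wondering whether these are two different things.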
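Review bot: the new policy paragraph in the @@ -474 hunk is missing a verb: "causes command line arguments to the &man.execve.2; system call to audited" should be "to be audited". Two smaller points in the same hunk: the class description added under @@ -297 advertises both argv and envv, but this paragraph documents only argv, so a sentence stating that envv does the same for the environment would keep the two sections in step; and the cnt flag is "highly recommended" without saying what the system does when cnt is absent, which the reader needs in order to weigh the recommendation. In the filesz paragraph, the value is introduced as a size "in bytes" but the minimum is given as "512k"; spelling out the exact byte count avoids the KB-versus-1000 ambiguity.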