Audit handbook chapter review

曾海涛 nocooling at gmail.com
Wed Oct 11 20:00:56 PDT 2006


Hello Robert:
   I found some confusing descriptions in Chapter 16.4.1. According to the
source code of TrustedBSD, you can find that the symbol '^' does not just mean
"Audit neither successful nor failed events in this class".
    Particularly in the config file audit_user, you can find that the symbol '^'
can be used to restrict both always-audit and never-audit items.
    For example:
 www:no:+all,^+ad,^+lo
    This config item means that no special events should always be audited for
the www user, and we never care about any successful events for him, except the
events belonging to the ad and lo classes. So here, ^+ad means to audit +ad events.
    I think it is more exact to describe the symbol '^' as a counter or minus
operation:
    (+all)-(+ad)-(+lo)
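As an added example (not part of the original message or of the TrustedBSD code), the following evaluates audit_user flag strings under the set-difference reading of '^' proposed above. The class table is a constructed placeholder rather than the real audit_class(5) contents, and the final combination rule (system-wide flags plus alwaysaudit, minus neveraudit) is an assumption about how the mask is built.

```python
SUCCESS = "success"
FAILURE = "failure"

# Constructed placeholder for audit_class(5): class name -> set of member classes.
# "no" is the empty class, "all" expands to every concrete class listed here.
CLASSES = {
    "no": set(),
    "ad": {"ad"},
    "lo": {"lo"},
    "pc": {"pc"},
    "all": {"ad", "lo", "pc"},
}


def parse_flags(spec):
    """Return the set of (class, outcome) pairs selected by a flag list.

    Tokens apply left to right: '+cl' selects successes, '-cl' failures,
    'cl' both; a leading '^' subtracts those pairs instead of adding them,
    so "+all,^+ad,^+lo" reads as (+all)-(+ad)-(+lo).
    """
    selected = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("^")
        if negate:
            token = token[1:]
        if token.startswith("+"):
            outcomes, name = {SUCCESS}, token[1:]
        elif token.startswith("-"):
            outcomes, name = {FAILURE}, token[1:]
        else:
            outcomes, name = {SUCCESS, FAILURE}, token
        if name not in CLASSES:
            raise ValueError(f"unknown audit class: {name!r}")
        pairs = {(cls, oc) for cls in CLASSES[name] for oc in outcomes}
        selected = selected - pairs if negate else selected | pairs
    return selected


def parse_audit_user_line(line):
    """Split 'user:alwaysaudit:neveraudit' into (user, always_set, never_set)."""
    user, always, never = line.strip().split(":")
    return user, parse_flags(always), parse_flags(never)


def effective_mask(system_flags, always, never):
    """Assumed combination: (system-wide flags | alwaysaudit) - neveraudit."""
    return (parse_flags(system_flags) | always) - never
```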
