
Update the audit handbook chapter in a number of ways to reflect recent

Description

Update the audit handbook chapter in a number of ways to reflect recent
changes and improvements:

  • Rephrase synopsis now that we've merged audit support to 6.x. Re-sort to push all warnings to the end so that it reads more clearly. Add reviewing and reducing the audit trail to list of things learned, since it is covered.
  • Simplify class definition, as some of this content can appear in new definitions for selection expression, preselection, and reduction. The selection expression definition replaces the existing prefix definition, and "selection expression" is now used consistently throughout the document to refer to the previously unnamed matching strings.
  • Since audit support is part of the base system, remove comments about checking for configuration files; they will be present. Add note about starting auditd with the rc.d script once the new kernel is loaded.
  • When describing audit_event file, mention that that is where the class mappings live.
  • Since audit_warn will shortly learn to notify of rotation events, mention that.
  • Rename "Audit File Syntax" section to "Event Selection Expressions", since that's what the section talks about, and these expressions are used in more than one file. Correct an error in the prefix list, which was also present in the man page (and will be fixed in the next OpenBSM import). Include an example in this section.
  • Don't go into selection expression details in the audit_control section, as that's now earlier in the document.
  • Talk in more detail about audit_user fields. I had to check the source to make sure I understood this first!
  • Don't mention a special audit user; it's not a configuration we currently want to encourage. The audit group now fills this role.
  • Create a new sect2 section on viewing and reducing trails from the existing sect1 introduction for administering the audit subsystem, as it's a sufficiently detailed and independent set of text that it makes sense. Clarify some points regarding what you might use auditreduce for. Use -u instead of -e to match the user in the example.
  • Consistently say "audit trail file" instead of "audit log file", except when introducing the trail concept in the glossary.
  • Clarify notion of the audit group some more.
  • A number of rephrasings and simplifications.
  • Add myself as an author.

Some new features from OpenBSM 1.0a12 are not yet described here, such as
the filesz and policy entries in audit_control, and once that is merged, I
will further update the document, which should clean up the trail rotation
section.

Obtained from: TrustedBSD Project
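The commit message above refers to the event selection expressions used in audit_control(5) and to the alwaysaudit/neveraudit fields of audit_user(5). The following is an added example, not code from the FreeBSD handbook or from OpenBSM, that evaluates those expressions against a constructed class table. It follows the prefix meanings documented in audit_control(5) (no prefix selects both successful and failed events of a class, "+" successful only, "-" failed only, "^" deselects both, "^+" deselects successful, "^-" deselects failed). The per-user combination rule, effective = (global | alwaysaudit) & ~neveraudit, the class bit values in CLASSES and the sample configuration lines are this example's own assumptions, not copied from a real audit_class file or from the handbook.

```python
"""Evaluate audit event selection expressions as used in audit_control(5)
and audit_user(5).

Added example, not code from the FreeBSD handbook or OpenBSM.  The class
bit values, the sample configuration and the per-user combination rule
(effective = (global | alwaysaudit) & ~neveraudit) are assumptions made
for illustration.
"""

# Constructed class-name -> bit table (assumption; the real mapping lives in
# /etc/security/audit_class and is referenced from audit_event).
CLASSES = {
    "fr": 0x00000001,   # file read
    "fw": 0x00000002,   # file write
    "lo": 0x00001000,   # login/logout
    "aa": 0x00002000,   # authentication and authorization
    "ex": 0x40000000,   # exec
}


def apply_selection(flags, mask=(0, 0)):
    """Apply a comma-separated list of selection expressions, left to right,
    to an (audit_on_success, audit_on_failure) bitmask pair and return the
    resulting pair.  Unknown class names raise ValueError."""
    success, failure = mask
    for expr in flags.split(","):
        expr = expr.strip()
        if not expr:
            continue
        deselect = expr.startswith("^")      # "^", "^+", "^-" remove bits
        if deselect:
            expr = expr[1:]
        outcome = "both"                     # no prefix: success and failure
        if expr[:1] in ("+", "-"):           # "+": success only, "-": failure only
            outcome, expr = expr[0], expr[1:]
        try:
            bit = CLASSES[expr]
        except KeyError:
            raise ValueError("unknown audit class: %r" % expr)
        on_success = outcome in ("both", "+")
        on_failure = outcome in ("both", "-")
        if deselect:
            if on_success:
                success &= ~bit
            if on_failure:
                failure &= ~bit
        else:
            if on_success:
                success |= bit
            if on_failure:
                failure |= bit
    return success, failure


def parse_audit_user_line(line):
    """Split an audit_user(5) record 'username:alwaysaudit:neveraudit'."""
    parts = line.strip().split(":")
    if len(parts) != 3:
        raise ValueError("malformed audit_user line: %r" % line)
    return parts[0], parts[1], parts[2]


def effective_mask(global_flags, alwaysaudit, neveraudit):
    """Combine the audit_control 'flags' mask with one user's audit_user
    fields.  Assumed rule: (global | alwaysaudit) & ~neveraudit, applied
    separately to the success and failure halves of the mask."""
    g_s, g_f = apply_selection(global_flags)
    a_s, a_f = apply_selection(alwaysaudit)
    n_s, n_f = apply_selection(neveraudit)
    return (g_s | a_s) & ~n_s, (g_f | a_f) & ~n_f


def is_audited(mask, class_name, succeeded):
    """Would an event of class_name with the given outcome be recorded?"""
    success, failure = mask
    bit = CLASSES[class_name]
    return bool((success if succeeded else failure) & bit)


if __name__ == "__main__":
    # Constructed sample configuration: audit_control flags line and one
    # audit_user record.
    control_flags = "lo,aa,+ex,-fw"
    user, always, never = parse_audit_user_line("alice:+fr:ex")
    mask = effective_mask(control_flags, always, never)
    for cls in ("lo", "aa", "ex", "fw", "fr"):
        print(user, cls,
              "success:", is_audited(mask, cls, True),
              "failure:", is_audited(mask, cls, False))
```

With the constructed sample, alice's exec events are not recorded at all even though the global flags select successful execs, because the neveraudit field removes the class from both halves of the mask; her file reads are recorded only on success, and file writes only on failure, as the "-fw" expression in the global flags selects.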

Details

Provenance
rwatson, authored on Sep 24 2006, 11:50 AM
Parents
R9:54d528f81b2d: Document FreeBSD version 700023 (new sound IOCTLs).