1c1
< .\" Copyright (c) 2004 Apple Inc.
---
> .\" Copyright (c) 2004-2009 Apple Inc.
29c29
< .\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $
---
> .\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#22 $
31c31
< .Dd January 4, 2006
---
> .Dd January 29, 2009
88a89,100
> For convenience, the trail size may be expressed with suffix letters:
> B (Bytes), K (Kilobytes), M (Megabytes), or G (Gigabytes).
> For example, 2M is the same as 2097152.
> .It Va expire-after
> Specifies when audit log files will expire and be removed.
> This may be after a time period has passed since the file was last
> written to or when the aggregate of all the trail files have reached a
> specified size or a combination of both.
> If no expire-after parameter is given then audit log files with not
> expire and be removed by the audit control system.
> See the information below for the format of the expiration
> specification.
172a185,229
> .Sh AUDIT LOG EXPIRATION SPECIFICATION
> The expiration specification can be one value or two values with the
> logical conjunction of AND/OR between them.
> Values for the audit log file age are numbers with the following
> suffixes:
> .Pp
> .Bl -tag -width "(space) or" -compact -offset indent
> .It Li s
> Log file age in seconds.
> .It Li h
> Log file age in hours.
> .It Li d
> Log file age in days.
> .It Li y
> Log file age in years.
> .El
> .Pp
> Values for the disk space used are numbers with the following suffixes:
> .Pp
> .Bl -tag -width "(space) or" -compact -offset indent
> .It (space) or
> .It Li B
> Disk space used in Bytes.
> .It Li K
> Disk space used in Kilobytes.
> .It Li M
> Disk space used in Megabytes.
> .It Li G
> Disk space used in Gigabytes.
> .El
> .Pp
> The suffixes on the values are case sensitive.
> If both an age and disk space value are used they are seperated by
> AND or OR and both values are used to determine when audit
> log files expire.
> In the case of AND, both the age and disk space conditions must be meet
> before the log file is removed.
> In the case of OR, either condition may expire the log file.
> For example:
> .Bd -literal -offset indent
> expire-after: 60d AND 1G
> .Ed
> .Pp
> will expire files that are older than 60 days but only if 1
> gigabyte of disk space total is being used by the audit logs.
180c237
< minfree:20
---
> minfree:5
182,183c239,240
< policy:cnt
< filesz:0
---
> policy:cnt,argv
> filesz:2097152
193,195c250,255
< processes when the audit store fills.
< The trail file will not be automatically rotated by the audit daemon based on
< file size.
---
> processes when the audit store fills and that command line arguments should
> be audited for
> .Dv AUE_EXECVE
> events.
> The trail file will be automatically rotated by the audit daemon when the
> file size reaches approximately 2MB.
< .\" Copyright (c) 2004 Apple Inc.
---
> .\" Copyright (c) 2004-2009 Apple Inc.
29c29
< .\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $
---
> .\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#22 $
31c31
< .Dd January 4, 2006
---
> .Dd January 29, 2009
88a89,100
> For convenience, the trail size may be expressed with suffix letters:
> B (Bytes), K (Kilobytes), M (Megabytes), or G (Gigabytes).
> For example, 2M is the same as 2097152.
> .It Va expire-after
> Specifies when audit log files will expire and be removed.
> This may be after a time period has passed since the file was last
> written to or when the aggregate of all the trail files have reached a
> specified size or a combination of both.
> If no expire-after parameter is given then audit log files with not
> expire and be removed by the audit control system.
> See the information below for the format of the expiration
> specification.
172a185,229
> .Sh AUDIT LOG EXPIRATION SPECIFICATION
> The expiration specification can be one value or two values with the
> logical conjunction of AND/OR between them.
> Values for the audit log file age are numbers with the following
> suffixes:
> .Pp
> .Bl -tag -width "(space) or" -compact -offset indent
> .It Li s
> Log file age in seconds.
> .It Li h
> Log file age in hours.
> .It Li d
> Log file age in days.
> .It Li y
> Log file age in years.
> .El
> .Pp
> Values for the disk space used are numbers with the following suffixes:
> .Pp
> .Bl -tag -width "(space) or" -compact -offset indent
> .It (space) or
> .It Li B
> Disk space used in Bytes.
> .It Li K
> Disk space used in Kilobytes.
> .It Li M
> Disk space used in Megabytes.
> .It Li G
> Disk space used in Gigabytes.
> .El
> .Pp
> The suffixes on the values are case sensitive.
> If both an age and disk space value are used they are seperated by
> AND or OR and both values are used to determine when audit
> log files expire.
> In the case of AND, both the age and disk space conditions must be meet
> before the log file is removed.
> In the case of OR, either condition may expire the log file.
> For example:
> .Bd -literal -offset indent
> expire-after: 60d AND 1G
> .Ed
> .Pp
> will expire files that are older than 60 days but only if 1
> gigabyte of disk space total is being used by the audit logs.
180c237
< minfree:20
---
> minfree:5
182,183c239,240
< policy:cnt
< filesz:0
---
> policy:cnt,argv
> filesz:2097152
193,195c250,255
< processes when the audit store fills.
< The trail file will not be automatically rotated by the audit daemon based on
< file size.
---
> processes when the audit store fills and that command line arguments should
> be audited for
> .Dv AUE_EXECVE
> events.
> The trail file will be automatically rotated by the audit daemon when the
> file size reaches approximately 2MB.