25c25
< .\" $FreeBSD: head/share/man/man4/audit.4 155395 2006-02-06 19:28:02Z brueffer $
---
> .\" $FreeBSD: head/share/man/man4/audit.4 155397 2006-02-06 20:27:00Z rwatson $
65c65,77
< The kernel audit facility also provides a clonable special device,
---
> While audit trail files maintained by
> .Xr auditd 8
> provide a reliable long-term store for audit log information, current log
> files are owned by the audit daemon until terminated making them somewhat
> unwieldy for live montoring applications such as host-based intrusion
> detection.
> For example, the log may be cycled and new records written to a new file
> without notice to applications that may be accessing the file.
> .Pp
> The audit facility provides an audit pipe facility for applications requiring
> direct access to live BSM audit data for the purposes of real-time
> monitoring.
> Audit pipes are available via a clonable special device,
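Review bot: typo in the added line "unwieldy for live montoring applications such as host-based intrusion": "montoring" should be "monitoring". In the line before it, "until terminated making them somewhat" needs a comma after "terminated". The second added paragraph also reads "The audit facility provides an audit pipe facility", which repeats "facility"; something like "The audit facility provides audit pipes for applications requiring direct access to live BSM audit data" says the same thing more cleanly.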
67,71c79
< which allows appropriately privileged applications to gain direct access to
< the BSM audit stream without accessing audit trail files.
< As audit trail files are owned by the audit daemon until terminated, they
< are an unreliable way for applications to access live audit data; this
< special device inserts a
---
> subject to the permissions on the device node, and provide a
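Review bot: the added line "subject to the permissions on the device node, and provide a" replaces the old "appropriately privileged applications" wording, but the text never says what the default ownership and mode of the node are or how an administrator would adjust them. Since anything that can open the device gets the live BSM audit stream, suggest stating the default permissions here or adding a cross-reference to where the device node permissions are configured.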
73,75c81
< in the audit event stream.
< This facility is appropriate for use by live monitoring tools, including
< intrusion detection.
---
> of the audit event stream.