No longer call it tracing, it is now "monitoring" which should be more

a obvious name to non-hackers.

Makefile.in

@@ -101,10 +101,10 @@ PROGS = @PROGS@
 SRCS = alloc.c alloca.c check.c closefrom.c def_data.c defaults.c env.c err.c \
        fileops.c find_path.c fnmatch.c getcwd.c getprogname.c getspwuid.c \
        gettime.c goodpath.c interfaces.c ldap.c lex.yy.c lsearch.c logging.c \
-       parse.c parse.lex parse.yacc set_perms.c sigaction.c snprintf.c \
+       mon_systrace.c parse.c parse.lex parse.yacc set_perms.c sigaction.c \
-       strcasecmp.c strerror.c strlcat.c strlcpy.c sudo.c sudo_noexec.c \
+       snprintf.c strcasecmp.c strerror.c strlcat.c strlcpy.c sudo.c \
-       sudo.tab.c sudo_edit.c testsudoers.c tgetpass.c utimes.c \
+       sudo_noexec.c sudo.tab.c sudo_edit.c testsudoers.c tgetpass.c utimes.c \
-       trace_systrace.c visudo.c zero_bytes.c $(AUTH_SRCS)
+       visudo.c zero_bytes.c $(AUTH_SRCS)
 
 AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
 	    auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \
@@ -234,7 +234,7 @@ strlcpy.o: strlcpy.c config.h
 strerror.o: strerror.c config.h
 utime.o: utime.c config.h pathnames.h compat.h emul/utime.h
 ldap.o: ldap.c $(SUDODEP) parse.h
-trace_systrace.o: trace_systrace.c $(SUDODEP) trace_systrace.h
+mon_systrace.o: mon_systrace.c $(SUDODEP) mon_systrace.h
 
 # Build special copy of alloc.c for visudo that calls Exit()
 vsalloc.o: alloc.c $(SUDODEP)

configure

@@ -30290,7 +30290,7 @@ done
     else
 	CPPFLAGS="$CPPFLAGS -I${with_systrace}"
     fi
-    SUDO_OBJS="${SUDO_OBJS} trace_systrace.o"
+    SUDO_OBJS="${SUDO_OBJS} mon_systrace.o"
 
 for ac_func in setproctitle
 do

configure.in

@@ -1786,7 +1786,7 @@ if test -n "$with_systrace"; then
     else
 	CPPFLAGS="$CPPFLAGS -I${with_systrace}"
     fi
-    SUDO_OBJS="${SUDO_OBJS} trace_systrace.o"
+    SUDO_OBJS="${SUDO_OBJS} mon_systrace.o"
     AC_CHECK_FUNCS(setproctitle)
 fi
 dnl

def_data.c

@@ -256,8 +256,8 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"If LDAP directory is up, do we ignore local sudoers file",
 	NULL,
     }, {
-	"trace", T_FLAG,
+	"monitor", T_FLAG,
-	"Trace children of cmnd and apply sudoers restrictions to them",
+	"Monitor children of cmnd and apply sudoers restrictions to them",
 	NULL,
     }, {
 	NULL, 0, NULL

def_data.h

@@ -114,8 +114,8 @@
 #define I_ENV_KEEP              56
 #define def_ignore_local_sudoers (sudo_defs_table[57].sd_un.flag)
 #define I_IGNORE_LOCAL_SUDOERS  57
-#define def_trace               (sudo_defs_table[58].sd_un.flag)
+#define def_monitor             (sudo_defs_table[58].sd_un.flag)
-#define I_TRACE                 58
+#define I_MONITOR               58
 
 enum def_tupple {
 	never,

def_data.in

@@ -185,6 +185,6 @@ env_keep
 ignore_local_sudoers
 	T_FLAG
 	"If LDAP directory is up, do we ignore local sudoers file"
-trace
+monitor
 	T_FLAG
-	"Trace children of cmnd and apply sudoers restrictions to them"
+	"Monitor children of cmnd and apply sudoers restrictions to them"

parse.c

@@ -193,7 +193,7 @@ sudoers_lookup(pwflag)
 		    return(VALIDATE_OK |
 			(no_passwd == TRUE ? FLAG_NOPASS : 0) |
 			(no_execve == TRUE ? FLAG_NOEXEC : 0) |
-			(trace_cmnd == TRUE ? FLAG_TRACE : 0));
+			(monitor_cmnd == TRUE ? FLAG_MONITOR : 0));
 		} else if ((runas_matches == TRUE && cmnd_matches == FALSE) ||
 		    (runas_matches == FALSE && cmnd_matches == TRUE)) {
 		    /*
@@ -203,7 +203,7 @@ sudoers_lookup(pwflag)
 		    return(VALIDATE_NOT_OK |
 			(no_passwd == TRUE ? FLAG_NOPASS : 0) |
 			(no_execve == TRUE ? FLAG_NOEXEC : 0) |
-			(trace_cmnd == TRUE ? FLAG_TRACE : 0));
+			(monitor_cmnd == TRUE ? FLAG_MONITOR : 0));
 		}
 	    }
 	    top--;

parse.h

@@ -33,7 +33,7 @@ struct matchstack {
 	int runas;
 	int nopass;
 	int noexec;
-	int trace;
+	int monitor;
 };
 
 /*
@@ -51,7 +51,7 @@ struct sudo_command {
 #define runas_matches	(match[top-1].runas)
 #define no_passwd	(match[top-1].nopass)
 #define no_execve	(match[top-1].noexec)
-#define trace_cmnd	(match[top-1].trace)
+#define monitor_cmnd	(match[top-1].monitor)
 
 /*
  * Structure containing command matches if "sudo -l" is used.
@@ -65,7 +65,7 @@ struct command_match {
     size_t cmnd_size;
     int nopasswd;
     int noexecve;
-    int trace;
+    int monitor;
 };
 
 /*

parse.lex

@@ -261,14 +261,14 @@ EXEC[[:blank:]]*:	{
 			    	return(EXEC);
 			}
 
-NOTRACE[[:blank:]]*:	{
+NOMONITOR[[:blank:]]*:	{
-			    	LEXTRACE("NOTRACE ");
+			    	LEXTRACE("NOMONITOR ");
-			    	return(NOTRACE);
+			    	return(NOMONITOR);
 			}
 
-TRACE[[:blank:]]*:	{
+MONITOR[[:blank:]]*:	{
-			    	LEXTRACE("TRACE ");
+			    	LEXTRACE("MONITOR ");
-			    	return(TRACE);
+			    	return(MONITOR);
 			}
 
 \+{WORD}		{

parse.yacc

@@ -126,7 +126,7 @@ int top = 0, stacksize = 0;
 	match[top].runas  = UNSPEC; \
 	match[top].nopass = def_authenticate ? UNSPEC : TRUE; \
 	match[top].noexec = def_noexec ? TRUE : UNSPEC; \
-	match[top].trace  = def_trace ? TRUE : UNSPEC; \
+	match[top].monitor  = def_monitor ? TRUE : UNSPEC; \
 	top++; \
     } while (0)
 
@@ -136,13 +136,13 @@ int top = 0, stacksize = 0;
 	    while ((stacksize += STACKINCREMENT) < top); \
 	    match = (struct matchstack *) erealloc3(match, stacksize, sizeof(struct matchstack)); \
 	} \
-	match[top].user   = match[top-1].user; \
+	match[top].user     = match[top-1].user; \
-	match[top].cmnd   = match[top-1].cmnd; \
+	match[top].cmnd     = match[top-1].cmnd; \
-	match[top].host   = match[top-1].host; \
+	match[top].host     = match[top-1].host; \
-	match[top].runas  = match[top-1].runas; \
+	match[top].runas    = match[top-1].runas; \
-	match[top].nopass = match[top-1].nopass; \
+	match[top].nopass   = match[top-1].nopass; \
-	match[top].noexec = match[top-1].noexec; \
+	match[top].noexec   = match[top-1].noexec; \
-	match[top].trace  = match[top-1].trace; \
+	match[top].monitor  = match[top-1].monitor; \
 	top++; \
     } while (0)
 
@@ -247,8 +247,8 @@ yyerror(s)
 %token <tok> 	 PASSWD			/* passwd req for command (default) */
 %token <tok> 	 NOEXEC			/* preload dummy execve() for cmnd */
 %token <tok> 	 EXEC			/* don't preload dummy execve() */
-%token <tok> 	 TRACE			/* trace children of cmnd */
+%token <tok> 	 MONITOR		/* monitor children of cmnd */
-%token <tok> 	 NOTRACE		/* disable tracing of children */
+%token <tok> 	 NOMONITOR		/* disable monitoring of children */
 %token <tok>	 ALL			/* ALL keyword */
 %token <tok>	 COMMENT		/* comment and/or carriage return */
 %token <tok>	 HOSTALIAS		/* Host_Alias keyword */
@@ -385,7 +385,7 @@ privilege	:	hostlist '=' cmndspeclist {
 			    runas_matches = UNSPEC;
 			    no_passwd = def_authenticate ? UNSPEC : TRUE;
 			    no_execve = def_noexec ? TRUE : UNSPEC;
-			    trace_cmnd = def_trace ? TRUE : UNSPEC;
+			    monitor_cmnd = def_monitor ? TRUE : UNSPEC;
 			}
 		;
 
@@ -648,10 +648,10 @@ cmndtag		:	/* empty */ {
 				    cm_list[cm_list_len].noexecve = TRUE;
 				else
 				    cm_list[cm_list_len].noexecve = FALSE;
-				if (trace_cmnd == TRUE)
+				if (monitor_cmnd == TRUE)
-				    cm_list[cm_list_len].trace = TRUE;
+				    cm_list[cm_list_len].monitor = TRUE;
 				else
-				    cm_list[cm_list_len].trace = FALSE;
+				    cm_list[cm_list_len].monitor = FALSE;
 			    }
 			}
 		|	cmndtag NOPASSWD {
@@ -678,17 +678,17 @@ cmndtag		:	/* empty */ {
 				user_matches == TRUE)
 				cm_list[cm_list_len].noexecve = FALSE;
 			}
-		|	cmndtag TRACE {
+		|	cmndtag MONITOR {
-			    trace_cmnd = TRUE;
+			    monitor_cmnd = TRUE;
 			    if (printmatches == TRUE && host_matches == TRUE &&
 				user_matches == TRUE)
-				cm_list[cm_list_len].trace = TRUE;
+				cm_list[cm_list_len].monitor = TRUE;
 			}
-		|	cmndtag NOTRACE {
+		|	cmndtag NOMONITOR {
-			    trace_cmnd = FALSE;
+			    monitor_cmnd = FALSE;
 			    if (printmatches == TRUE && host_matches == TRUE &&
 				user_matches == TRUE)
-				cm_list[cm_list_len].trace = FALSE;
+				cm_list[cm_list_len].monitor = FALSE;
 			}
 		;
 
@@ -1110,11 +1110,11 @@ list_matches()
 	else if (cm_list[count].noexecve == FALSE && def_noexec)
 	    (void) fputs("EXEC: ", stdout);
 
-	/* Is tracing enabled? */
+	/* Is monitoring enabled? */
-	if (cm_list[count].trace == TRUE && !def_trace)
+	if (cm_list[count].monitor == TRUE && !def_monitor)
-	    (void) fputs("TRACE: ", stdout);
+	    (void) fputs("MONITOR: ", stdout);
-	else if (cm_list[count].trace == FALSE && def_trace)
+	else if (cm_list[count].monitor == FALSE && def_monitor)
-	    (void) fputs("NOTRACE: ", stdout);
+	    (void) fputs("NOMONITOR: ", stdout);
 
 	/* Is a password required? */
 	if (cm_list[count].nopasswd == TRUE && def_authenticate)
@@ -1249,7 +1249,7 @@ expand_match_list()
     cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL;
     cm_list[cm_list_len].nopasswd = FALSE;
     cm_list[cm_list_len].noexecve = FALSE;
-    cm_list[cm_list_len].trace    = FALSE;
+    cm_list[cm_list_len].monitor  = FALSE;
 }
 
 /*

sudo.c

@@ -400,7 +400,7 @@ main(argc, argv, envp)
 	}
 
 #ifdef HAVE_SYSTRACE 
-	if (ISSET(validated, FLAG_TRACE))
+	if (ISSET(validated, FLAG_MONITOR))
 	    systrace_attach(getpid());
 #endif
 

sudo.h

@@ -65,7 +65,7 @@ struct sudo_user {
 #define FLAG_NO_HOST		0x080
 #define FLAG_NO_CHECK		0x100
 #define FLAG_NOEXEC		0x200
-#define FLAG_TRACE		0x400
+#define FLAG_MONITOR		0x400
 
 /*
  * Pseudo-boolean values

sudo.tab.c

@@ -144,7 +144,7 @@ int top = 0, stacksize = 0;
 	match[top].runas  = UNSPEC; \
 	match[top].nopass = def_authenticate ? UNSPEC : TRUE; \
 	match[top].noexec = def_noexec ? TRUE : UNSPEC; \
-	match[top].trace  = def_trace ? TRUE : UNSPEC; \
+	match[top].monitor  = def_monitor ? TRUE : UNSPEC; \
 	top++; \
     } while (0)
 
@@ -154,13 +154,13 @@ int top = 0, stacksize = 0;
 	    while ((stacksize += STACKINCREMENT) < top); \
 	    match = (struct matchstack *) erealloc3(match, stacksize, sizeof(struct matchstack)); \
 	} \
-	match[top].user   = match[top-1].user; \
+	match[top].user     = match[top-1].user; \
-	match[top].cmnd   = match[top-1].cmnd; \
+	match[top].cmnd     = match[top-1].cmnd; \
-	match[top].host   = match[top-1].host; \
+	match[top].host     = match[top-1].host; \
-	match[top].runas  = match[top-1].runas; \
+	match[top].runas    = match[top-1].runas; \
-	match[top].nopass = match[top-1].nopass; \
+	match[top].nopass   = match[top-1].nopass; \
-	match[top].noexec = match[top-1].noexec; \
+	match[top].noexec   = match[top-1].noexec; \
-	match[top].trace  = match[top-1].trace; \
+	match[top].monitor  = match[top-1].monitor; \
 	top++; \
     } while (0)
 
@@ -266,8 +266,8 @@ typedef union {
 #define PASSWD 270
 #define NOEXEC 271
 #define EXEC 272
-#define TRACE 273
+#define MONITOR 273
-#define NOTRACE 274
+#define NOMONITOR 274
 #define ALL 275
 #define COMMENT 276
 #define HOSTALIAS 277
@@ -547,7 +547,7 @@ char *yyname[] =
 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
 "COMMAND","ALIAS","DEFVAR","NTWKADDR","NETGROUP","USERGROUP","WORD","DEFAULTS",
 "DEFAULTS_HOST","DEFAULTS_USER","DEFAULTS_RUNAS","RUNAS","NOPASSWD","PASSWD",
-"NOEXEC","EXEC","TRACE","NOTRACE","ALL","COMMENT","HOSTALIAS","CMNDALIAS",
+"NOEXEC","EXEC","MONITOR","NOMONITOR","ALL","COMMENT","HOSTALIAS","CMNDALIAS",
 "USERALIAS","RUNASALIAS","ERROR",
 };
 #if defined(__cplusplus) || defined(__STDC__)
@@ -617,8 +617,8 @@ char *yyrule[] =
 "cmndtag : cmndtag PASSWD",
 "cmndtag : cmndtag NOEXEC",
 "cmndtag : cmndtag EXEC",
-"cmndtag : cmndtag TRACE",
+"cmndtag : cmndtag MONITOR",
-"cmndtag : cmndtag NOTRACE",
+"cmndtag : cmndtag NOMONITOR",
 "cmnd : ALL",
 "cmnd : ALIAS",
 "cmnd : COMMAND",
@@ -873,11 +873,11 @@ list_matches()
 	else if (cm_list[count].noexecve == FALSE && def_noexec)
 	    (void) fputs("EXEC: ", stdout);
 
-	/* Is tracing enabled? */
+	/* Is monitoring enabled? */
-	if (cm_list[count].trace == TRUE && !def_trace)
+	if (cm_list[count].monitor == TRUE && !def_monitor)
-	    (void) fputs("TRACE: ", stdout);
+	    (void) fputs("MONITOR: ", stdout);
-	else if (cm_list[count].trace == FALSE && def_trace)
+	else if (cm_list[count].monitor == FALSE && def_monitor)
-	    (void) fputs("NOTRACE: ", stdout);
+	    (void) fputs("NOMONITOR: ", stdout);
 
 	/* Is a password required? */
 	if (cm_list[count].nopasswd == TRUE && def_authenticate)
@@ -1012,7 +1012,7 @@ expand_match_list()
     cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL;
     cm_list[cm_list_len].nopasswd = FALSE;
     cm_list[cm_list_len].noexecve = FALSE;
-    cm_list[cm_list_len].trace    = FALSE;
+    cm_list[cm_list_len].monitor  = FALSE;
 }
 
 /*
@@ -1391,7 +1391,7 @@ case 31:
 			    runas_matches = UNSPEC;
 			    no_passwd = def_authenticate ? UNSPEC : TRUE;
 			    no_execve = def_noexec ? TRUE : UNSPEC;
-			    trace_cmnd = def_trace ? TRUE : UNSPEC;
+			    monitor_cmnd = def_monitor ? TRUE : UNSPEC;
 			}
 break;
 case 32:
@@ -1706,10 +1706,10 @@ case 57:
 				    cm_list[cm_list_len].noexecve = TRUE;
 				else
 				    cm_list[cm_list_len].noexecve = FALSE;
-				if (trace_cmnd == TRUE)
+				if (monitor_cmnd == TRUE)
-				    cm_list[cm_list_len].trace = TRUE;
+				    cm_list[cm_list_len].monitor = TRUE;
 				else
-				    cm_list[cm_list_len].trace = FALSE;
+				    cm_list[cm_list_len].monitor = FALSE;
 			    }
 			}
 break;
@@ -1752,19 +1752,19 @@ break;
 case 62:
 #line 681 "parse.yacc"
 {
-			    trace_cmnd = TRUE;
+			    monitor_cmnd = TRUE;
 			    if (printmatches == TRUE && host_matches == TRUE &&
 				user_matches == TRUE)
-				cm_list[cm_list_len].trace = TRUE;
+				cm_list[cm_list_len].monitor = TRUE;
 			}
 break;
 case 63:
 #line 687 "parse.yacc"
 {
-			    trace_cmnd = FALSE;
+			    monitor_cmnd = FALSE;
 			    if (printmatches == TRUE && host_matches == TRUE &&
 				user_matches == TRUE)
-				cm_list[cm_list_len].trace = FALSE;
+				cm_list[cm_list_len].monitor = FALSE;
 			}
 break;
 case 64:

sudo.tab.h

@@ -14,8 +14,8 @@
 #define PASSWD 270
 #define NOEXEC 271
 #define EXEC 272
-#define TRACE 273
+#define MONITOR 273
-#define NOTRACE 274
+#define NOMONITOR 274
 #define ALL 275
 #define COMMENT 276
 #define HOSTALIAS 277

sudoers.pod

@@ -255,7 +255,7 @@ This flag is I<off> by default.
 
 =item mail_badpass
 
-Send mail to the I<mailto> user if the user running sudo does not
+Send mail to the I<mailto> user if the user running B<sudo> does not
 enter the correct password.  This flag is I<off> by default.
 
 =item mail_no_user
@@ -428,7 +428,7 @@ changes that behavior such that the real UID is left as the invoking
 user's UID.  In other words, this makes B<sudo> act as a setuid
 wrapper.  This can be useful on systems that disable some potentially
 dangerous functionality when a program is run setuid.  Note, however,
-that this means that sudo will run with the real uid of the invoking
+that this means that B<sudo> will run with the real uid of the invoking
 user which may allow that user to kill B<sudo> before it can log a
 failure, depending on how your OS defines the interaction between
 signals and setuid processes.
@@ -453,16 +453,16 @@ the --with-logincap option.  This flag is I<off> by default.
 
 =item noexec
 
-If set, all commands run via sudo will behave as if the C<NOEXEC>
+If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
 tag has been set, unless overridden by a C<EXEC> tag.  See the
 description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
 ESCAPES> section at the end of this manual.  This flag is I<off> by default.
 
-=item trace
+=item monitor
 
-If set, all commands run via sudo will behave as if the C<TRACE>
+If set, all commands run via B<sudo> will behave as if the C<MONITOR>
-tag has been set, unless overridden by a C<NOTRACE> tag.  See the
+tag has been set, unless overridden by a C<NOMONITOR> tag.  See the
-description of I<TRACE and NOTRACE> below as well as the L<PREVENTING
+description of I<MONITOR and NOMONITOR> below as well as the L<PREVENTING
 SHELL ESCAPES> section at the end of this manual.  Be aware that
 tracing is only supported on certain operating systems.  On systems
 where it is not supported this flag will have no effect.
@@ -475,7 +475,7 @@ This is intended for an Enterprises that wish to prevent the usage of local
 sudoers files so that only LDAP is used.  This thwarts the efforts of
 rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
 When this option is present, @sysconfdir@/sudoers does not even need to exist. 
-Since this options tells sudo how to behave when no specific LDAP entries
+Since this options tells B<sudo> how to behave when no specific LDAP entries
 have been matched, this sudoOption is only meaningful for the cn=defaults
 section.  This flag is I<off> by default.
 
@@ -647,7 +647,7 @@ The default value is I<@lecture@>.
 
 =item lecture_file
 
-Path to a file containing an alternate sudo lecture that will
+Path to a file containing an alternate B<sudo> lecture that will
 be used in place of the standard lecture if the named file exists.
 
 =item logfile
@@ -672,7 +672,7 @@ Flags to use when invoking mailer. Defaults to B<-t>.
 =item mailto
 
 Address to send warning and error mail to.  The address should
-be enclosed in double quotes (C<">) to protect against sudo
+be enclosed in double quotes (C<">) to protect against B<sudo>
 interpreting the C<@> sign.  Defaults to C<@mailto@>.
 
 =item exempt_group
@@ -801,7 +801,7 @@ B<notice>, and B<warning>.
  Runas_Spec ::= '(' Runas_List ')'
 
  Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
-	       'TRACE' | 'NOTRACE')
+	       'MONITOR' | 'NOMONITOR')
 
 A B<user specification> determines which commands a user may run
 (and as what user) on specified hosts.  By default, commands are
@@ -836,11 +836,11 @@ but  F</bin/kill> and F</usr/bin/lprm> as B<root>.
 
 A command may have zero or more tags associated with it.  There are
 four possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>,
-C<TRACE> and C<NOTRACE>.
+C<MONITOR> and C<NOMONITOR>.
 Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the
 C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the
-opposite tag (ie: C<PASSWD> overrides C<NOPASSWD> and C<NOTRACE>
+opposite tag (ie: C<PASSWD> overrides C<NOPASSWD> and C<NOMONITOR>
-overrides C<TRACE>).
+overrides C<MONITOR>).
 
 =head3 NOPASSWD and PASSWD
 
@@ -884,22 +884,22 @@ and F</usr/bin/vi> but shell escapes will be disabled.
 See the L<PREVENTING SHELL ESCAPES> section below for more details
 on how C<NOEXEC> works and whether or not it will work on your system.
 
-=head3 TRACE and NOTRACE
+=head3 MONITOR and NOMONITOR
 
 If B<sudo> has been configured with the C<--with-systrace> option,
-the C<TRACE> tag can be used to cause programs spawned by a command
+the C<MONITOR> tag can be used to cause programs spawned by a command
 to be checked against I<sudoers> and logged just like they would
 be if run through B<sudo> directly.  This is useful in conjunction
 with commands that allow shell escapes such as editors, shells and
 paginators.
 
 In the following example, user B<chuck> may run any command on the
-machine research with tracing enabled.
+machine research in monitor mode.
 
- chuck	research = TRACE: ALL
+ chuck	research = MONITOR: ALL
 
 See the L<PREVENTING SHELL ESCAPES> section below for more details
-on how C<TRACE> works and whether or not it will work on your system.
+on how C<MONITOR> works and whether or not it will work on your system.
 
 =head2 Wildcards
 
@@ -1244,7 +1244,7 @@ There are three basic approaches to this problem:
 Avoid giving users access to commands that allow the user to run
 arbitrary commands.  Many editors have a restricted mode where shell
 escapes are disabled, though B<sudoedit> is a better solution to
-running editors via sudo.  Due to the large number of programs that
+running editors via B<sudo>.  Due to the large number of programs that
 offer shell escapes, restricting users to the set of programs that
 do not if often unworkable.
 
@@ -1254,7 +1254,7 @@ Many systems that support shared libraries have the ability to
 override default library functions by pointing an environment
 variable (usually C<LD_PRELOAD>) to an alternate shared library.
 On such systems, B<sudo>'s I<noexec> functionality can be used to
-prevent a program run by sudo from executing any other programs.
+prevent a program run by B<sudo> from executing any other programs.
 Note, however, that this applies only to native dynamically-linked
 executables.  Statically-linked executables and foreign executables
 running under binary emulation are not affected.
@@ -1290,25 +1290,25 @@ executing other commands (such as a shell).  If you are unsure
 whether or not your system is capable of supporting I<noexec> you
 can always just try it out and see if it works.
 
-=item tracing
+=item monitor
 
 On operating systems that support the B<systrace> pseudo-device,
 the C<--with-systrace> configure option can be used to compile
-support for command tracing in B<sudo>.  With B<systrace> support
+support for proccess monitoring in B<sudo>.  In monitor mode
 B<sudo> can transparently intercept a new command, allow or deny
 it based on I<sudoers>, and log the result.  This does require that
 B<sudo> become a daemon that persists until the command and all its
-descendents have finished.
+descendents have exited.
 
-To enable tracing on a per-command basis, use the C<TRACE> tag as
+To enable monitor mode on a per-command basis, use the C<MONITOR>
-documented in the User Specification section above.  Here is that
+tag as documented in the User Specification section above.  Here
-example again:
+is that example again:
 
- chuck	research = TRACE: ALL
+ chuck	research = MONITOR: ALL
 
 This allows user B<chuck> to run any command on the machine research
-with tracing enabled.  Any commands run via shell escapes will be
+in monitor mode.  Any commands run via shell escapes will be logged
-logged by sudo.
+by B<sudo>.
 
 At the time of this writing the B<systrace> pseudo-device comes
 standard with OpenBSD and NetBSD and is available as patches to