[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

System Management Guide: Operating System and Devices

Setting Up Auditing


The following is an overview of the steps you must take to set up an auditing subsystem. Refer to the configuration files noted in these steps for more specific information.

  1. Select system activities (events) to audit from the list in the /etc/security/audit/events file or edit the file to add a new event.
  2. Group your selected audit events into sets of similar items called audit classes. Define these audit classes in the classes stanza of the /etc/security/audit/config file.
  3. Assign the audit classes to the individual users and assign audit events to the files (objects) that you want to audit, as follows:
  4. Configure the type of data collection that you want, using BIN collection, STREAM collection, or both methods:
  5. When you have finished making any necessary changes to the configuration files, you are ready to enable the audit subsystem using the audit command.

Selecting Audit Events

The purpose of an audit is to detect activities that might compromise the security of your system. When performed by an unauthorized user, the following activities violate system security and are candidates for an audit:

To audit an activity, you must identify the command or process that initiates the audit event and ensure that the event is listed in the /etc/security/audit/events file for your system. Then you must add the event either to an appropriate class in the /etc/security/audit/config file, or to an object stanza in the /etc/security/audit/objects file. See the /etc/security/audit/events file on your system for the list of audit events and trail formatting instructions. See the auditpr command for a description of how audit event formats are written and used.

Once you have selected the events to audit, you need to combine similar events into audit classes, as described in the section on selecting audit classes. Audit classes are then assigned to users.

Selecting Audit Classes

You can facilitate the assignment of audit events to users by combining similar events into sets called audit classes. These audit classes are defined in the classes stanza of the /etc/security/audit/config file.

Some typical audit classes might be:

general General events alter the state of the system and change user authentication. Audit attempts to circumvent system access controls.
system Events in the system group modify user and group accounts and install programs.
init Events in the init group are generated by the init program and its immediate descendants, the login and cron programs.

An example of a stanza in the /etc/security/audit/config file follows:

general = USER_SU,PASSWORD_Change,FILE_Unlink,
system = USER_Change,GROUP_Change,USER_Create,
init = USER_Login,USER_Logout

Selecting an Audit Data Collection Method

Your selection of a data collection method depends on how you intend to use the audit data. If you need long-term storage of a large amount of data, select bin collection. If you want to process the data as it is collected, select stream collection. If you need both long-term storage and immediate processing, select both methods.

Bin collection Bin collection lets you store a large audit trail for a long time. Audit records are written to a file that serves as a temporary bin. After the file is filled, the data is processed by the auditbin daemon, and records are written to an audit trail file for storage.
Stream collection Stream collection lets you process audit data as it is collected. Audit records are written into a circular buffer within the kernel, and are retrieved by reading /dev/audit. The audit records can be displayed, printed to provide a paper audit trail, or converted into bin records by the auditcat command.

[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]