Maintaining the auditing system

Archiving audit information

The major maintenance activity is the archiving of audit information. Because security breaches are not always detected while they occur, it is recommended that all audit event log files be archived. An archived log file may prove to be valuable in analyzing a security problem. Audit event log files should not be deleted from archival media (for example, tape). If you must delete old log files to provide room for archiving newer log files, examine the old audit data very carefully before deleting it, making sure there are no unusual patterns of activity.

This section describes how to archive audit information. The audit information consists of two basic sets of data: the audit event log files, and the audit map files that describe the system which generated them.

It is necessary to archive both sets of data; otherwise you may get misleading information if you process a log file with audit map files that do not reflect the system that generated the log file.

You can archive audit information with the cpio(1) command.

The cpio command archives files when you use the -o (copy out) option. It reads from standard input a list of path names of the files to be archived. The output of the command is written to standard output unless the -O option is used to specify an output file.

In the following example, the ls command generates a list of the audit event log files in the /var/audit directory. It is assumed that all the log files carry the node name beowulf, so that the command ls /var/audit/*beowulf lists the names of all the log files. The following command copies all the log files to the device /dev/rmt/c0s0.

/bin/ls /var/audit/*beowulf | /bin/cpio -o -O /dev/rmt/c0s0

The next command copies the audit map files to the same device, /dev/rmt/c0s0.

/bin/ls /var/audit/auditmap | /bin/cpio -o -O /dev/rmt/c0s0

For further information, see cpio(C).

You should label the archival medium so that you will know the dates covered by the archived audit event log files.


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005