The major maintenance activity is the archiving of audit information. Because security breaches are not always detected while they occur, it is recommended that all audit event log files be archived. An archived log file may prove to be valuable in analyzing a security problem. Audit event log files should not be deleted from archival media (for example, tape). If you must delete old log files to make room for archiving newer log files, examine the old audit data very carefully before deleting it, making sure there are no unusual patterns of activity.
This section describes how to archive audit information. The audit information consists of two basic sets of data:
You can archive audit information with the cpio(1) command.
The cpio command archives files when you use the -o (copy out) option. The standard input is assumed to be a list of path names of the files that will be archived. The output of the command is written to standard output unless the -O option is used to specify an output file.
In the following example, the ls command generates a list of the audit event log files. It is assumed that all the log files have the node name beowulf, so that the command /bin/ls /var/audit/*beowulf lists the names of all the log files. The following command copies all the log files to /dev/rmt/c0s0:
/bin/ls /var/audit/*beowulf | /bin/cpio -o -O /dev/rmt/c0s0
In the next example, the following command copies the audit map files to /dev/rmt/c0s0:
/bin/ls /var/audit/auditmap | /bin/cpio -o -O /dev/rmt/c0s0
For further information, see cpio(C).
You should label the archival medium so that you will know the dates covered by the archived audit event log files.
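The following script is an added example, not part of the manual: it wraps the archiving pipeline shown above, reads the archive's table of contents back to confirm every listed log file is present before the medium is trusted, and prints the information to write on the label. The audit directory, node name and output archive are arguments (the manual's values would be /var/audit, beowulf and /dev/rmt/c0s0); running it against a file instead of a tape device is an assumption made for testing.

```shell
#!/bin/sh
# Added example, not from the manual: archive one node's audit event log
# files with cpio -o (as the manual's pipeline does), verify that every
# listed file made it into the archive, and print the label information
# for the medium. Assumed arguments: the audit directory (the manual uses
# /var/audit), the node name (e.g. beowulf) and the output archive, which
# may be a tape device such as /dev/rmt/c0s0 or, for testing, a file.

archive_audit_logs() {
    auditdir=$1; node=$2; out=$3
    # Same list the manual builds with /bin/ls /var/audit/*<node>. Full
    # paths are kept so cpio can find each file regardless of cwd.
    list=$(ls "$auditdir"/*"$node" 2>/dev/null) || return 1
    [ -n "$list" ] || return 1
    printf '%s\n' "$list" | cpio -o -O "$out" 2>/dev/null || return 1
    # Verify before trusting the medium: read the table of contents back
    # and require every source path to appear in it exactly.
    toc=$(cpio -it -I "$out" 2>/dev/null) || return 1
    for f in $list; do                       # assumes no spaces in names
        printf '%s\n' "$toc" | grep -qxF -- "$f" || return 1
    done
    return 0
}

# Label text for the archival medium: node, date archived, a checksum of
# the archive so later reads can be checked, and the files covered in
# modification-time order (oldest first), which gives the date range.
audit_archive_label() {
    auditdir=$1; node=$2; out=$3
    printf 'node=%s archived=%s\n' "$node" "$(date '+%Y-%m-%d')"
    printf 'archive_cksum=%s\n' "$(cksum < "$out" | cut -d' ' -f1)"
    printf 'files_oldest_to_newest:\n'
    ls -tr "$auditdir"/*"$node"
}
```

Call archive_audit_logs /var/audit beowulf /dev/rmt/c0s0 and then audit_archive_label with the same arguments. Note that the list fed to cpio must contain complete paths; ls prints bare file names when given a directory, so this example lists by glob and checks each listed path against the archive.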