Configuring auditing

Specifying an alternate log file

As previously mentioned, both the auditlog command and the parameters in the /etc/default/audit file may be used to establish continuous auditing. The -A and -a options of the auditlog command set the log full condition to SWITCH and allow the administrator to specify an alternate log file and an alternate node name. The -A option, like -P, requires the absolute pathname of a directory or character special device that already exists. The -a option, like -p, requires a character string of fewer than eight characters that does not contain the slash character (/).

The -n option allows the administrator to specify a program to be executed when the primary log file becomes full. The argument to the -n option must be an absolute pathname to either a shell script or binary executable. If not, one of the following error messages will be displayed:

   full pathname not specified
   program name is not an executable file

In the following example, the auditlog command is used to specify a maximum log file size, a log full condition of SWITCH, the location of the alternate log file, and a program to be executed.

auditlog -x 100 -A /var/audit -n /etc/security/audit/auditmail

The primary log file is created in the directory specified by the AUDIT_DEFPATH parameter. In this case, the default directory /var/audit is assigned to AUDIT_DEFPATH. The -x option limits the size of the audit event log file to 100 blocks. Limiting the size of the log file is necessary because the alternate log file (specified by the -A option) is in the same filesystem as the primary log file. If the -x option were not used, the primary log file would grow until there was no more room on the filesystem. It would then be impossible to open the alternate log file, and audit data could be lost. The value chosen for -x depends on the amount of free space available in the filesystem that contains the audit event log file.

When the primary log file reaches 100 blocks, the log full condition occurs and the auditing subsystem creates a new log file in the directory specified by the -A option. This file will have a sequence number one greater than that of the old primary log file, if the log switch occurs on the same day that the primary log was created. For example, if the old primary log is /var/audit/0415477 and if the day is still April 15, the new log file is /var/audit/0415478. When the new log file has been opened successfully, the program specified by the -n option is executed. In this case, /etc/security/audit/auditmail is a simple shell script created by the audit administrator that sends mail to the user auditor. The script might contain a command similar to the following:

   /usr/bin/mailx -s 'Audit log switch occurred' auditor < /dev/null > /dev/null

Upon receiving the mail from the script, you would archive the old audit event log file, then delete it to restore space in the /var/audit directory. You might also want to archive the audit map files at the same time. "Displaying audit trail information" includes a detailed discussion of the audit map files.

Upon completion of a log switch, the values set by the previous invocation of auditlog are lost. In the example above, the maximum file size would return to its default setting of zero, and the log full condition, alternate log file and program settings would revert to the values assigned to the parameters AUDIT_LOGFULL, AUDIT_DEFPATH and AUDIT_PGM, respectively. If the AUDIT_LOGFULL parameter is set to SWITCH and the AUDIT_PGM parameter to the pathname of the program to be invoked, you need only reissue the auditlog command with the -x option to restore the maximum log file size.

This scheme requires a great deal of attention from the audit administrator. For example, if a log switch occurs at night or when the audit administrator is busy, the alternate log file may become full before the old primary log is archived. To avoid these problems, you can use the -n option to specify a program that will automatically archive the old log file, remove the old log file to free up storage space, and then reissue the auditlog command to reset any log file attributes that changed during the log switch. Therefore, continuous auditing and maintaining the audit event log file can be largely automated.
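The following script is added here as an illustration of such a -n program; it is not part of SCO OpenServer and the auditlog command does not ship with it. It assumes the script is installed as /etc/security/audit/auditswitch, that archived logs go to /home/audit/archive on a filesystem other than the one holding /var/audit, and that audit event logs carry the seven-digit MMDDNNN names shown above. It treats the most recently modified log as the one the auditing subsystem has just opened, copies every older log to the archive, verifies each copy before removing the original, reissues the full auditlog command, and mails the auditor a summary.

```sh
#!/bin/sh
# auditswitch: example -n handler for auditlog (added illustration, not part of
# SCO OpenServer). After a log switch it archives every audit event log in
# AUDIT_DIR except the newest one (the log now being written), removes the
# archived originals, and reissues auditlog to restore the settings that a
# log switch resets. The paths below are assumptions made for this example.

AUDIT_DIR=${AUDIT_DIR:-/var/audit}                  # AUDIT_DEFPATH directory
ARCHIVE_DIR=${ARCHIVE_DIR:-/home/audit/archive}     # assumed: other filesystem
AUDITLOG=${AUDITLOG:-/usr/bin/auditlog}             # assumed location
HANDLER=${HANDLER:-/etc/security/audit/auditswitch} # this script, installed
MAXBLOCKS=${MAXBLOCKS:-100}                         # -x value from the text
ADMIN=${ADMIN:-auditor}

# Audit event logs are named MMDDNNN (e.g. 0415478); match exactly seven digits
# so unrelated files in the directory are never archived or removed.
LOGPAT='[0-9][0-9][0-9][0-9][0-9][0-9][0-9]'

# current_log DIR: name of the most recently modified log in DIR, i.e. the
# file the auditing subsystem opened at the switch. Sorting by modification
# time rather than by name also works across a day or year boundary.
current_log() {
    (cd "$1" && ls -t | grep "^$LOGPAT\$" | head -n 1)
}

# same_filesystem A B: true if A and B are on the same filesystem (mount point
# from df -P). The archive should live elsewhere: if the filesystem holding the
# primary log fills, the alternate log cannot be opened and audit data is lost.
same_filesystem() {
    a=$(df -P "$1" | awk 'NR == 2 { print $NF }')
    b=$(df -P "$2" | awk 'NR == 2 { print $NF }')
    [ "$a" = "$b" ]
}

# archive_old_logs DIR ARCHIVE: copy each log in DIR other than the current one
# to ARCHIVE, verify the copy byte for byte, and only then remove the original.
# Prints the names archived, one per line; returns 1 if any copy failed (the
# original is kept in that case so no audit data is discarded).
archive_old_logs() {
    dir=$1 archive=$2 status=0
    keep=$(current_log "$dir")
    [ -n "$keep" ] || return 0                  # no logs at all: nothing to do
    mkdir -p "$archive" || return 1
    for f in "$dir"/$LOGPAT; do
        [ -f "$f" ] || continue                 # pattern matched nothing
        name=${f##*/}
        [ "$name" = "$keep" ] && continue       # never touch the live log
        if cp "$f" "$archive/$name" && cmp -s "$f" "$archive/$name"; then
            rm -f "$f"
            echo "$name"
        else
            rm -f "$archive/$name"              # discard the incomplete copy
            status=1
        fi
    done
    return $status
}

# reset_auditlog: a log switch discards the values set by the last auditlog
# invocation (-x returns to zero, the rest fall back to /etc/default/audit), so
# reissue the full command every time rather than relying on the defaults.
reset_auditlog() {
    "$AUDITLOG" -x "$MAXBLOCKS" -A "$AUDIT_DIR" -n "$HANDLER"
}

main() {
    status=0
    mkdir -p "$ARCHIVE_DIR"
    same_filesystem "$AUDIT_DIR" "$ARCHIVE_DIR" &&
        echo "auditswitch: warning: $ARCHIVE_DIR shares a filesystem with $AUDIT_DIR" >&2
    archived=$(archive_old_logs "$AUDIT_DIR" "$ARCHIVE_DIR") || status=1
    reset_auditlog || status=1
    # Tell the auditor what happened, not just that a switch occurred.
    printf 'Audit log switch handled (status %s).\nArchived to %s:\n%s\n' \
        "$status" "$ARCHIVE_DIR" "${archived:-none}" |
        mailx -s 'Audit log switch occurred' "$ADMIN"
    return $status
}

# Run the handler only when executed under its installed name; reading this
# file in as a library (for example to test the functions) defines them only.
case "${0##*/}" in
    auditswitch) main ;;
esac
```

Because the copy is verified with cmp before the original is removed, a full or unwritable archive filesystem leaves the old log in place and the script exits non-zero; the mail then shows the failure so the auditor can free space by hand before the alternate log fills in turn.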


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005