Audit events selection

The purpose of an audit is to detect activities that might compromise the security of your system.

When performed by an unauthorized user, the following activities violate system security and are candidates for an audit:

  • Engaging in activities in the Trusted Computing Base
  • Authenticating users
  • Accessing the system
  • Changing the configuration of the system
  • Circumventing the auditing system
  • Initializing the system
  • Installing programs
  • Modifying accounts
  • Transferring information into or out of the system

The audit system does not have a default set of events to be audited. You must select events or event classes according to your needs.

To audit an activity, you must identify the command or process that initiates the audit event and ensure that the event is listed in the /etc/security/audit/events file for your system. Then you must add the event either to an appropriate class in the /etc/security/audit/config file, or to an object stanza in the /etc/security/audit/objects file. See the /etc/security/audit/events file on your system for the list of audit events and trail formatting instructions. For a description of how audit event formats are written and used, see the auditpr command.

After you have selected the events to audit, you must combine similar events into audit classes. Audit classes are then assigned to users.

Audit classes selection

You can facilitate the assignment of audit events to users by combining similar events into audit classes. These audit classes are defined in the classes stanza of the /etc/security/audit/config file.

Some typical audit classes might be as follows:

general
Events that alter the state of the system and change user authentication. Audit attempts to circumvent system access controls.
objects
Write access to security configuration files.
kernel
Events in the kernel class are generated by the process management functions of the kernel.

An example of a stanza in the /etc/security/audit/config file is as follows:

classes:
    general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename
    system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
    init = USER_Login,USER_Logout

Audit data-collection method selection

Your selection of a data-collection method depends on how you intend to use the audit data. If you need long-term storage of a large amount of data, select BIN collection. If you want to process the data as it is collected, select STREAM collection. If you need both long-term storage and immediate processing, select both methods. A description of each of these methods follows:

Bin collection
Allows storage of a large audit trail for a long time. Audit records are written to a file that serves as a temporary bin. After the file is filled, the data is processed by the auditbin daemon while the audit subsystem writes to the other bin file, and records are written to an audit trail file for storage.
Stream collection
Allows processing of audit data as it is collected. Audit records are written into a circular buffer within the kernel, and are retrieved by reading /dev/audit. The audit records can be displayed, printed to provide a paper audit trail, or converted into bin records by the auditcat command.
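The two rules above that are easy to get wrong by hand are that every event named in a class must have an entry in /etc/security/audit/events, and that every class assigned to a user must be defined in the classes stanza. The following checker is an added example, not part of this documentation or of AIX itself. It parses the stanza layout shown in the classes example on this page and, as assumptions not stated on the page, a users: stanza mapping user names to class lists, a start: stanza with binmode/streammode switches, and an auditpr: stanza in the events file with one "EVENT = format" line per event. The configuration and events text it reads are constructed samples embedded in the script, so it runs offline.

```python
"""Checker for an AIX-style audit configuration (added example).

Assumptions (not from the page): a 'users:' stanza of user = class,class;
a 'start:' stanza with binmode/streammode; an 'auditpr:' stanza in the
events file with one 'EVENT = format' line per event; '*' starts a comment.
"""
import re

# Constructed sample of /etc/security/audit/config (not copied from a system).
SAMPLE_CONFIG = """\
start:
    binmode = on
    streammode = off

classes:
    general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename
    system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
    init = USER_Login,USER_Logout
    custom = USER_Login,PROC_Bogus

users:
    root = general,system
    default = init
    oper = general,nosuchclass
"""

# Constructed sample of the auditpr stanza of /etc/security/audit/events.
SAMPLE_EVENTS = """\
auditpr:
    USER_SU = printf "%s"
    PASSWORD_Change = printf "%s"
    FILE_Unlink = printf "%s"
    FILE_Link = printf "%s %s"
    FILE_Rename = printf "%s %s"
    USER_Change = printf "%s %s"
    GROUP_Change = printf "%s %s"
    USER_Create = printf "%s"
    GROUP_Create = printf "%s"
    USER_Login = printf "%s"
    USER_Logout = printf "%s"
    FILE_Open = printf "%s"
"""

STANZA_RE = re.compile(r"^(\w+):\s*$")


def parse_stanzas(text):
    """Parse 'name:' headers followed by 'key = value' lines into
    {stanza: {key: value}}; blank lines and '*' comments are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError("line outside a stanza or malformed: %r" % raw)
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return stanzas


def split_list(value):
    """'A,B, C' -> ['A', 'B', 'C']; class and event lists are comma separated."""
    return [item.strip() for item in value.split(",") if item.strip()]


def defined_events(events_text):
    """Set of event names that have a formatting entry in the auditpr stanza."""
    return set(parse_stanzas(events_text).get("auditpr", {}))


def check_audit_config(config_text, events_text):
    """Return the findings a reviewer of the audit configuration would want."""
    config = parse_stanzas(config_text)
    known = defined_events(events_text)
    classes = {n: split_list(v) for n, v in config.get("classes", {}).items()}
    users = {n: split_list(v) for n, v in config.get("users", {}).items()}

    # 1. An event placed in a class but absent from the events file can never
    #    be formatted by auditpr, so it is silently useless.
    undefined = {c: [e for e in evs if e not in known] for c, evs in classes.items()}
    undefined = {c: evs for c, evs in undefined.items() if evs}

    # 2. A class assigned to a user must exist in the classes stanza.
    unknown = {u: [c for c in cls if c not in classes] for u, cls in users.items()}
    unknown = {u: cls for u, cls in unknown.items() if cls}

    # 3. Defined events that no class covers will never be audited at all.
    in_use = {e for evs in classes.values() for e in evs}
    uncovered = sorted(known - in_use)

    # 4. Which collection method(s) the start stanza turns on.
    start = config.get("start", {})
    methods = [m for m in ("bin", "stream") if start.get(m + "mode", "off").lower() == "on"]

    return {"undefined_events": undefined, "unknown_classes": unknown,
            "uncovered_events": uncovered, "collection_methods": methods}


if __name__ == "__main__":
    for key, val in check_audit_config(SAMPLE_CONFIG, SAMPLE_EVENTS).items():
        print("%-20s %s" % (key, val))
```

Run against the embedded samples, the checker reports the misspelled event PROC_Bogus in class custom, the undefined class nosuchclass assigned to oper, FILE_Open as a defined event that no class audits, and bin as the only collection method enabled. To check a real system, read /etc/security/audit/config and /etc/security/audit/events into the two text arguments; the checker only reads, it does not change either file.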