Audit subsystem

There are several procedures to help protect the audit subsystem.

  • Configure the audit subsystem to record all the relevant security activities of the users. To ensure that the file space needed for auditing is available and is not impaired by other consumers of file system space, set up a dedicated file system for audit data.
  • Protect audit records (such as audit trails, bin files, and all other data stored in /audit) from non-root users.
  • For the BAS/EAL4+ system, bin mode auditing must be set up when the audit subsystem is used. For information about how to set up the audit subsystem, refer to Setting up auditing.
  • At least 20 percent of the available disk space in a system should be dedicated to the audit trail.
  • If auditing is enabled, the binmode parameter in the start stanza of the /etc/security/audit/config file should be set to panic. The freespace parameter in the bin stanza should be set to at least 25 percent of the disk space dedicated to storing the audit trails. The bytethreshold and binsize parameters should each be set to 65 536 bytes.
  • Copy audit records from the system to permanent storage for archival.
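The following script is an added example, not part of the original page: it reads a stanza-format /etc/security/audit/config and reports where the start and bin stanzas deviate from the settings listed above. The sample configuration embedded in it is constructed (deliberately non-compliant in binmode and binsize), and the minimum freespace value is passed in by the caller, since the 25 percent figure depends on the size of the audit file system.

```sh
#!/bin/sh
# Added example (not from the original page): check an AIX-style
# /etc/security/audit/config against the settings listed above.
# Constructed sample; non-compliant in start.binmode and bin.binsize.
SAMPLE_CONFIG='start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        bytethreshold = 65536
        freespace = 65536
        cmds = /etc/security/audit/bincmds'

# audit_cfg_get FILE STANZA KEY: print the value of KEY inside STANZA
# ("name:" header line, followed by indented "key = value" lines).
audit_cfg_get() {
    awk -v stanza="$2" -v key="$3" '
        /^[A-Za-z0-9_]+:[ \t]*$/ { cur = $1; sub(/:.*$/, "", cur); next }
        cur == stanza {
            line = $0; gsub(/[ \t]/, "", line)
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == key) { print substr(line, n + 1); exit }
        }' "$1"
}

# audit_cfg_check FILE MIN_FREESPACE: print one line per deviation; the exit
# status is the number of deviations (0 = compliant). MIN_FREESPACE is the
# caller's 25 percent of the audit file system, in the units freespace uses.
audit_cfg_check() {
    file=$1 min_free=$2 findings=0
    expect() {   # expect STANZA KEY WANTED
        got=$(audit_cfg_get "$file" "$1" "$2")
        [ "$got" = "$3" ] || { echo "$1.$2 = '$got' (expected $3)"; findings=$((findings + 1)); }
    }
    expect start binmode panic          # halt rather than lose audit records
    expect bin bytethreshold 65536
    expect bin binsize 65536
    free=$(audit_cfg_get "$file" bin freespace)
    case $free in
        ''|*[!0-9]*) echo "bin.freespace = '$free' (not a number)"; findings=$((findings + 1)) ;;
        *) [ "$free" -ge "$min_free" ] || { echo "bin.freespace = $free (minimum $min_free)"; findings=$((findings + 1)); } ;;
    esac
    return $findings
}

# Stand-alone run against the constructed sample (reports 2 deviations).
tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
if audit_cfg_check "$tmp" 65536; then echo "compliant"; else echo "deviations: $?"; fi
rm -f "$tmp"
```

On a real system, run audit_cfg_check against /etc/security/audit/config with the minimum freespace computed from the size of the dedicated audit file system.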