Trusted Solaris Audit Administration

Preventing Audit Trail Overflow

When all audit file systems for a workstation fill up, the audit_warn script sends a message to the console stating that the hard limit has been exceeded on all audit file systems, and also sends mail to the audit_warn alias. By default, the audit daemon remains in a loop, sleeping and checking for space until some space is freed. While it waits, all auditable actions are suspended. This is the behavior when the ahlt audit policy is in effect.

Site security policy may permit a different response. The alternatives are to prevent overflow from ever occurring, or to accept the loss of records and keep a count of the audit records that are dropped.

If your security policy requires that overflow be prevented so that no audit data is ever lost, see "To Prevent Audit Trail Overflow by Planning Ahead".


Note -

The audit system can be configured to discard audit records when the kernel audit buffer overflows. Such a configuration is not an evaluated configuration of the system; in an evaluated configuration the system must be configured to suspend when the audit buffer overflows.


If your security policy permits the loss of some audit data rather than the suspension of system activity because of audit trail overflow, you can set the auditconfig policy to drop records and keep a count of the dropped records. See "To Handle an Audit Filesystem Overflow" for how to do this.

If your security policy requires you to handle file system overflow by halting the affected workstation, you must bring the workstation back up in single-user mode to recover it. This is not a secure practice. See "To Handle an Audit Filesystem Overflow" for the procedure.

To Prevent Audit Trail Overflow by Planning Ahead

If your security policy requires that all audit data be saved, do the following:

  1. Set up a schedule to regularly archive audit files and to delete the archived audit files from all audit file systems.

    The schedule must allow files to be deleted from the audit file systems before their hard limit is reached. Scripts, including a modified audit_warn script, can automatically move closed audit files to a separate disk before they are archived.

  2. Manually archive audit files by backing them up on tape or moving them to an archive file system.

  3. Store context-sensitive information that will be needed to interpret audit records along with the audit trail.

    For example, the current list of users and their password database entries, the directory listings on the workstations, and other volatile information should be saved. This material is sensitive (the password data in particular), so protect the saved copies at least as strictly as the audit trail itself.

  4. Keep records of what audit files are moved off line.

  5. Store the archived tapes appropriately.

  6. Reduce the volume of audit data you store by creating summary files.

    You can extract summary files from the audit trail with options to auditreduce, so that a summary file contains only the records for specified audit classes or event types. An example is a summary file containing only the audit records for all logins and logouts. See Chapter 3, Audit Trail Management and Analysis.
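The archiving, record-keeping and summary steps above, as an added example that is not part of the Trusted Solaris documentation: a POSIX sh script that moves only closed audit files out of the audit file systems (step 1), appends a line per file to a log so there is a record of what went off line (step 4), and optionally builds a login/logout summary with auditreduce -c lo (step 6). The audit directory, archive directory and log paths are assumptions to be replaced with the site's audit_control dir: entries; the file naming it relies on is the Solaris convention start.stop.hostname for a closed audit file and start.not_terminated.hostname for the file the daemon is still writing, which must never be moved.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris documentation): rotate closed
# audit files into an archive area, log every move, optionally summarize.
# Paths below are assumptions; replace them with the site's audit_control
# "dir:" entries and archive location.
AUDIT_DIRS="${AUDIT_DIRS:-/etc/security/audit/localhost/files}"
ARCHIVE="${ARCHIVE:-/var/audit_archive}"
LOG="${LOG:-$ARCHIVE/moved.log}"

# A closed audit file is named start.stop.host. The file currently being
# written is named start.not_terminated.host and is left in place.
is_closed_audit_file() {
    case "$1" in
        *.not_terminated.*) return 1 ;;
        [0-9]*.[0-9]*.*)    return 0 ;;
        *)                  return 1 ;;
    esac
}

# Move every closed audit file in $AUDIT_DIRS to $ARCHIVE and append one
# line per file (UTC time, source, destination, size) to $LOG. The log
# line is written only after the move succeeded, so the log never claims
# a file is off line when it is not. Prints the number of files moved.
archive_closed_files() {
    moved=0
    mkdir -p "$ARCHIVE" || return 1
    for d in $AUDIT_DIRS; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            name=$(basename "$f")
            is_closed_audit_file "$name" || continue
            size=$(wc -c < "$f" | tr -d ' ')
            mv "$f" "$ARCHIVE/$name" || return 1
            printf '%s %s %s %s\n' "$(date -u +%Y%m%dT%H%M%SZ)" \
                "$f" "$ARCHIVE/$name" "$size" >> "$LOG"
            moved=$((moved + 1))
        done
    done
    echo "$moved"
}

# Build a summary file holding only login/logout records (audit class lo)
# from the archived files, as the page suggests doing with auditreduce.
# Returns 2 when auditreduce is not present (for example on a non-Solaris
# host), so the rotation above can still be used and tested elsewhere.
make_login_summary() {
    command -v auditreduce >/dev/null 2>&1 || {
        echo "auditreduce not found; summary skipped" >&2
        return 2
    }
    out="$ARCHIVE/summary.lo.$(date -u +%Y%m%d)"
    auditreduce -c lo "$ARCHIVE"/[0-9]*.[0-9]*.* > "$out" || return 1
    echo "$out"
}

# Invoked as "sh rotate.sh run" (for example from cron); defining-only
# when sourced or run without the argument.
if [ "${1:-}" = "run" ]; then
    archive_closed_files
    make_login_summary || [ $? -eq 2 ]
fi
```

Schedule the script often enough that the audit file systems are emptied well before their hard limit, and keep the log next to the archive: it is the record of what was moved off line that step 4 asks for.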

To Handle an Audit Filesystem Overflow

    To set the audit policy so that a count of dropped audit records is kept when the audit file systems are full, as role secadmin, at label admin_low:


    $ auditconfig -setpolicy +cnt
    


Caution -

To run auditing in an evaluated configuration, the cnt policy must not be turned on. Confirm the active policy with auditconfig -getpolicy before relying on the configuration.


    To set the audit policy so that the workstation halts when its audit file systems are full:


    $ auditconfig -setpolicy +ahlt
    

To make either policy permanent, add the command to the audit_startup(1M) script, which sets the audit policy at boot. See "To Set Audit Policy Permanently" for how to edit the script.


Note -

On a distributed system, the same audit policy should be applied to all workstations.
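A check to go with the caution above and with the note that every workstation must carry the same policy, as an added example that is not part of the Trusted Solaris documentation: a POSIX sh script that reads the live policy with auditconfig -getpolicy and reports whether cnt is off and ahlt is on. The output line format "audit policies = a,b" that the parser expects, and the required and forbidden policy sets, are assumptions; adjust the sets to site policy and run the script as the secadmin role on each workstation.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris documentation): verify the
# active kernel audit policy against what the site requires, so that cnt
# is never left on by accident in an evaluated configuration.
# Defaults are assumptions matching the caution above: suspend on overflow
# (ahlt on) and never drop or count records (cnt off).
REQUIRED_ON="${REQUIRED_ON:-ahlt}"
REQUIRED_OFF="${REQUIRED_OFF:-cnt}"

# Turn a line such as "audit policies = cnt,ahlt" (assumed output format
# of auditconfig -getpolicy) into a space-separated list of policy names.
# "none" means no policy flags are set and yields an empty list.
parse_policy_line() {
    set -- $(printf '%s\n' "$1" | sed 's/^[^=]*= *//' | tr ',' ' ')
    [ "${1:-}" = "none" ] && shift
    echo "$*"
}

# Return 0 when every REQUIRED_ON policy is present and no REQUIRED_OFF
# policy is present in the given policy line; print each violation.
check_policy_line() {
    active=$(parse_policy_line "$1")
    rc=0
    for p in $REQUIRED_ON; do
        case " $active " in
            *" $p "*) ;;
            *) echo "missing required policy: $p"; rc=1 ;;
        esac
    done
    for p in $REQUIRED_OFF; do
        case " $active " in
            *" $p "*) echo "forbidden policy is on: $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Live check against the running kernel; run as a role allowed to read
# the policy (secadmin in the procedure above).
check_live_policy() {
    check_policy_line "$(auditconfig -getpolicy)"
}

# Invoked as "sh checkpolicy.sh check"; exit status is non-zero on any
# violation, so it can be used from a distributed configuration check.
if [ "${1:-}" = "check" ]; then
    check_live_policy
fi
```

Running the same check with the same REQUIRED_ON and REQUIRED_OFF values on every workstation is a direct way to confirm the uniform policy the note above calls for.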