Trusted Solaris Audit Administration

Planning Space for Audit Records

Storing audit records on a non-networked workstation involves setting up at least two local partitions dedicated to audit records, one primary and one backup, and planning a maintenance schedule.

Storing audit records for a network of workstations involves setting up a local (backup) partition dedicated to audit records on each workstation, a network of audit servers with partitions for remote (primary) audit storage, and an audit administration server from which the entire audit trail can be monitored. The audit trail is every audit file (audit files hold the audit records generated on a workstation) created by every workstation on the network.

Planning Space on a Non-Networked Workstation

On a non-networked workstation, plan the size of a disk partition to hold audit records. For efficiency, it is best to place the audit records on a separate disk. For safety, you may want to create two audit partitions on that disk, one as the primary storage area and the other as a backup if the first partition gets full. Set filesystem security attributes on the audit directory to prevent snooping on the audit trail.

  1. Estimate the volume of auditing between audit record backups.

    Balance your security needs against the availability of disk space for audit trail storage.

    A rule of thumb is to assign 200 MB of space per workstation. However, the disk space requirements for the workstation are based on how much auditing you perform and may be far greater than this figure.

    "Controlling Audit Costs" and "Auditing Efficiently" provide guidance on how to reduce storage requirements.

  2. Decide at what point the audit file system sends a warning that it is filling up.

    You will specify what is called the minfree limit for audit partitions in the audit_control file. This is the percentage of disk space remaining when the audit administrator is sent an email message (by the audit_warn alias) that the disk is getting full. The default is to send the warning when there is 20% disk space remaining. This percentage is tunable.

Planning Space on a Network of Workstations

A networked system should include audit servers to store audit files for users' workstations, an audit administration server for central audit analysis and backup, and a local audit partition on every workstation. You may want to set filesystem security attributes on the directories and mount points to prevent snooping on the audit trail. Create a worksheet to record your auditing plan, or use another mechanism that helps you track the auditing network that you set up.

  1. Determine how much auditing your site needs to do.

    Balance your site's security needs against the availability of disk space for audit trail storage.

    A rule of thumb is to assign 200 MB of space for each workstation that will be on the distributed system, but remember that the disk space requirements at your site are based on how much auditing you perform and may be far greater than this figure per workstation. If you are able to dedicate a local and a remote disk for auditing, one way to set up audit partitions is to divide each disk into two partitions.

    "Controlling Audit Costs" and "Auditing Efficiently" provide guidance on how to reduce storage requirements while still maintaining site security.

  2. Decide at what point each audit file system for the workstation sends a warning that it is filling up.

    You will specify what is called the minfree limit for audit partitions in the audit_control file. This is the percentage of disk space remaining when the audit administrator is sent an email message (by the audit_warn alias) that the disk is getting full. The default is to send the warning when there is 20% disk space remaining. This percentage is tunable.
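    The minfree check described in this step and in step 2 of the non-networked procedure, as an added shell example that is not part of the manual: it reads the minfree: and dir: lines of an audit_control-style file (the sample file, the fake_df figures and the host names below are constructed) and reports the audit directories whose remaining space has dropped below the threshold, which is the condition under which audit_warn would mail the audit administrator.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris manual: parse an
# audit_control-style file and flag audit directories below minfree.
# The dir:/minfree:/flags:/naflags: layout follows the Solaris BSM
# audit_control format; the sample file itself is constructed here.

SAMPLE_AUDIT_CONTROL=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT_CONTROL"' EXIT
cat > "$SAMPLE_AUDIT_CONTROL" <<'EOF'
# constructed sample: remote (primary) file systems first, local backup last
dir:/etc/security/audit/egret/files
dir:/etc/security/audit/egret.1/files
dir:/etc/security/audit/localhost/files
minfree:20
flags:lo,ad
naflags:lo
EOF

# Print the minfree percentage from an audit_control file (20 when absent,
# matching the default described in the text).
audit_minfree() {
    m=$(sed -n 's/^minfree:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${m:-20}"
}

# Print the dir: entries of an audit_control file, one per line, in order.
audit_dirs() {
    sed -n 's/^dir:[[:space:]]*//p' "$1"
}

# Percent of a file system that is still free, from total and available kB
# (the two numbers df -k reports). Integer arithmetic; a zero-size
# file system counts as full.
percent_free() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( $2 * 100 / $1 ))
}

# True (exit 0) when free_percent is strictly below minfree.
below_minfree() {
    [ "$1" -lt "$2" ]
}

# Walk the dir: entries and print those below minfree. The lookup
# function supplies "total_kb avail_kb" for a path so the check runs
# offline; on a live system it would wrap df -k.
report_full_dirs() {
    ctl=$1; lookup=$2
    min=$(audit_minfree "$ctl")
    audit_dirs "$ctl" | while read -r d; do
        set -- $($lookup "$d")
        pf=$(percent_free "$1" "$2")
        if below_minfree "$pf" "$min"; then
            echo "$d free=${pf}% minfree=${min}%"
        fi
    done
}

# Constructed sizes standing in for df -k output (total_kb avail_kb).
fake_df() {
    case "$1" in
        */egret/files)   echo "2000000 150000" ;;   # 7% free: warn
        */egret.1/files) echo "2000000 900000" ;;   # 45% free
        *)               echo "500000 250000" ;;    # 50% free
    esac
}

report_full_dirs "$SAMPLE_AUDIT_CONTROL" fake_df
```

    On a real system the lookup would call df -k on each directory and the report could feed the audit_warn mail; the threshold comparison itself is the same one the daemon applies when it decides the file system is filling up.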

  3. Determine which workstations will be audit servers.

    The system administrator and you will install these workstations before installing the audit client workstations.

  4. Plan a local audit partition for each workstation.

    The local partition provides a backup in cases where the audit server's partitions are full or when the network is unreachable.

  5. Determine which clients will use which audit file systems on which audit server.

    Lay out the auditing network. The following figure shows an audit server, egret, with file systems /etc/security/audit/egret[.n]/files available to store remote hosts' audit records.

    [Figure 2-1: Audit Server egret's Audit File Systems]

  6. Follow the naming conventions for audit file systems.

    As illustrated in the figure, the convention for naming the audit file systems on a workstation is:

    /etc/security/audit/workstationname/files
    /etc/security/audit/workstationname.1/files
    /etc/security/audit/workstationname.2/files
    /etc/security/audit/workstationname.3/files ...

    For an explanation of the naming scheme, see "Audit Storage".
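    The naming convention above, as an added shell example that is not part of the manual: it builds and validates audit file-system paths of the form /etc/security/audit/workstationname[.n]/files and emits the dir: lines a client's audit_control would carry for its server file systems plus its local backup. The server name egret comes from the figure; the client name heron, the counts and the host-name character class are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris manual: helpers for the
# /etc/security/audit/NAME[.N]/files naming convention.

# Print the path of audit file system number N for a workstation:
# N=0 gives /etc/security/audit/NAME/files, N>=1 gives .../NAME.N/files.
audit_fs_path() {
    name=$1; n=${2:-0}
    if [ "$n" -eq 0 ]; then
        echo "/etc/security/audit/$name/files"
    else
        echo "/etc/security/audit/$name.$n/files"
    fi
}

# Exit 0 when a path follows the convention, 1 otherwise. The suffix must
# be a positive integer (the first file system carries no suffix); the
# host-name character class is an assumption for illustration.
audit_fs_path_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^/etc/security/audit/[A-Za-z0-9][A-Za-z0-9_-]*(\.[1-9][0-9]*)?/files$'
}

# Print the workstation name embedded in a conventional path.
audit_fs_host() {
    printf '%s\n' "$1" |
        sed 's#^/etc/security/audit/\([^/.][^/.]*\)\(\.[0-9][0-9]*\)\{0,1\}/files$#\1#'
}

# Emit audit_control dir: lines for a client that stores on COUNT file
# systems of SERVER (numbered 0..COUNT-1) and keeps its own local
# partition as the last entry. auditd uses dir: entries in the order
# listed, so the local partition is only reached when the server
# file systems are full or unreachable.
plan_client_dirs() {
    server=$1; count=$2; client=$3
    i=0
    while [ "$i" -lt "$count" ]; do
        echo "dir:$(audit_fs_path "$server" "$i")"
        i=$((i + 1))
    done
    echo "dir:$(audit_fs_path "$client" 0)"
}

# Constructed usage: client heron using two file systems on egret.
plan_client_dirs egret 2 heron
```

    Running the validator over a planning worksheet catches paths such as a .0 suffix or a directory outside /etc/security/audit before they are written into audit_control.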