Trusted Solaris Audit Administration

Planning Space on a Network of Workstations

A networked system should include audit servers to store audit files for users' workstations, an audit administration server for central audit analysis and backup, and a local audit partition on every workstation. You may want to set filesystem security attributes on the directories and mount points to prevent snooping on the audit trail. Create a worksheet to record your auditing plan, or use another mechanism that helps you track the auditing network that you set up.

  1. Determine how much auditing your site needs to do.

    Balance your site's security needs against the availability of disk space for audit trail storage.

    A rule of thumb is to assign 200 MB of space for each workstation that will be on the distributed system, but remember that the disk space requirement at your site is driven by how much auditing you perform and may be far greater than this figure per workstation. If you are able to dedicate a local and a remote disk to auditing, one way to set up audit partitions is to divide each disk into two partitions.

    "Controlling Audit Costs" and "Auditing Efficiently" provide guidance on how to reduce storage requirements while still maintaining site security.

  2. Decide at what point each audit file system for the workstation sends a warning that it is filling up.

    You will specify what is called the minfree limit for audit partitions in the audit_control file. This is the percentage of disk space that must remain free on an audit file system; when free space drops to this level, the audit_warn script sends an email message to the audit_warn alias telling the audit administrator that the disk is getting full. The default is to send the warning when 20% of the disk space remains. This percentage is tunable.

  3. Determine which workstations will be audit servers.

    You and the system administrator install these workstations before installing the audit client workstations.

  4. Plan a local audit partition for each workstation.

    The local partition provides a backup in cases where the audit server's partitions are full or when the network is unreachable.

  5. Determine which clients will use which audit file systems on which audit server.

    Lay out the auditing network. The following figure shows an audit server, egret, with file systems /etc/security/audit/egret[.n]/files available to store remote hosts' audit records.

    Figure 2-1 Audit Server egret's Audit File Systems


  6. Follow the naming conventions for audit file systems.

    As illustrated in the figure, the convention for naming the audit file systems on a workstation is:

    /etc/security/audit/workstationname/files
    /etc/security/audit/workstationname.1/files
    /etc/security/audit/workstationname.2/files
    /etc/security/audit/workstationname.3/files ...

    For an explanation of the naming scheme, see "Audit Storage".
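The following audit_control fragment ties steps 2, 4, 5 and 6 together for one client. It is an added example, not text from the original page: the client hostname heron is hypothetical, the egret paths are assumed to be the client-side mount points of audit server egret's exported audit file systems from the figure, and the flags values are illustrative. The dir: entries are listed in the order the audit daemon will use them, with the local partition last so that it is the fallback when egret's file systems are full or the network is unreachable. The small shell functions around the fragment are also added here; they parse the fragment and emulate the minfree comparison so the threshold semantics can be checked offline (the free percentage is passed in rather than read from df).

```shell
#!/bin/sh
# Constructed example audit_control for client "heron" (hypothetical name).
# Remote audit file systems on server egret come first; the local audit
# partition /etc/security/audit/heron/files is the last-resort fallback.
AUDIT_CONTROL='dir:/etc/security/audit/egret/files
dir:/etc/security/audit/egret.1/files
dir:/etc/security/audit/heron/files
flags:lo,ad
minfree:20
naflags:lo,ad'

# Print the audit directories in the order the audit daemon will try them.
audit_dirs() {
    printf '%s\n' "$AUDIT_CONTROL" | sed -n 's/^dir:[ ]*//p'
}

# Print the minfree threshold: the percentage of free space at which the
# audit_warn alias is mailed that the file system is filling up.
audit_minfree() {
    printf '%s\n' "$AUDIT_CONTROL" | sed -n 's/^minfree:[ ]*//p'
}

# Emulate the minfree check for one directory. The second argument is the
# percentage of free space (as df would report it on the audit server); it is
# passed in so this runs without the real file systems. Returns 0 while the
# directory is above minfree, 1 when the warning would be sent.
check_dir() {
    dir=$1
    free_pct=$2
    min=$(audit_minfree)
    if [ "$free_pct" -le "$min" ]; then
        echo "WARNING: $dir has ${free_pct}% free, at or below minfree ${min}%" >&2
        return 1
    fi
    return 0
}
```

With the default minfree of 20, check_dir reports a file system at 35% free as healthy and one at 15% free as needing the warning; if your site lowers the threshold, only the minfree: line changes, and the ordering of dir: entries still decides which file system receives records when an earlier one fills.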