Trusted Solaris Audit Administration

Planning Space on a Network of Hosts

Storing audit records for a network of hosts involves setting up a local (backup) partition dedicated to audit records on each host, a network of audit servers with partitions for remote (primary) audit storage, and an audit administration server from which the entire audit trail can be monitored. The audit trail is every audit file created by every system on the network (an audit file holds the audit records generated on a system).

A networked system should include audit servers to store audit files for users' systems, an audit administration server for central audit analysis and backup, and a local audit partition on every host. You may want to set filesystem security attributes on the directories and mount points to prevent snooping on the audit trail. Create a worksheet to record your auditing plan, or use another mechanism that helps you track the auditing network that you set up.

  1. Determine how much auditing your site needs to do.

    Balance your site's security needs against the availability of disk space for audit trail storage.

    A rule of thumb is to assign 200 MB of space for each host that will be on the distributed system, but remember that the disk space requirements at your site are based on how much auditing you perform and may be far greater than this figure per host. If you can dedicate both a local and a remote disk to auditing, one way to set up audit partitions is to divide each disk into two partitions.

    The sections Controlling Audit Costs and Auditing Efficiently provide guidance on how to reduce storage requirements while still maintaining site security.

  2. Decide at what point each audit file system on the system sends a warning that it is filling up.

    You will specify what is called the minfree limit for audit partitions in the audit_control file. This is the percentage of disk space remaining at which the audit administrator is sent an email message (through the audit_warn alias) that the disk is getting full. The default is to send the warning when 20% of the disk space remains. This percentage is tunable.

  3. Determine which hosts will be audit servers.

    The install team will install these systems before installing the audit client systems.

  4. Plan a local audit partition for each system.

    The local partition provides a backup in cases where the audit server's partitions are full or when the network is unreachable.

  5. Determine which clients will use which audit file systems on which audit server.

    Lay out the auditing network. The following figure shows an audit server, egret, with file systems /etc/security/audit/egret[.n]/files available to store remote hosts' audit records.

    Figure 2–1 Audit Server egret's Audit File Systems


  6. Follow the naming conventions for audit file systems.

    As illustrated in the figure, the convention for naming the audit file systems on a system is:

    /etc/security/audit/system_name/files
    /etc/security/audit/system_name.1/files
    /etc/security/audit/system_name.2/files
    /etc/security/audit/system_name.3/files …
    

    For an explanation of the naming scheme, see Audit Storage.
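The following hypothetical Python helper is an added example, not part of the Trusted Solaris documentation or tools. It turns the plan from steps 2, 5 and 6 into concrete artifacts: the audit file system names for a server, the dir: and minfree: lines of a client's audit_control file (remote primary directories first, local backup last), and a check of which file systems have crossed the minfree threshold. It assumes the audit_control keywords dir: and minfree:, that clients mount a server's audit file systems at the same paths the server uses, and that the usage figures are kbytes as df -k reports them.

```python
"""Hypothetical planning helpers for an audit-storage network (added example,
not Trusted Solaris code). Assumptions: audit_control uses the dir: and
minfree: keywords, and clients mount each server file system at the same
path the server exports it under."""


def audit_file_systems(server, count):
    """Audit file system paths for a server, following the
    /etc/security/audit/system_name[.n]/files naming convention."""
    paths = []
    for n in range(count):
        name = server if n == 0 else f"{server}.{n}"
        paths.append(f"/etc/security/audit/{name}/files")
    return paths


def audit_control(client, remote_dirs, minfree=20):
    """dir:/minfree: lines for a client's audit_control file. Remote
    (primary) directories come first; the client's own local partition is
    listed last so it is used only when the servers are full or unreachable."""
    lines = [f"dir:{d}" for d in remote_dirs]
    lines.append(f"dir:/etc/security/audit/{client}/files")
    lines.append(f"minfree:{minfree}")
    return "\n".join(lines) + "\n"


def filling_up(usage, minfree=20):
    """Given {path: (kbytes_total, kbytes_used)} in df -k terms, return the
    audit file systems whose remaining space is at or below the minfree
    percentage, i.e. the ones the audit_warn alias would be mailed about."""
    warn = []
    for path, (total, used) in usage.items():
        free_pct = 100 * (total - used) / total
        if free_pct <= minfree:
            warn.append(path)
    return warn


if __name__ == "__main__":
    remote = audit_file_systems("egret", 3)
    print(audit_control("heron", remote))  # heron is a constructed client name
    # constructed sample figures, not real df output
    sample = {remote[0]: (2_000_000, 1_700_000), remote[1]: (2_000_000, 500_000)}
    print(filling_up(sample))
```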