In the /etc/security/audit_class file, define the classes needed at your site.
If the default classes are suitable, you do not need to define new ones. See the audit_class(4) man page.
Set up event-to-class mapping in /etc/security/audit_event.
This step is not needed if the default mapping suits your site's needs. See the audit_event(4) man page.
Determine how much auditing your site needs to do.
Balance your site's security needs against the availability of disk space for audit trail storage.
See "Controlling Audit Costs", "Auditing Efficiently", and "Learning About the Audit Trail" for guidance on how to reduce storage requirements while still maintaining site security as well as how to design audit storage.
Determine which machines will be audit servers and which will be clients of the audit servers.
Determine the names and locations of audit file systems.
Plan which machines will use which audit file systems on the audit servers.
After dealing with storage, decide who and what to audit.
Determine which audit classes you want to be audited system-wide and which flags to use to select the audit classes.
Determine if some users will be audited more than others, then decide which flags to use to modify user's audit characteristics.
When the amount of space available goes below the minfree percentage, the audit daemon switches to the next suitable audit file system and send a notice that the soft limit has been exceeded. (What makes an audit file system suitable is defined in "What Makes a Directory Suitable".)
A certain amount of auditing is configured by default on each machine. The default audit_control file contains the lines shown in Table 2-6, which set the audit directory as /var/audit, one system-wide audit flag (lo), a minfree threshold of 20 percent, and one nonattributable flag.Table 2-6 audit_control File Entries
dir:/var/audit flags:lo minfree:20 naflags:ad
Edit the /etc/security/audit_control file.
Specify which audit file systems to use for audit trail storage on this machine.
Make a dir: entry for each audit directory available to the current machine. See "Learning About the Audit Trail" for how to set up the audit directory scheme for the distributed system.
Specify the system-wide audit flags that will apply to all users' processes in the flags: field.
The system-wide audit flags in the flags: field will apply to all users' processes, and you should set the flag the same on every machine.
Change the minfree percentage, if desired, to reduce or enlarge the audit threshold.
Specify the naflags: that will apply to events that cannot be attributed to a particular user.
Use auditconfig to modify the audit policy if modification is desired.
See the auditconfig(1M) man page or "The auditconfig Command". The policy variable is a dynamic kernel variable, so its value is not saved when the system is brought down. Therefore, you should set the desired policy using the appropriate startup script.
In the event of an audit trail overflow, either the cnt policy must be enabled, which allows further system functioning, or an account must be available that can work without being audited. To set up such an account:
In the /etc/passwd file, add the following entry.
This entry must be placed below the entry for the root user for processes owned by root to function properly.
To add a corresponding entry into the /etc/shadow file, type the following.
# pwconv pwconv: WARNING user audit has no password
The password for the audit account will be established in Step d.
In the /etc/security/audit_user file, add the following entry to turn off auditing for the account.
Set a password for the new account using passwd.
# passwd audit
Remember that actions taken through this account are not audited. To protect system integrity, choose a password that is not easily compromised. This example uses an account name of audit. Choose a name more appropriate for your site if you set up such an account.