Trusted Solaris Audit Administration

Workstations are Being Audited Differently

If you change audit configuration files on one workstation and fail to copy the files to the other workstations on the network, the workstations will be audited differently. To bring them back into agreement:

  1. As role secadmin, at label admin_low, copy the audit configuration files from a central location to every workstation.

    Follow the procedure in "To Distribute Audit Configuration Files to a Network of Workstations".

  2. Check that the audit class mappings for attributable and nonattributable events match the kernel cache.

To Set Audit Class Mappings for Attributable Events

  1. First, as role secadmin at label admin_low, check to see if the kernel preselection mask matches the class mappings in the flags: field of the audit_control(4) file by issuing the command:


    $ auditconfig -chkconf
    

  2. If the runtime class mappings differ from the kernel cache, issue the command:


    $ auditconfig -conf
    

To Set Audit Class Mappings for Non-Attributable Audit Events

  1. First, as role secadmin at label admin_low, check to see if the kernel preselection mask matches the nonattributable events in the naflags: field of the audit_control(4) file by issuing the command:


    $ auditconfig -getkmask
    

  2. If they differ, issue the command:


    $ auditconfig -setkmaskac
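
The comparison in step 1 of the non-attributable procedure can be scripted. The following is an added example, not part of the original Trusted Solaris documentation: it compares the naflags: entry of an audit_control file with the flag names printed by auditconfig -getkmask. The function names are hypothetical, the sample data is constructed, and the assumed output form of -getkmask is "... = <flags>(<hex>,<hex>)" on one line.

```shell
#!/bin/sh
# Added example: decide whether the kernel non-attributable mask matches
# the naflags: line of audit_control. Flag names are compared as a set,
# so "lo,na" and "na,lo" are treated as equal.

# Read audit_control text on stdin; print naflags: values, one per line, sorted.
naflags_of() {
    sed -n 's/^naflags:[[:space:]]*//p' | tail -1 |
        tr -d ' \t' | tr ',' '\n' | sed '/^$/d' | sort -u
}

# Read `auditconfig -getkmask` output on stdin; print flag names, sorted.
# Assumed format: "<text> = <flags>(<hex>,<hex>)".
kmask_of() {
    sed -n 's/^.*=[[:space:]]*\([^(]*\)(.*$/\1/p' |
        tr -d ' \t' | tr ',' '\n' | sed '/^$/d' | sort -u
}

# $1 = audit_control text, $2 = -getkmask output.
# Returns 0 when the two flag sets are identical, 1 otherwise.
naflags_match() {
    want=$(printf '%s\n' "$1" | naflags_of)
    have=$(printf '%s\n' "$2" | kmask_of)
    [ "$want" = "$have" ]
}

# Constructed sample input (not captured from a real workstation).
SAMPLE_CONTROL='dir:/var/audit
flags:lo,ad
minfree:20
naflags:lo,na'
SAMPLE_KMASK_OK='audit flags for non-attributable events = na,lo(0x1400,0x1400)'
SAMPLE_KMASK_STALE='audit flags for non-attributable events = lo(0x1000,0x1000)'

for sample in "$SAMPLE_KMASK_OK" "$SAMPLE_KMASK_STALE"; do
    if naflags_match "$SAMPLE_CONTROL" "$sample"; then
        echo "match: kernel mask agrees with naflags:"
    else
        echo "MISMATCH: run auditconfig -setkmaskac"
    fi
done

# On a live workstation, as role secadmin at label admin_low:
#   naflags_match "$(cat /etc/security/audit_control)" "$(auditconfig -getkmask)"
```

Running the same check on every workstation after distributing the configuration files shows which hosts still carry a stale kernel mask.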