Trusted Solaris Audit Administration

Auditing a Workstation

Auditing is set per workstation by the security administrator in the file audit_control. This file on each workstation is read by the audit daemon (see the audit_control(4) man page). The audit_control file is located in the /etc/security directory.

A separate audit_control file is maintained on each workstation because the dir: lines, and perhaps the minfree: line, are specific to that workstation. In a distributed system, the remaining lines (flags: and naflags:) should be identical on every workstation.

You specify four kinds of information in four kinds of lines in the audit_control file: flags: lines (the audit classes preselected for events that can be attributed to a user), naflags: lines (the classes preselected for events that cannot be attributed to a user), the minfree: line (the percentage of free space below which the audit_warn script is run and the audit daemon moves on to the next audit directory), and dir: lines (one per audit directory, used in the order listed).

The security administrator modifies the default audit_control file during the configuration process on each workstation.

After the audit_control file is configured, the security administrator on a distributed system distributes it to the other workstations. After any change in the file, the administrator runs audit -s on every workstation on the network to instruct the audit daemon to reread its audit_control file.


Note -

The audit -s command does not change the preselection mask for existing processes. Use auditconfig, setaudit (see the getauid(2) man page), or auditon(2) for existing processes.


Sample audit_control File

Following is a sample audit_control file for the workstation willet. willet uses two audit file systems on the audit server egret, and a third audit file system mounted from the audit administration server audubon, which is used to store audit records only when the audit file systems on egret fill up or are unavailable. The minfree value of 20 percent specifies that the warning script (see the audit_warn(1M) man page) is run when a file system is 80 percent full; the audit data for the current workstation is then stored in the next available audit directory, if any. The flags specify that all logins and administrative operations are to be audited (whether or not they succeed), and that failures of all types except failures to create a file system object are to be audited.

flags:lo,ad,-all,^-fc
naflags:lo,nt
minfree:20
dir:/etc/security/audit/egret/files
dir:/etc/security/audit/egret.1/files
#
# Audit filesystem used when egret fills up
#
dir:/etc/security/audit/audubon
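The following Python script is an added example for this page, not Sun's code: it parses the sample audit_control file above and evaluates the flags: and naflags: preselection the way audit_control(4) defines the prefixes (no prefix for both outcomes, + for success, - for failure, ^ to turn an outcome off again), so you can check what a line such as lo,ad,-all,^-fc actually selects before distributing the file. The class list is the standard BSM set from audit_class(4) and is an assumption; a site's audit_class file may define additional classes. The sample text is constructed from the file shown above.

```python
"""Parse an audit_control file and evaluate the preselection it expresses.

Added example for this page, not Sun code: it models the file syntax in
audit_control(4) and does not talk to the audit daemon.  The class list is
the standard BSM set from audit_class(4) and is an assumption; a Trusted
Solaris site may define more.
"""

# Constructed sample: the audit_control file for willet shown on this page.
SAMPLE = """\
flags:lo,ad,-all,^-fc
naflags:lo,nt
minfree:20
dir:/etc/security/audit/egret/files
dir:/etc/security/audit/egret.1/files
#
# Audit filesystem used when egret fills up
#
dir:/etc/security/audit/audubon
"""

# Standard BSM audit classes (assumption: your audit_class(4) may add more).
CLASSES = ("fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt", "ip",
           "na", "ad", "lo", "ap", "io", "ex", "ot")


def parse_audit_control(text):
    """Return a dict with the four line kinds: flags, naflags, minfree, dir.

    '#' comment lines and blank lines are ignored.  dir: may repeat (the
    daemon tries the directories in order); the other three may not.
    """
    conf = {"flags": [], "naflags": [], "minfree": None, "dir": []}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or key not in conf:
            raise ValueError("line %d: unknown or malformed entry %r" % (lineno, raw))
        if key != "dir" and key in seen:
            raise ValueError("line %d: duplicate %s: line" % (lineno, key))
        seen.add(key)
        if key == "dir":
            conf["dir"].append(value.strip())
        elif key == "minfree":
            pct = int(value)
            if not 0 <= pct <= 100:
                raise ValueError("line %d: minfree must be 0..100" % lineno)
            conf["minfree"] = pct
        else:  # flags / naflags: comma-separated class tokens
            conf[key] = [tok.strip() for tok in value.split(",") if tok.strip()]
    if not conf["dir"]:
        raise ValueError("at least one dir: line is required")
    return conf


def preselection(tokens, classes=CLASSES):
    """Evaluate a flags:/naflags: list, left to right, into a per-class mask.

    Prefix rules from audit_control(4): no prefix audits both outcomes,
    '+' only successes, '-' only failures, and a leading '^' turns the
    named outcome(s) off again.  'all' stands for every class, so
    'lo,ad,-all,^-fc' reads: lo and ad fully, every other failure,
    except that failed file creation (fc) is dropped again.
    """
    mask = {cls: {"success": False, "failure": False} for cls in classes}
    for tok in tokens:
        negate = tok.startswith("^")
        body = tok[1:] if negate else tok
        if body.startswith("+"):
            outcomes, name = ("success",), body[1:]
        elif body.startswith("-"):
            outcomes, name = ("failure",), body[1:]
        else:
            outcomes, name = ("success", "failure"), body
        targets = classes if name == "all" else (name,)
        for cls in targets:
            if cls not in mask:
                raise ValueError("unknown audit class %r in token %r" % (name, tok))
            for outcome in outcomes:
                mask[cls][outcome] = not negate
    return mask


def audited(mask, cls, succeeded):
    """Would an event of class cls with this outcome be recorded?"""
    return mask[cls]["success" if succeeded else "failure"]


def choose_audit_dir(dirs, unavailable):
    """First dir: entry that is neither full nor unreachable, else None.

    Mirrors the page: egret's file systems first, then audubon's once
    they fill up or are unavailable.
    """
    for d in dirs:
        if d not in unavailable:
            return d
    return None


if __name__ == "__main__":
    conf = parse_audit_control(SAMPLE)
    mask = preselection(conf["flags"])
    for cls in ("lo", "ad", "fc", "fw"):
        print(cls, "success" if audited(mask, cls, True) else "-",
              "failure" if audited(mask, cls, False) else "-")
    print("next dir:", choose_audit_dir(conf["dir"], {conf["dir"][0]}))
```

Run it against a candidate audit_control before distributing the file: a typo in a class name or a duplicate minfree: line is reported as a ValueError, and the printed mask shows that lo and ad are recorded for both outcomes while a failed file creation (fc) is not, which is what the ^-fc token is meant to achieve.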