Rolling out the auditing plan to the systems is a job shared by the system administrator, who sets up the disks and the network of audit storage, and the security administrator, who decides what is to be audited and enters that information in the audit configuration files. Together, they set up an audited network of systems where:
From one host, the audit analyst is able to read every audit file on every host in the network, and the system operator is able to back up every audit file on every host on the network.
How: Create an administration server, and mount all audit directories on the server.
The audit trail is not available for snooping.
How: Protect audit directories with appropriate discretionary access controls and mandatory access controls. You may want to audit directory access.
Each host in a Trusted Solaris distributed system writes records to the audit trail from the first time it enters multiuser mode, and continuously thereafter.
How: Create audit servers before you create user systems. On all systems, create a dedicated audit partition during installation.
Every system is audited identically.
How: Create a central location for all audit configuration files that are not controlled by the Solaris Management Console: audit_event, audit_class, audit_control, audit_startup, and audit_warn. The examples use the directory /export/home/tmp on the NIS+ master. Copy these files to a tape or diskette, and copy them from it to every system.
When an end user's system is configured, it is able to immediately send its audit records to an audit server.
How: Create the audit servers and configure them for receiving audit records before the end user systems are set up. Create a procedure to copy the system-wide audit configuration files to each host and to modify the audit_control file for the audit storage locations for that host.
End users' systems are not slowed down by writing audit records.
How: Regular archiving of the audit trail frees up audit server disk space. Placing the local audit storage on a separate or little-used disk keeps an end user's system responsive when audit records have to be stored locally, for example while the audit server is unreachable.
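The per-host copy procedure described above (install the site-wide files unchanged, then rewrite audit_control with that host's audit storage locations) can be scripted. The following is an added example, not a script from the Trusted Solaris documentation: the staging directory, the target directory, the audit server name and the /etc/security/audit/<server>/files naming are assumptions for illustration, while the audit_control keywords (dir:, flags:, naflags:, minfree:) are the ones the file actually uses.

```shell
#!/bin/sh
# Added example, not part of the Trusted Solaris documentation.
# Installs the site-wide audit configuration on one host and builds that
# host's audit_control from the site template plus its own dir: entries.
# Usage (as root, after mounting the central copy or inserting the diskette):
#   . ./audit_rollout.sh
#   install_site_files /mnt/site /etc/security
#   make_audit_control /mnt/site/audit_control /etc/security/audit_control \
#       $(audit_dirs_for auditsrv)
#   check_audit_control /etc/security/audit_control && echo ok

# Files that must be identical on every host. audit_control is generated
# per host because its dir: lines name that host's storage locations.
SITE_FILES="audit_event audit_class audit_startup audit_warn"

# install_site_files SRC DST
# Copy the unchanged site-wide files from SRC (the central copy, assumed to
# be /export/home/tmp on the NIS+ master mounted or copied from a diskette)
# into DST (normally /etc/security). Fails if any file is missing from SRC,
# so a half-complete diskette never produces a half-configured host.
install_site_files() {
    src=$1; dst=$2
    for f in $SITE_FILES; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp -p "$src/$f" "$dst/$f" || return 1
    done
}

# make_audit_control TEMPLATE OUT DIR...
# Keep every non-dir: line of the site template (flags:, naflags:, minfree:)
# and append one dir: line per storage location given, in the order given:
# auditd fills the first directory and moves to the next once the first
# drops below minfree, so list the audit server first and a local spill
# directory last.
make_audit_control() {
    template=$1; out=$2; shift 2
    sed '/^dir:/d' "$template" > "$out" || return 1
    for d in "$@"; do
        printf 'dir:%s\n' "$d" >> "$out"
    done
}

# check_audit_control FILE
# Sanity check before the host is put into multiuser mode: at least one
# absolute dir: path, the flags:, naflags: and minfree: lines present, and
# no relative dir: path (a typo there would leave records unwritten).
check_audit_control() {
    f=$1
    grep -q '^dir:/' "$f" || return 1
    grep -q '^flags:' "$f" || return 1
    grep -q '^naflags:' "$f" || return 1
    grep -q '^minfree:[0-9]' "$f" || return 1
    ! grep -q '^dir:[^/]' "$f"
}

# audit_dirs_for SERVER
# Site policy, assumed for this example: the directory mounted from the
# audit server first, then a local directory on its own little-used disk
# so the end user's system keeps working if the server is unreachable.
audit_dirs_for() {
    server=$1
    printf '%s\n' "/etc/security/audit/$server/files" "/var/audit"
}
```

Run it on every new host after the audit server exists, so the host never spends time in multiuser mode with an audit_control that points nowhere; the check function is what the rollout procedure should gate on before enabling auditing.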