SunSHIELD Basic Security Module Guide

Preventing Audit Trail Overflow

If all audit file systems fill up, the audit_warn script sends a message to the console that the hard limit has been exceeded on all audit file systems and also sends mail to the alias. By default, the audit daemon remains in a loop sleeping and checking for space until some space is freed. All auditable actions are suspended.

A site's security requirements may be such that the loss of some audit data is preferable to having system activities suspended due to audit trail overflow. In that case, you can build automatic deletion or moving of audit files into the audit_warn script or set the auditconfig policy to drop records.

How to Prevent Audit Trail Overflow

If your security policy requires that all audit data be saved, do the following:

  1. Set up a schedule to regularly archive audit files and to delete the archived audit files from the audit file system.

  2. Manually archive audit files by backing them up on tape or moving them to an archive file system.

  3. Store context-sensitive information that will be needed to interpret audit records along with the audit trail.

  4. Keep records of what audit files are moved off line.

  5. Store the archived tapes appropriately.

  6. Reduce the volume of audit data you store by creating summary files.

    You can extract summary files from the audit trail using options to auditreduce, so that the summary files contain only records for certain specified types of audit events. An example of this is a summary file containing only the audit records for all logins and logouts. See Chapter 3, Audit Trail Analysis.