How to Create Audit Partitions and Export Them

1. Assign at least one primary audit directory to each machine.

   The primary audit directory is the directory where a machine places its audit files under normal conditions.

2. Assign at least one secondary audit directory to each machine that is located on a different audit file server than the primary directory.

   The secondary audit directory is where a machine places audit files if the primary directory is full or inaccessible, because of network failure, NFS server crash, or some other reason.

3. On every diskfull machine create a local audit directory of last resort (preferably a dedicated audit file system) that is used when the network is inaccessible or the primary and secondary directories are unusable.

4. Spread the directories used as primary and secondary destinations evenly over the set of audit servers in the system.

5. Create audit file systems according to the requirements discussed in this section.

   The /etc/security directory contains subdirectories with all the audit files and also contains several other files related to audit control. Because the /etc/security directory contains the per-machine audit_data file, which must be available for successful startup of the audit daemon at boot time, the /etc/security directory must be part of the root file system.

   The audit post-selection tools look in directories under /etc/security/audit by default. For this reason, the path name of the mount point for the first audit file system on an audit server is in the form: /etc/security/audit/server-name (where server-name is the name of the audit server). If more than one audit partition is on an audit server, the name of the second mount point is: /etc/security/audit/server-name.1, the third is /etc/security/audit/server-name.2, and so forth.

   For example, the names of the audit file systems available on the audit server winken are /etc/security/audit/winken and /etc/security/audit/winken.1.

   On the audit server, each audit file system must also have a subdirectory named files. This files subdirectory is where the audit files are located and where the auditreduce commands looks for them. For example, the audit file system on audit server winken should have a files subdirectory whose full path name is: /etc/security/audit/winken/files.

   You should make sure that the local audit_control file on each machine tells the audit daemon to put the audit files in the files subdirectory. Here is the dir: line for the audit_control file on a machine mounting the audit file system from eagle:

   dir: /etc/security/audit/eagle/files

   The extra level of hierarchy is required to prevent a machine's local root file system from filling with audit files when (for whatever reason) the /etc/security/audit/server-name[.suffix] directory is not available on the audit server. Because the files subdirectory is present on the audit server and there should be no files subdirectory on any of the clients, audit files cannot be created unintentionally in the local mount-point directory if the mount fails.

   Make sure that each audit directory contains nothing except audit files.

6. Assign the required permissions to the audit file systems.

   The permissions that must appear on the /etc/security/audit/server-name directory and the files directory that must be created beneath it on the audit server are shown in Table 2-5.

   Table 2-5 Audit File Permissions

   Owner	Group	Permissions
   root	staff	2750

Example audit_control File Entries

When you add the dir: entries in the audit_control file, make sure the full path down to the files subdirectory is specified. The following example shows an audit_control file dir: entry for the server blinken, which will be storing its audit files on its own local disk.

# cat /etc/security/audit_control
dir:/etc/security/audit/blinken.1/files
dir:/etc/security/audit/blinken.2/files