The techniques in this section can help you achieve your organization's security goals while auditing more efficiently:
Randomly audit only a certain percentage of users at any one time.
Reduce the disk-storage requirements for audit files by combining, reducing, and compressing the files. Develop procedures for archiving the files, for transferring the files to removable media, and for storing the files offline.
Monitor the audit data in real time for unusual behaviors. You can set up procedures to monitor the audit trail as the trail is generated for certain activities. You can write a script to trigger an automatic increase in the auditing of certain users or certain machines in response to detection of unusual events.
For example, write a script that (1) monitors the creation of audit files on all the audit file servers, and (2) processes them with the tail command. See the tail(1) man page. Pipe the output of tail -0f through the praudit command. The command yields a stream of audit records as the records are generated. This stream can be analyzed for unusual message types or other indicators, and delivered to the auditor. Or, the script can be used to trigger automatic responses.
In addition, the script should include code that (3) constantly monitors the audit directories for the appearance of new not_terminated audit files. The script should (4) also terminate outstanding tail processes when their files are no longer being written to.
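The following script is an added example of the four steps just described; it is not part of the Solaris documentation or of any shipped tool. It assumes (none of this is stated above) that audit files live under $AUDIT_DIR (default /var/audit), that open files follow the <start>.not_terminated.<host> naming convention and are renamed when closed, and that praudit's default output begins each record with a "header,..." token whose fourth comma-separated field is the event type and whose sixth is the host. The sample watch list and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation: a defender-side sketch of the
# audit-monitoring script described in the text. Assumptions (not on the page):
# audit files live under $AUDIT_DIR; open files are named <start>.not_terminated.<host>
# and renamed when closed; praudit's default output starts each record with a
# "header,..." token whose 4th comma-separated field is the event type, 6th the host.

AUDIT_DIR="${AUDIT_DIR:-/var/audit}"

# Event types worth surfacing to the auditor in real time, '|'-separated.
# Illustrative list only; tune it to the site's audit policy.
WATCH_EVENTS="${WATCH_EVENTS:-su|login - local|login - ssh}"

# Read praudit output on stdin and print one ALERT line per header record whose
# event type is in WATCH_EVENTS. All other tokens in the stream are ignored.
flag_unusual_events() {
    awk -F, -v watch="$WATCH_EVENTS" '
        BEGIN { n = split(watch, w, "|") }
        $1 == "header" {
            for (i = 1; i <= n; i++)
                if ($4 == w[i]) {
                    print "ALERT event=\"" $4 "\" host=" $6 " time=" $7
                    break
                }
        }'
}

# Same filter, but return only the number of alerts (for thresholds and tests).
count_unusual_events() {
    flag_unusual_events | wc -l | tr -d ' '
}

# Step 3: list audit files that are still being written.
find_not_terminated() {
    find "${1:-$AUDIT_DIR}" -type f -name '*.not_terminated.*' 2>/dev/null
}

# Step 2: follow one open audit file as it grows and convert it with praudit.
# tail -0f skips existing content, so only newly generated records are analyzed.
monitor_file() {
    tail -0f "$1" | praudit | flag_unusual_events
}

# Steps 1, 3 and 4 together: start a monitor for each new not_terminated file and
# stop its tail once the file has been closed (renamed, so the old path vanishes).
# Alerts go to stdout; a caller redirects them to the auditor's channel.
monitor_loop() {
    dir="${1:-$AUDIT_DIR}"
    state=$(mktemp)           # one path per line for the files being followed
    trap 'rm -f "$state" "$state.new"; pkill -f "tail -0f $dir/" 2>/dev/null; exit' INT TERM
    while :; do
        find_not_terminated "$dir" | while read -r f; do
            if ! grep -qxF -- "$f" "$state"; then
                monitor_file "$f" &
                echo "$f" >> "$state"
            fi
        done
        # Reap: a followed path that no longer exists has been terminated.
        while read -r f; do
            if [ -e "$f" ]; then
                echo "$f"
            else
                pkill -f "tail -0f $f" 2>/dev/null
            fi
        done < "$state" > "$state.new" && mv "$state.new" "$state"
        sleep "${POLL_SECONDS:-30}"
    done
}

# Only start the live loop when explicitly requested, so the functions above can
# be sourced or tested on a host without praudit.
if [ "${AUDIT_MONITOR_LIVE:-0}" = 1 ]; then
    monitor_loop "$AUDIT_DIR"
fi
```

Run it as a user with read access to the audit directory, e.g. `AUDIT_MONITOR_LIVE=1 sh audit-monitor.sh >> /var/tmp/audit-alerts.log`; the watch list and poll interval are overridable through WATCH_EVENTS and POLL_SECONDS. The reaping step relies on the rename that happens when an audit file is closed: once the not_terminated path disappears, the matching tail is killed rather than left following a file that will never grow again.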