System Administration Guide: Security Services

Cost of Storage of Audit Data

Storage cost is the most significant cost of auditing. The amount of audit data depends on the following:

Because these factors vary from site to site, no formula can determine in advance the amount of disk space to set aside for audit data storage.

Full auditing, that is, with the all flag, fills up disks quickly. Even a simple task such as compiling a program could generate a large audit file. A program of modest size could generate thousands of audit records in less than a minute. For example, the audit trail of a program of five files and 5000 lines would occupy many megabytes of disk space. You judiciously use the preselection features to reduce the volume of records that are generated. For example, by omitting the fr class, you can reduce the audit volume by more than two-thirds. Efficient audit file management is also important. After the audit records are created, file management reduces the amount of storage that is required.

Before you configure auditing, you should understand the audit flags. You should understand the types of events that the flags audit. Develop a philosophy of auditing for your site that is based on sensible measures. Such measures include the amount of security that your site requires, and the types of users that you administer.