Administrator's Guide

1. Determine which users to audit. By default, all users are selected for auditing.
2. Determine which events or system calls to audit. Use the audevent command to
display a list of events and system calls that are currently selected for auditing.
Events and system calls can be grouped into profiles. For more information on
profiles, see Section 9.4.
3. Decide where you want to place the audit log files (audit trails) on the system. For
more information on configuring the audit log files, see Section 9.5.
4. Create a strategy to archive and back up audit files. Audit files can take up a
considerable amount of disk space and can overflow the file system partition if you
do not carefully plan file management. Use the -X option with the audomon
command to automate archiving.
For additional information about auditing system performance and administration that
can help you plan the auditing implementation, see Section 9.2.5 and Section 9.2.6.
9.2.2 Enabling Auditing
To enable auditing on the system, follow these steps:
1. Configure the users you want to audit using the userdbset command. For more
information on configuring auditing for users, see Section 9.3.
2. Configure the events you want to audit using the audevent command. For example,
to audit according to MySitePolicy, enter the following command:
# audevent -P -F -r MySitePolicy
MySitePolicy must be defined in the /etc/audit/audit_site.conf file.
Use the audevent command with no options to display a list of events and system
calls that are currently configured for auditing.
For more information on configuring auditing for events, see Section 9.4.
3. Set the audevent argument parameters in the /etc/rc.config.d/auditing
file to enable the auditing system to retain the current configuration parameters when
the system is rebooted. For example, to retain the parameters configured in step 2,
set the parameters as follows:
AUDEVENT_ARGS1="-P -F -r MySitePolicy"
4. Start the auditing system and define the audit trail(s) using the audsys command:
# audsys -n -c primary_audit_file -s 1000
For more information on configuring audit trails, see Section 9.5.1.
5. Set up the log files and log file switch parameters in the /etc/rc.config.d/auditing
file. Follow these steps:
a. Set PRI_AUDFILE to the name of the primary audit log file.
b. Set PRI_SWITCH to the maximum size of the primary audit log file (in KB), at
which audit logging switches to the auxiliary log file.
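As an added example (not part of the HP-UX guide), the following POSIX sh script checks an /etc/rc.config.d/auditing fragment for the three settings that steps 3 and 5 configure (AUDEVENT_ARGS1, PRI_AUDFILE, PRI_SWITCH) before a reboot, and optionally applies the disk-space planning rule from the planning step. It assumes the file is sourced by sh at boot as VAR="value" lines; the headroom factor of two (primary file plus an auxiliary file of the same size) is an assumed sizing, not a figure from the guide, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not the guide's own script: sanity-check an
# /etc/rc.config.d/auditing fragment so a typo does not silently leave the
# auditing system unconfigured after reboot.
# Assumptions: the file is sourced by sh (VAR="value" lines); the variable
# names are the ones the guide uses; the 2x headroom factor is assumed.

# Print the value of one VAR="value" assignment in a file (empty if unset).
# $1 = file, $2 = variable name. Quotes and spaces around '=' are tolerated.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check_audit_config FILE [FREE_KB]
# Returns 0 when every check passes, 1 otherwise; prints one line per failure.
check_audit_config() {
    file=$1
    free_kb=${2:-}
    rc=0
    args=$(cfg_get "$file" AUDEVENT_ARGS1)
    pri=$(cfg_get "$file" PRI_AUDFILE)
    sw=$(cfg_get "$file" PRI_SWITCH)

    # Step 3: the boot-time audevent arguments must name a policy with -r.
    case "$args" in
        *-r*) ;;
        *) echo "AUDEVENT_ARGS1 has no -r policy argument: '$args'"; rc=1 ;;
    esac

    # Step 5a: the primary audit log file must be an absolute path.
    case "$pri" in
        /*) ;;
        *) echo "PRI_AUDFILE is not an absolute path: '$pri'"; rc=1 ;;
    esac

    # Step 5b: the switch size is a positive integer number of KB.
    case "$sw" in
        ''|*[!0-9]*|0)
            echo "PRI_SWITCH must be a positive integer (KB): '$sw'"; rc=1 ;;
        *)
            # Planning step 4: when free space (KB) is supplied, require room for
            # the primary file plus an auxiliary file of the same size (assumed).
            if [ -n "$free_kb" ] && [ "$free_kb" -lt $((sw * 2)) ]; then
                echo "only ${free_kb} KB free; need at least $((sw * 2)) KB"; rc=1
            fi ;;
    esac
    return $rc
}

# Stand-alone demo on a constructed fragment (not a real system file).
demo=$(mktemp) || exit 1
cat > "$demo" <<'EOF'
AUDEVENT_ARGS1="-P -F -r MySitePolicy"
PRI_AUDFILE="/var/.audit/primary_audit_file"
PRI_SWITCH=1000
EOF
if check_audit_config "$demo" 4000; then
    echo "auditing fragment OK"
fi
rm -f "$demo"
```

Run it against a copy of the real file (and the free KB reported for the audit file's filesystem) before rebooting; a non-zero exit means the boot-time configuration would not reproduce what audevent and audsys were given interactively.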
174 Audit Administration