Safeguard Audit Service Manual (G06.24+, H06.03+)
Safeguard Audit Service Manual—520480-014
1 Introduction
The ability to track security-relevant events on your system is one of the most
important aspects of computer security. The Safeguard audit service allows you to
record and retrieve information about a wide range of events.
Audited events are recorded in the Safeguard audit files, collectively referred to as the
audit trail. You can retrieve information about audited events by using SAFEART, the
Safeguard audit file reduction tool.
Events Controlled by the Safeguard Subsystem
The Safeguard subsystem generates audit records for the events it controls. Although
you must specify Safeguard audit attributes to record many types of events, some
events are recorded regardless of Safeguard settings.
Safeguard Events That Must Be Specified
You specify auditing for some security-relevant events by setting audit attributes in
various Safeguard records. When specifying auditing for events, you can select local
events, remote events, or both local and remote events. These types of events must
have auditing specified to be recorded in the Safeguard audit trail:
• Attempts to authenticate users
• Attempts to access objects
• Attempts to create or manage (change, delete, or read) Safeguard protection records
• Attempts to create, change, or delete Safeguard GROUP records
• Automatic logoffs that occur if a user logs on at an already logged-on terminal
You can specify most of these events either individually or systemwide. For example,
auditing for an individual disk file is specified in the disk file's protection record, but
auditing for all disk files on the system is specified through Safeguard configuration
attributes. Systemwide settings supplement any settings specified in individual
protection records.
For a complete discussion on how to specify all types of auditing, see Section 2,
Specifying Auditing.