Safeguard Audit Service Manual (G06.24+, H06.03+)
Specifying Auditing
Safeguard Audit Service Manual—520480-014
Example
NONE
Attempts made by the user are not recorded in the current audit file unless auditing
is specified through other audit attributes. NONE is the default value for both
AUDIT-USER-ACTION-PASS and AUDIT-USER-ACTION-FAIL.
Example
This example specifies auditing for successful and unsuccessful remote events
performed by admin.chris:
=ALTER USER admin.chris, AUDIT-USER-ACTION-PASS remote, &
=AUDIT-USER-ACTION-FAIL remote
Performance Considerations
Use of the AUDIT-USER-ACTION attributes can dramatically increase the number of
audit records. Consider these issues before using AUDIT-USER-ACTION attributes:
• Many system processes run as the super ID. Establishing AUDIT-USER-ACTION
  for the super ID can have a severe impact on system performance.
• What appears to be only one Safeguard event might actually consist of several
  underlying events that involve the Safeguard subsystem. These underlying events
  are also recorded in the audit trail whenever the subject of the event is the user
  specified by AUDIT-USER-ACTION. Consequently, a higher than expected number
  of audit records would be generated.
  For example, if a user issues a SAFECOM INFO USER command, several
  underlying events could take place on the user's behalf. The Safeguard subsystem
  might be involved in a number of these events, including:
  ° The attempt to run SAFECOM
  ° The attempt to read the command from the user's terminal
  ° The attempt to issue the INFO USER command
  ° The attempt to write the output of the command to the user's terminal
  ° Communication between SAFECOM and SPI
Shorthand for Audit Attributes
You can use a shortened form of the audit attributes under most circumstances when
you are specifying the same conditions for different audit attributes. For example,
consider this command:
=ALTER DISKFILE $home.annual.report, &
=AUDIT-MANAGE-PASS all, &
=AUDIT-MANAGE-FAIL all, &
=AUDIT-ACCESS-PASS all, &
=AUDIT-ACCESS-FAIL all