Safeguard Audit Service Manual (G06.24+, H06.03+)

Safeguard Audit Service Manual 520480-014
3 Managing the Audit Trail
This section describes the components of the Safeguard audit trail and how to manage
them with the audit service commands.
The Safeguard audit trail consists of one or more audit pools. An audit pool is a
subvolume that contains audit files. You can define multiple audit pools, and each audit
pool can contain several individual audit files. These audit files contain records of
audited events. To manage the audit trail, you use a set of restricted audit commands
to perform these functions:
Create audit pools and define the size and location of audit files.
Select the current audit pool and, optionally, the next audit pool to be used.
Open, close, and purge audit files.
Specify audit recovery actions if access to the audit trail is interrupted.
Obtain status information.
About the Audit Trail
Audit records are written into the security audit trail as they are received by the
Safeguard audit service. The security audit trail is composed of one or more audit
pools. The term audit pool refers to a disk subvolume that contains two or more disk
files, called audit files, to which the audit records are actually written. The name of the
audit pool is the same as the name of the corresponding subvolume.
The audit service can maintain several audit pools, but only one is the currently active
audit pool. Using the SELECT command, you designate the currently active audit pool
and, optionally, select the next audit pool to be used. When you select the current audit
pool, the Safeguard software automatically begins writing audit records to the first
available file in that audit pool.
The current audit file continues to receive audit records until it is full, a NEXTFILE
command is issued, or the Safeguard subsystem is stopped and restarted. In any of
these cases, the audit service opens the next available file in the current audit pool and
begins writing records to it.
If you use the SELECT command to designate the next audit pool, the audit service
switches to that audit pool whenever the current audit pool becomes filled or
inaccessible.
The audit service automatically manages the naming of audit files. It generates
sequential file names for the files in each audit pool, beginning with A0000000. For
more information about audit file naming, the audit file structure, and audit record
formats, see Appendix A, Audit File Record Formats.
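The pool and file selection rules in the two passages above (SELECT, NEXTFILE, switching files when one fills, switching pools when the current pool is filled or inaccessible, and sequential file names from A0000000) can be exercised as a small model. The following Python is an added illustration, not Safeguard code: the second pool name $AUDIT.SAFE2, the per-pool and per-file capacities, the record strings and the `accessible` flag are constructed here, and the manual's audit recovery actions are not modelled.

```python
"""Executable model of the audit-trail rotation rules described in the manual.
Added illustration, not Safeguard code: pool names other than $SYSTEM.SAFE,
capacities and record strings are constructed so the rules run offline."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AuditPool:
    """A subvolume holding audit files; the pool name is the subvolume name.
    files_per_pool, records_per_file and accessible are constructed knobs."""
    name: str
    files_per_pool: int
    records_per_file: int
    accessible: bool = True
    next_seq: int = 0                                  # next sequential file number
    files: Dict[str, List[str]] = field(default_factory=dict)  # file name -> records

    def is_full(self) -> bool:
        return self.next_seq >= self.files_per_pool

    def open_next_file(self) -> str:
        # File names are generated sequentially, starting with A0000000.
        name = f"A{self.next_seq:07d}"
        self.next_seq += 1
        self.files[name] = []
        return name


class AuditService:
    """Minimal model of the audit service's pool and file selection."""

    def __init__(self) -> None:
        self.pools: Dict[str, AuditPool] = {}
        self.current: Optional[AuditPool] = None
        self.next_pool: Optional[AuditPool] = None
        self.current_file: Optional[str] = None
        self.unwritten = 0   # records that found no open file (no recovery action modelled)

    def add_audit_pool(self, name: str, files_per_pool: int, records_per_file: int) -> None:
        """Stands in for ADD AUDIT POOL: define a pool and its file sizes."""
        self.pools[name] = AuditPool(name, files_per_pool, records_per_file)

    def select(self, current: str, next_pool: Optional[str] = None) -> str:
        """Stands in for SELECT: designate the current pool and optionally the next;
        writing begins in the first available file of the current pool."""
        self.current = self.pools[current]
        self.next_pool = self.pools[next_pool] if next_pool else None
        self.current_file = self.current.open_next_file()
        return self.current_file

    def nextfile(self) -> Optional[str]:
        """Stands in for NEXTFILE: move on to the next available file."""
        return self._advance_file()

    def restart(self) -> Optional[str]:
        """Stopping and restarting Safeguard also moves on to the next file."""
        return self._advance_file()

    def _advance_file(self) -> Optional[str]:
        pool = self.current
        if pool is None or pool.is_full() or not pool.accessible:
            # Current pool filled or inaccessible: switch to the selected next pool, if any.
            if self.next_pool is None:
                self.current_file = None
                return None
            self.current, self.next_pool = self.next_pool, None
            pool = self.current
        self.current_file = pool.open_next_file()
        return self.current_file

    def write(self, record: str) -> bool:
        """Write one audit record, rotating files and pools as the manual describes."""
        pool, fname = self.current, self.current_file
        if pool is not None and fname is not None:
            if not pool.accessible or len(pool.files[fname]) >= pool.records_per_file:
                self._advance_file()
        if self.current_file is None:
            self.unwritten += 1
            return False
        self.current.files[self.current_file].append(record)
        return True


def run_scenario() -> dict:
    """Constructed scenario: a tiny pool on $SYSTEM.SAFE overflows into a second
    pool, then a NEXTFILE, then the current pool becomes inaccessible with no next pool."""
    svc = AuditService()
    svc.add_audit_pool("$SYSTEM.SAFE", files_per_pool=2, records_per_file=3)
    svc.add_audit_pool("$AUDIT.SAFE2", files_per_pool=2, records_per_file=3)  # constructed name
    svc.select("$SYSTEM.SAFE", next_pool="$AUDIT.SAFE2")
    for i in range(7):                       # 7 records overflow 2 files x 3 records
        svc.write(f"event-{i}")
    after_overflow = (svc.current.name, svc.current_file)
    svc.nextfile()
    svc.write("event-7")
    svc.current.accessible = False           # simulate loss of access to the current pool
    written = svc.write("event-8")
    return {
        "system_safe_files": {k: len(v) for k, v in svc.pools["$SYSTEM.SAFE"].files.items()},
        "after_overflow": after_overflow,
        "second_pool_files": svc.pools["$AUDIT.SAFE2"].files,
        "written_when_inaccessible": written,
        "unwritten": svc.unwritten,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario makes the operational point visible: once the current pool is full the service only keeps writing if a next pool was selected, and if the current pool becomes inaccessible with no next pool designated, records have nowhere to go in this model, which is the situation the audit recovery actions described in this section are meant to address.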
With one exception, security audit pools are specified by the user with the ADD AUDIT
POOL command. The exception is that the audit service creates an audit pool on
$SYSTEM.SAFE as the initial member of the audit trail. $SYSTEM.SAFE is initially