Safeguard Audit Service Manual (G06.29+, H06.08+, J06.03+)
Safeguard Audit Service Manual — 520480-031
1 Introduction
The ability to track security-relevant events on your system is one of the most 
important aspects of computer security. The Safeguard audit service allows you to 
record and retrieve information about a wide range of events.
Audited events are recorded in the Safeguard audit files, collectively referred to as the 
audit trail. You can retrieve information about audited events by using SAFEART, the 
Safeguard Audit File Reduction Tool. 
Events Controlled by the Safeguard Subsystem
The Safeguard subsystem generates audit records for the events it controls. Although 
you must specify Safeguard audit attributes to record many types of events, some 
events are recorded regardless of Safeguard settings.
Safeguard Events That Must Be Specified
You can specify auditing for some security-relevant events by setting audit attributes in 
various Safeguard records. When you specify auditing, you can select local events, 
remote events, or both. The following events must have auditing specified to be 
recorded in the Safeguard audit trail:
• Authenticating users
• Accessing objects
• Creating or managing (change, delete, or read) Safeguard protection records
• Creating, changing, or deleting Safeguard GROUP records
• Automatic logoffs that occur if you logon at a logged terminal
You can specify most of these events either individually or systemwide. For example, 
auditing for an individual disk file is specified in the disk file's protection record, but 
auditing for all disk files on the system is specified through Safeguard configuration 
attributes. Systemwide settings supplement any settings specified in individual 
protection records. 
For a complete discussion on how to specify all types of auditing, see Section 2, 
Specifying Auditing.