Safeguard Audit Service Manual (G06.29+, H06.08+, J06.03+)
Specifying Auditing
Safeguard Audit Service Manual — 520480-031
REMOTE
Remote attempts made by the user are recorded in the current audit file. (A remote
attempt is made by a network user logged on to a remote system.)
NONE
Attempts made by the user are not recorded in the current audit file unless auditing
is specified through other audit attributes. NONE is the default value for both
AUDIT-USER-ACTION-PASS and AUDIT-USER-ACTION-FAIL.
Example
This example specifies auditing for successful and unsuccessful remote events
performed by admin.chris:
=ALTER USER admin.chris, AUDIT-USER-ACTION-PASS remote, &
=AUDIT-USER-ACTION-FAIL remote
Performance Considerations
Use of the AUDIT-USER-ACTION attributes can dramatically increase the number of
audit records. Consider these issues before using AUDIT-USER-ACTION attributes:
• Many system processes run as the super ID. Establishing AUDIT-USER-ACTION
  for the super ID can have a severe impact on system performance.
• What appears to be only one Safeguard event might actually consist of several
  underlying events that involve the Safeguard subsystem. These underlying events
  are also recorded in the audit trail whenever the subject of the event is the user
  specified by AUDIT-USER-ACTION. Consequently, a higher than expected number
  of audit records would be generated.
  For example, if a user issues a SAFECOM INFO USER command, several
  underlying events could take place on the user's behalf. The Safeguard subsystem
  might be involved in a number of these events, including:
  ° The attempt to run SAFECOM
  ° The attempt to read the command from the user's terminal
  ° The attempt to issue the INFO USER command
  ° The attempt to write the output of the command to the user's terminal
  ° Communication between SAFECOM and SPI
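
The following is an added example, not part of the manual or of Safeguard: a small Python review of which users have AUDIT-USER-ACTION enabled, with the super ID flagged as the highest-volume case described above. The input layout, the sample users and the function names are assumptions made for illustration; ALL and LOCAL are the attribute's other values besides the REMOTE and NONE described on this page.

```python
import re

ENABLED = {"ALL", "LOCAL", "REMOTE"}   # any value other than NONE turns auditing on
SUPER_ID = "255,255"                   # user ID of the super ID

# Constructed sample in an assumed, simplified layout (not real SAFECOM output):
# a "USER <name> <group,member>" line followed by that user's attribute line.
SAMPLE = """\
USER ADMIN.CHRIS 1,12
AUDIT-USER-ACTION-PASS = REMOTE   AUDIT-USER-ACTION-FAIL = REMOTE
USER SUPER.SUPER 255,255
AUDIT-USER-ACTION-PASS = ALL      AUDIT-USER-ACTION-FAIL = NONE
USER OPS.PAT 20,4
AUDIT-USER-ACTION-PASS = NONE     AUDIT-USER-ACTION-FAIL = NONE
"""

HEADER = re.compile(r"^USER\s+(\S+)\s+(\d+,\d+)$")
ATTR = re.compile(r"AUDIT-USER-ACTION-(PASS|FAIL)\s*=\s*(\S+)")

def parse_users(text):
    """Return {user name: {"id": ..., "PASS": value, "FAIL": value}}."""
    users, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            # NONE is the documented default for both attributes.
            current = {"id": header.group(2), "PASS": "NONE", "FAIL": "NONE"}
            users[header.group(1)] = current
        elif current is not None:
            for outcome, value in ATTR.findall(line):
                current[outcome] = value.upper()
    return users

def review(users):
    """Return (severity, user, enabled outcomes); HIGH sorts before INFO."""
    findings = []
    for name, attrs in users.items():
        enabled = [o for o in ("PASS", "FAIL") if attrs[o] in ENABLED]
        if enabled:
            # Many system processes run as the super ID, so flag it hardest.
            severity = "HIGH" if attrs["id"] == SUPER_ID else "INFO"
            findings.append((severity, name, enabled))
    return sorted(findings)

if __name__ == "__main__":
    for severity, name, enabled in review(parse_users(SAMPLE)):
        print(f"{severity:4} {name:12} AUDIT-USER-ACTION on for: {', '.join(enabled)}")
```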