Audit records are stored in audit files on a
Audit files are stored in binary format, although you can export them to XML.
The audit file system switches storage between two partitions. Audit records are stored in one partition until it becomes full, then new records are stored in the other partition. Records in a full partition can be moved to a remote location, according to the audit policy.
If audit policy or network problems impede remote storage, the system generates an alarm. You can clear space by manually transferring the files to remote storage or by deleting them. Until you clear space, new records are dropped.
Because local space is limited to 4 megabytes, the partitions fill up quickly. If you do not configure audit policy to automatically transfer files to remote storage, you will have to intervene frequently or begin to drop records. If you are unable to maintain consistent audit trails, the utility of the audit system is limited. Typically, you either set up sufficient remote space and automatic transfers or disable the audit capability.
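The following model is an added illustration, not code from this guide or from the Service Processor firmware. It shows how the two-partition switch-over behaves with and without working automatic transfer; the equal partition split, the 256-byte record size, and all class and function names are assumptions made for the example.

```python
from dataclasses import dataclass, field

LOCAL_BYTES = 4 * 1024 * 1024   # from the guide: local space is limited to 4 megabytes
PART_BYTES = LOCAL_BYTES // 2   # assumption: the two partitions are equal in size

@dataclass
class AuditStore:
    auto_transfer: bool                 # policy: move full partitions to remote storage
    used: list = field(default_factory=lambda: [0, 0])
    active: int = 0
    stored: int = 0
    dropped: int = 0
    alarm: bool = False

    def _offload(self, part, remote_up):
        """Move a full partition to remote storage, or raise the alarm if that fails."""
        if self.auto_transfer and remote_up:
            self.used[part] = 0
            self.alarm = False
        else:
            self.alarm = True

    def write(self, size, remote_up=True):
        """Store one record; return False if it had to be dropped."""
        for _ in range(3):              # active, other, then active again if emptied
            if self.used[self.active] + size <= PART_BYTES:
                self.used[self.active] += size
                self.stored += 1
                return True
            self._offload(self.active, remote_up)
            self.active = 1 - self.active
        self.dropped += 1               # both partitions full and nothing could be moved
        return False

    def clear_manually(self):
        """Administrator transfers or deletes the local files by hand."""
        self.used = [0, 0]
        self.alarm = False

def simulate(auto_transfer, phases, record_size=256):
    """phases: list of (record_count, remote_up); record_size is a constructed value."""
    store = AuditStore(auto_transfer)
    for count, remote_up in phases:
        for _ in range(count):
            store.write(record_size, remote_up)
    return store

if __name__ == "__main__":
    outage = simulate(True, [(10000, True), (20000, False), (5000, True)])
    print("stored", outage.stored, "dropped", outage.dropped, "alarm", outage.alarm)
```

With these assumed sizes the local partitions hold 16,384 records in total, so any remote-storage outage that outlasts that many events produces a gap in the audit trail.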
Audit Events

Audit events are:
■ Changes to the Service Processor configuration, for example, an IP address change
■ Any request to perform an operation on an object protected by the access control policy
■ All use of authentication
■ Tests of password strength, for example, tests done by the password command to check whether a password contains enough non-alphabetical characters
■ Modifications to the access control attributes associated with an object, for example, changes to controls on which domains a board might be in
■ Changes made to user security attributes, for example, password or privileges
■ Reading information from the audit records (including unsuccessful attempts)
■ Modifications to the audit policy
■ Actions taken due to the exceeding of an audit trail size threshold
■ Actions taken due to audit storage failure
■ Modifications made by administrators to the audit trail
66 SPARC Enterprise Mx000 Servers Administration Guide • November 2007