HP UX 11i Role-based Access Control (RBAC) Software manual Monitoring Audit Files

Models: UX 11i Role-based Access Control (RBAC) Software


1. Configure the users you want to audit using the userdbset command. For more information on configuring auditing for users, refer to “Auditing Users”.

2. Configure the events you want to audit using the audevent command. For example, to configure the admin, login, and moddac events for auditing, enter the following command:

# audevent -P -F -e admin -e login -e moddac

Use the audevent command with no options to display a list of events and system calls that are currently configured for auditing.

For more information on configuring auditing for events, refer to “Auditing Events”.

3. Set the audevent argument parameters in the /etc/rc.config.d/auditing file to enable the auditing system to retain the current configuration parameters when the system is rebooted. For example, to retain the parameters configured in step 2, set the parameters as follows:

AUDEVENT_ARGS1="-P -F -e admin -e login -e moddac"

4. Start the auditing system and define the log files using the audsys command. For example:

# audsys -n -c primary_audit_file -s 1000

5. Set up your log files and log file switch parameters in the /etc/rc.config.d/auditing file. Follow these steps:

a. Set PRI_AUDFILE to the name of your primary audit log file.

b. Set PRI_SWITCH to the maximum size of your primary audit log file (in KB), at which audit logging switches to the auxiliary log file.

c. Set SEC_AUDFILE to the name of your auxiliary log file.

d. Set SEC_SWITCH to the maximum size of your secondary audit log file (in KB).

For more information about setting up primary and auxiliary audit log files, refer to “Audit Log Files”.

6. Set the AUDIT flag to 1 in the /etc/rc.config.d/auditing file to enable the auditing system to retain the current event configuration when the system is rebooted.
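As an added example (not from the HP manual), the following POSIX shell function checks a copy of the auditing file against what steps 3, 5 and 6 ask for. The function names, the sample paths and values, the distinct-file check, and accepting either AUDIT or AUDITING as the spelling of the flag variable are assumptions.

```shell
#!/bin/sh
# Added example: lint an auditing config file against steps 3, 5 and 6.
# The file is read as text, never sourced, so nothing in it is executed.

# get_var FILE NAME: print the value of the last NAME=... line, unquoted.
get_var() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# check_audit_config FILE EVENT...: exit status is the number of problems.
check_audit_config() {
    cfg=$1; shift; problems=0
    [ -r "$cfg" ] || { fail "cannot read $cfg"; return 1; }
    # Step 3: each audited event must be kept across reboots in AUDEVENT_ARGS1.
    args=$(get_var "$cfg" AUDEVENT_ARGS1)
    for ev in "$@"; do
        case " $args " in
            *" -e $ev "*) ;;
            *) fail "AUDEVENT_ARGS1 does not select event '$ev'" ;;
        esac
    done
    # Step 5: both log files named and distinct, switch sizes numeric (KB).
    pri=$(get_var "$cfg" PRI_AUDFILE); sec=$(get_var "$cfg" SEC_AUDFILE)
    [ -n "$pri" ] || fail "PRI_AUDFILE is not set"
    [ -n "$sec" ] || fail "SEC_AUDFILE is not set"
    if [ -n "$pri" ] && [ "$pri" = "$sec" ]; then fail "primary and auxiliary log are the same file"; fi
    for v in PRI_SWITCH SEC_SWITCH; do
        case "$(get_var "$cfg" "$v")" in
            ''|*[!0-9]*|0) fail "$v must be a positive size in KB" ;;
        esac
    done
    # Step 6: flag must be 1; looking it up as AUDIT or AUDITING is an assumption.
    flag=$(get_var "$cfg" AUDIT); [ -n "$flag" ] || flag=$(get_var "$cfg" AUDITING)
    [ "$flag" = 1 ] || fail "audit flag is '${flag:-unset}', expected 1"
    return "$problems"
}

# Constructed sample: moddac is missing and SEC_SWITCH is not numeric.
sample=$(mktemp)
printf '%s\n' 'AUDIT=1' 'PRI_AUDFILE=/var/audit/log1' 'PRI_SWITCH=1000' 'SEC_SWITCH=1MB' \
    'SEC_AUDFILE=/var/audit/log2' 'AUDEVENT_ARGS1="-P -F -e admin -e login"' > "$sample"
check_audit_config "$sample" admin login moddac || echo "$? problem(s) found"
rm -f "$sample"
```

Run it against a copy of /etc/rc.config.d/auditing with the same event names you passed to audevent in step 2.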

Step 3: Monitoring Audit Files

To view, monitor, and administer your audit files, follow these steps:

1. View the audit log files with the audisp command:

# audisp audit_file

Refer to “Viewing Audit Logs” for details on using the audisp command.

2. Monitor the sizes of the log files with the audomon command:

# audomon -p 20 -t 1 -w 90

The audomon command also monitors the capacity of the file system on which the audit file is located. The audomon command takes the following arguments:

-p fss

The minimum percentage of space left on the file system that contains the primary audit log file before the auditing system switches to the auxiliary log file. The default fss value is 20%.

-t sp_freq

The minimum wakeup interval, in minutes, at which the system prints warning messages for audit log file switch points on the console. The default sp_freq value is 1 minute.

-w warning

The percentage of audit log file space used or minimum file system free space used after which warning messages are sent to the console. The default warning value is 90%.

Refer to audomon(1M) for more information.

76 Standard Mode Security Extensions
