The major maintenance activity is the archiving of audit information. Because breaches in security are not always detected while they occur, it is recommended that all audit event log files be archived. An archived log file may prove to be valuable in analyzing a security problem. Audit event log files should not be deleted from archival media (for example, tape). If you must delete old log files to provide room for archiving newer log files, examine the old audit data very carefully before deleting it, making sure there are no unusual patterns of activity.
This section describes how to archive audit information. The audit information consists of two basic sets of data:
It is necessary to archive both sets of data; otherwise you may get misleading information if you process a log file with audit map files that do not reflect the system that generated the log file. You can archive audit information with the cpio(1) or the tcpio(1) command.
The cpio and tcpio commands archive files when you use the -o (copy out) option. The standard input is assumed to be a list of path names of the files that will be archived. The output of the command is written to standard output unless the -O option is used to specify an output file or device.
In the following example, the ls command generates a list of the audit event log files contained in the /var/audit directory. It is assumed that all the log files have the node name beowulf, so that the command ls /var/audit/*beowulf will list the names of all the log files. The following command copies all the log files to the device /dev/rmt/c0s0.
/bin/ls /var/audit/*beowulf | /bin/cpio -o -O /dev/rmt/c0s0
The following example shows use of the tcpio command to copy all of the log files to the device /dev/rmt/c0s0.
/bin/ls /var/audit/*beowulf | /bin/tcpio -o -O /dev/rmt/c0s0
In the next example, the following command copies the audit map files in the /var/audit/auditmap directory to the device /dev/rmt/c0s0. The -d option makes ls print the full path name of each map file, which is what cpio expects to read from its standard input (plain ls /var/audit/auditmap would print only the bare file names).
/bin/ls -d /var/audit/auditmap/* | /bin/cpio -o -O /dev/rmt/c0s0
The following example illustrates the use of tcpio to archive the audit map files; again, ls -d supplies the full path names.
/bin/ls -d /var/audit/auditmap/* | /bin/tcpio -o -O /dev/rmt/c0s0
For further information on the use of these commands, see cpio(1) and tcpio(1).
You should label the archival medium so that you will know the dates covered by the archived audit event log files.
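As an added example that is not part of the original documentation, the following script carries the whole procedure through in one step: it archives the log files and the audit map files together so that neither set can be archived without the other, verifies the archive's table of contents, and prints a label for the medium. The audit directory, node name and output are parameters (an assumption, so it can be tried on a scratch copy rather than /var/audit and /dev/rmt/c0s0), and the cpio -I and -O options are assumed to be available as on the page.

```shell
#!/bin/sh
# Archive the audit event log files and the audit map files together, then
# verify the archive and print a label for the medium.  Constructed example:
# the directory, node name and output are parameters so it can be tried on
# a scratch copy instead of /var/audit and /dev/rmt/c0s0.
#
# usage: sh archive_audit.sh AUDIT_DIR NODE OUTPUT
#   AUDIT_DIR  directory holding the log files and the auditmap directory
#   NODE       node name that ends the log file names (e.g. beowulf)
#   OUTPUT     archive device or file (e.g. /dev/rmt/c0s0)

archive_audit() {
    audit_dir=$1 node=$2 output=$3
    [ -d "$audit_dir/auditmap" ] || { echo "no auditmap directory in $audit_dir" >&2; return 1; }
    # cpio -o reads one path name per line from standard input.  ls -d on
    # the globs prints full path names; plain "ls DIRECTORY" would print
    # bare file names that cpio could not open.
    {
        ls -d "$audit_dir"/*"$node"
        ls -d "$audit_dir"/auditmap/*
    } | cpio -o -O "$output" 2>/dev/null || return 1

    # Verify that every log file and every map file is in the table of
    # contents; an archive missing either set gives misleading results
    # when the logs are processed later.
    toc=$(cpio -it -I "$output" 2>/dev/null) || return 1
    for f in "$audit_dir"/*"$node" "$audit_dir"/auditmap/*; do
        case "$toc" in
            *"$f"*) ;;
            *) echo "missing from archive: $f" >&2; return 1 ;;
        esac
    done
}

# Label text for the medium: the oldest and newest log file (by
# modification time, ls -tr) and the date the archive was written.
archive_label() {
    audit_dir=$1 node=$2
    oldest=$(ls -tr "$audit_dir"/*"$node" | head -n 1)
    newest=$(ls -tr "$audit_dir"/*"$node" | tail -n 1)
    echo "audit logs, node $node, oldest $(basename "$oldest"), newest $(basename "$newest"), archived $(date +%Y-%m-%d)"
}

# Run directly as: sh archive_audit.sh /var/audit beowulf /dev/rmt/c0s0
if [ $# -eq 3 ]; then
    archive_audit "$1" "$2" "$3" && archive_label "$1" "$2"
fi
```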