DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 
Maintaining the auditing system

Archiving audit information

The major maintenance activity is the archiving of audit information. Due to the fact that breaches in security are not always detected while they occur, it is recommended that all audit event log files be archived. An archived log file may prove to be valuable in analyzing a security problem. Audit event log files should not be deleted from archival media (for example, tape). If you must delete old log files to provide room for archiving newer log files, you should examine the old audit data very carefully before deleting it, making sure there are no unusual patterns of activity.

This section describes how to archive audit information. The audit information consists of two basic sets of data:

It is necessary to archive both sets of data, otherwise you may get misleading information if you process a log file with audit map files that does not reflect the system that generated the log file.

You can archive audit information with the cpio(1) or the tcpio(1) command.

The cpio and tcpio commands archive a file when you use the -o (copy out) option. The standard input is assumed to be a list of path names of files that will be archived. The output of the command is copied to standard out unless the -O option is used to specify an output file.

In the following example, the ls command generates a list of the audit event log files contained in /var/audit directory. It is assumed that all the log files have the node name beowulf, so that the command ls /var/audit/*beowulf will list the names of all the log files. The following command copies all the log files to the device /dev/rmt/c0s0.

/bin/ls /var/audit/*beowulf | /bin/cpio -o -O /dev/rmt/c0s0

The following example shows use of the tcpio command to copy all of the log files to the device /dev/rmt/c0s0.

/bin/ls /var/audit/*beowulf | /bin/tcpio -o -O /dev/rmt/c0s0

In the next example, the following command will copy the audit map files to the device /dev/rmt/c0s0.

/bin/ls /var/audit/auditmap | /bin/cpio -o -O /dev/rmt/c0s0

The following example illustrates the use of tcpio to archive the audit map files.

/bin/ls /var/audit/auditmap | /bin/tcpio -o -O /dev/rmt/c0s0

NOTE: The example above would also archive the old audit map files (audit map files that have the prefix ``o''). If you do not want the old audit map files on your archive tape, you should either remove them before creating the archive or use a file list as input to the cpio or tcpio command.

For further information on the use of these commands, see cpio(1) and tcpio(1).

You should label the archival medium so that you will know the dates covered by the archived audit event log files.

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004