Deciding which events to audit

To determine which events to audit, start by auditing all events for a reasonable period of time (a few days, for example). At the end of that time, examine the audit event log files in detail to see the following:

• which events occur most frequently

• which events seem to reveal unusual patterns

• which events seem to give the most information about important actions at your site

• use of identification and authentication mechanisms

  The corresponding events are bad_auth, cron, login and passwd. The set_uid event, though not in the set of user identification and authentication events, also provides information on the identity of the user executing a process.

• actions of computer operators and system administrators

  The corresponding events are acct_off, acct_on, acct_sw, file_priv, lp_admin, mk_node, mount, sched_lk, sched_fp, sched_fc, sched_rt, sched_ts, setrlimit, tfadmin, ulimit, and umount. In addition, all the fixed events provide information in this area.

• production of printed output

  The corresponding event is prt_job; the cancel_job event also provides useful information in this area.

• introduction of objects into a user's address space

  The corresponding events are the interprocess communication events and the create, link, mk_dir, open_rd, open_wr, and sym_create events.

• deletion of objects from a user's address space

  The corresponding events are unlink and rm_dir.

• all security-relevant events

  The definition of a security-relevant event varies, depending on the needs of a site. Of the events not listed above, the pm_denied event and the events associated with DAC will probably be relevant to the security of most sites.

Even if you need to minimize the amount of data recorded, consider auditing the following set of events:

• All events relating to system configuration activities

• All events relating to use of privileges

• All events relating to user identification and authentication

• The set_uid event.