Overview of the auditing subsystem

The purpose of auditing

An auditing facility records information about actions that may affect the security of a computer system. In particular, an auditing facility records any action by any user that may represent a breach of system security. For each action, the auditing facility records enough information about those actions to verify

the user who performed the action
the exact date and time it was performed
the success or failure of the action
the name, type, device, inode and the filesystem ID of any data object involved

The presence of auditing may also deter attempted security breaches, which can allow you to take action to contain the problem. Even if you do not detect a security breach as it occurs, you can use the audit trail to determine the extent of any security problems and to recover from them.

In most cases, security breaches are detected by patterns of usage, not by single actions. A single failed login on a terminal, for example, may indicate that a user had trouble typing a password correctly. Several failed logins on a terminal may indicate that a malicious user is trying to guess a password. To detect such patterns, you often need to record many events that are a normal part of daily activity on the system.