What Should I Audit?

What Should I Audit?

You can audit all system activity or certain types of activity, such as file removal or access denial. Users are tracked through the audit trail by User ID (UID) numbers. Any audited activity is associated with the UID of the person who performed that action. It is a central feature of the System Audit Trail that though the effective UID changes with the use of the su command, the SAT ID does not. All of a user's actions after logging in are audited at the original login UID.

When you select the type of activities to audit, there are still several options for auditing. For example, if you wish to monitor the removal of files, you can generate an audit record under two conditions:

when the action fails (sat_access_denied, sat_access_failed)
when the action succeeds (sat_file_crt_del, sat_file_crt_del2)

Many different types of activities take place on your trusted computer system. There are login attempts, file manipulations, use of devices (such as printers and tape drives), and administrative activity. Within this list of general activities, you may choose to audit many specific kinds of actions.

Below is a list of auditable actions with a short definition of each action and one or more of the appropriate event types that can be audited. Important actions contain a note that they should always be audited:

login and logout (sat_ae_identity)
Any login attempt, whether successful or not, should be audited. Also, an audit record should be generated when the user logs out of the system.
su (sat_check_priv, sat_ae_identity)
Whenever a user invokes the su command, whether to super-use some administrative account, such as root or another user account, the event should be audited. This is especially true for unsuccessful attempts, as they may indicate attempts at unauthorized access.
chlabel and newlabel (file_attr_write, sat_proc_own_attr_write)
Any time a user changes a MAC label on a Trusted IRIX/B system, it is wise to make an audit record of the event. (This does not happen under standard IRIX.)
password change (sat_ae_identity)
Whenever a user changes his or her password, it is wise to make an audit record of the event.
administrative activity (sat_ae_mount, sat_clock_set, sat_hostid_set, etc)
Any activity related to system administration should be carefully audited; for example, editing the /etc/fstab file.
DAC permissions change (sat_fd_attr_write, sat_file_attr_write)
When a user invokes the chmod command to change the DAC permissions on a file or the chown command to change the ownership of a file.
file creation (sat_file_crt_del, sat_file_crt_del2)
Whenever a new link, file, or directory is created.
file deletion (sat_file_crt_del, sat_file_crt_del2)
Whenever a link, file, or directory is removed.
process activity (sat_exec, sat_exit, sat_fork)
When a new process is created, forked, exited, or killed.

The audit administrator (auditor) can change the audited events by entering a new sat_select command. It is possible to change the selected event types at different times of day, by using the cron utility to execute sat_select periodically.

To tailor your auditing for your specific needs, use the sat_select or satconfig utilities.