User's Guide
Chapter 5. Auditing Protogate Freeway Security Features User’s Guide (SFUG)
echo "#" >> /etc/security/audit_user
fi
# Start the kernel-level audit daemon.
/usr/sbin/auditd
# Add posixrules file to prevent creating unnecessary audit records
if [ -f /usr/share/zoneinfo/posixrules ]; then
echo "posixrules file exists."
else
if [ -f /read_only_mounts ]; then
mount -u -o rw /usr 2>/dev/null
fi
mkdir -p /usr/share/zoneinfo
chmod 755 /usr/share/zoneinfo
touch /usr/share/zoneinfo/posixrules
chmod 444 /usr/share/zoneinfo/posixrules
if [ -f /read_only_mounts ]; then
mount -u -o ro /usr 2>/dev/null
fi
fi
That example would cause all loggable system-level events to be written to a trail file in the /var/audit/ directory. For
a description of the format of the /etc/security/audit_user file, run man audit_user. For the available
event classes and event types, see the /etc/security/audit_class and /etc/security/audit_event files.
Once auditing is running, the root or shell user can use a command like praudit -l /var/audit/current to see
the audit entries, or praudit -l /dev/auditpipe to continually see the latest entries as they appear.
Because the /var/audit/ directory keeps accumulating system-level audit records, it would eventually fill the
filesystem it lives on, so archiving and removing old audit logs is also important. Section 5.2 shows how to
configure a Freeway to maintain the audit log files automatically, archiving them so they cannot fill a filesystem.
Another auditd configuration example is in Section 6.9. More information about auditing and auditd
configuration is available by logging into a Freeway with any user account and typing any of these commands: man
audit, man auditd, man audit_class, man audit_event, man audit_user, or man praudit.
5.2. Maintaining Audit Trail Logs
To set up a Freeway to maintain the audit files automatically, compressing and archiving each file when it becomes
full, the Freeway can use the audit_warn capability. That capability is the /etc/security/audit_warn script, which
auditd runs automatically with a warning type as its first argument. When the current system-level audit trail
reaches the size limit configured in /etc/security/audit_control, auditd closes it, opens a new one, and runs
audit_warn with the type closefile and the path of the completed file, which is the point at which the file can be
compressed and archived.
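The following is an added example of what an archiving audit_warn handler can contain; it is not code from the Protogate guide and not the stock audit_warn script. It assumes the closefile argument is the path of the closed trail (as described above), an archive directory /var/audit/archive, a retention count KEEP_ARCHIVES, and that gzip is installed; the ARCHIVE_DIR, KEEP_ARCHIVES, archive_closed_trail, prune_archives, count_archives and audit_warn_main names are the example's own. Trail file names begin with a YYYYMMDDHHMMSS timestamp, so lexical order is chronological order and the oldest archives can be pruned by name.

```sh
#!/bin/sh
# Added example audit_warn handler (not Protogate's or the stock script).
# auditd invokes it as:  audit_warn <type> [<arg>]
# For type "closefile" the argument is the trail file auditd just closed.
# Assumed layout: compressed trails go to ARCHIVE_DIR, and only the newest
# KEEP_ARCHIVES of them are kept so /var/audit cannot fill its filesystem.

ARCHIVE_DIR="${ARCHIVE_DIR:-/var/audit/archive}"   # assumed location
KEEP_ARCHIVES="${KEEP_ARCHIVES:-30}"               # assumed retention

# archive_closed_trail PATH
# gzip a closed trail into ARCHIVE_DIR with restrictive permissions, then
# remove the original only after the compressed copy is complete.
# Prints the archive path on success, returns 1 on failure.
archive_closed_trail() {
    trail="$1"
    [ -f "$trail" ] || return 1
    mkdir -p "$ARCHIVE_DIR"
    chmod 700 "$ARCHIVE_DIR"
    dest="$ARCHIVE_DIR/$(basename "$trail").gz"
    gzip -9 -c "$trail" > "$dest.tmp" && mv "$dest.tmp" "$dest" || {
        rm -f "$dest.tmp"
        return 1
    }
    chmod 400 "$dest"
    rm -f "$trail"
    echo "$dest"
}

# prune_archives
# Delete every archive beyond the KEEP_ARCHIVES newest. Names start with
# a timestamp, so reverse lexical order (ls -r) lists newest first and
# tail -n +N skips the N-1 we keep.
prune_archives() {
    ls -1r "$ARCHIVE_DIR"/*.gz 2>/dev/null \
        | tail -n +"$((KEEP_ARCHIVES + 1))" \
        | while IFS= read -r old; do
            rm -f "$old"
        done
}

# count_archives: number of compressed trails currently retained
count_archives() {
    ls -1 "$ARCHIVE_DIR"/*.gz 2>/dev/null | wc -l | tr -d ' '
}

# Dispatch on the warning type auditd passed. Only closefile carries a
# trail path; every other warning (soft, hard, allsoft, ...) is logged so
# a full or failing audit filesystem is visible in syslog.
audit_warn_main() {
    case "$1" in
        closefile)
            archive_closed_trail "$2" >/dev/null && prune_archives
            ;;
        *)
            logger -p security.warning -t audit_warn "$*"
            ;;
    esac
}

# Dispatch only when installed and run as /etc/security/audit_warn,
# not when this file is sourced to reuse its functions.
if [ "$(basename "$0")" = "audit_warn" ]; then
    audit_warn_main "$@"
fi
```

Installed as /etc/security/audit_warn (mode 500, owned by root), each rotation leaves one new .gz in the archive directory and removes the oldest beyond the retention count; the archives are read back with gzip -dc followed by praudit -l.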
Figure 5-2 shows lines which could be added to a Freeway’s
/usr/local/freeway/boot.src/rc.startsra file to archive and maintain the audit logs:
Figure 5-2. Archive the Audit Files
# The stock audit_warn is 6 lines long; the substitution is left unquoted so
# the padding BSD wc prints is stripped before the comparison.
if [ 6 = $(wc -l < /etc/security/audit_warn) ]; then
echo "#" >> /etc/security/audit_warn
16 Protogate DC-908-3004A