In a CAPP environment, the audit trail is considered so important
that access to system resources must be denied if an audit trail
cannot be created. In this environment, it would be suggested
that /var/log/audit be on its own partition. This is to ensure
that space detection is accurate and that no other process comes
along and consumes part of it.
The flush parameter should be set to sync or data.
The max_log_file and num_logs parameters need to be adjusted so
that you get complete use of your partition. It should be noted
that the more files that have to be rotated, the longer it takes
to get back to receiving audit events. The max_log_file_action
parameter should be set to keep_logs.
The space_left parameter should be set to a number that gives the
admin enough time to react to any alert message and perform some
maintenance to free up disk space. This would typically involve
running the aureport -t report and moving the oldest logs to an
archive area.
The value of space_left is site dependent since the rate at which
events are generated varies with each deployment. The
space_left_action is recommended to be set to email. If you need
something like an snmp trap, you can use the exec option to send
one.
The admin_space_left parameter should be set to the amount of disk
space on the audit partition needed for admin actions to be
recorded. The admin_space_left_action parameter would be set to
single so that use of the machine is restricted to just the
console.
The disk_full_action is triggered when no more room exists on the
partition. All access should be terminated since no more audit
capability exists. This can be set to either single or halt.
The disk_error_action should be set to syslog, single, or halt
depending on your local policies regarding handling of hardware
malfunctions.
Specifying a single allowed client port may make it difficult for
the client to restart their audit subsystem, as it will be unable
to recreate a connection with the same host addresses and ports
until the connection closure TIME_WAIT state times out.
Auditd events are made up of one or more records. The auditd
system cannot guarantee that the set of records that make up an
event will occur atomically, that is, the stream will have
interleaved records of different events, i.e.

    event0_record0
    event1_record0
    event2_record0
    event1_record3
    event2_record1
    event1_record4
    event3_record0
The auditd system also does not guarantee that the records that
make up an event will appear in order. Thus, when processing event
streams, we need to maintain a list of events, each with its own
list of records, hence the term List of List (LOL) event
processing.
When processing an event stream we define the end of an event via
any one of the following conditions:

  - record type = AUDIT_EOE (audit end of event type record), or
  - record type = AUDIT_PROCTITLE (we note the AUDIT_PROCTITLE
    is always the last record), or
  - record type = AUDIT_KERNEL (kernel events are one record
    events), or
  - record type < AUDIT_FIRST_EVENT (only single record events
    appear before this type), or
  - record type >= AUDIT_FIRST_ANOM_MSG (only single record
    events appear after this type), or
  - record type >= AUDIT_MAC_UNLBL_ALLOW && record type <=
    AUDIT_MAC_CALIPSO_DEL (these are also one record events), or
  - for the stream being processed, the time of the event is
    over end_of_event_timeout seconds old.
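The following is an added illustration of List of List event processing over text-format audit records; it is not code from auditd itself. It keys records on the audit(timestamp:serial) field, closes an event on the AUDIT_EOE, AUDIT_PROCTITLE and AUDIT_KERNEL terminator records and on the end_of_event_timeout rule, and leaves out the numeric type-range rules; the sample records are constructed.

```python
import re
from collections import OrderedDict

# Text-format records carry the event key in msg=audit(SECONDS.MS:SERIAL).
# An optional "node=" prefix appears on records relayed by audisp-remote.
KEY_RE = re.compile(r'^(?:node=\S+ )?type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')

# Record types that are always the last record of an event (assumed names
# matching AUDIT_EOE, AUDIT_PROCTITLE and AUDIT_KERNEL in the rules above).
TERMINATORS = {"EOE", "PROCTITLE", "KERNEL"}

# Constructed sample stream: events 101 and 102 interleave, 103 is a
# single-record event with no terminator, 104 is still open at the end.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 comm="id"
type=SYSCALL msg=audit(1700000000.101:102): arch=c000003e syscall=257 success=no exit=-13 comm="cat"
type=CWD msg=audit(1700000000.101:102): cwd="/tmp"
type=EXECVE msg=audit(1700000000.100:101): argc=1 a0="id"
type=PATH msg=audit(1700000000.101:102): item=0 name="/etc/shadow" nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.100:101): proctitle="id"
type=PROCTITLE msg=audit(1700000000.101:102): proctitle="cat"
type=USER_LOGIN msg=audit(1700000000.200:103): pid=700 uid=0 auid=1000 res=success
type=SYSCALL msg=audit(1700000005.000:104): arch=c000003e syscall=2 success=yes exit=3 comm="vi"
"""

def assemble_events(lines, end_of_event_timeout=2.0):
    """Group interleaved records into events (a list of per-event record lists).

    Returns (completed, pending): completed is [(serial, records)] in the order
    events were closed; pending holds events still open when the stream ends.
    """
    open_events = OrderedDict()   # serial -> {"time": float, "records": [str]}
    completed = []
    for line in lines:
        m = KEY_RE.match(line)
        if not m:
            continue              # not an audit record; ignore it
        rtype, ts, serial = m.group(1), float(m.group(2)), int(m.group(3))
        # Timeout rule: an open event older than the newest timestamp seen in
        # the stream by more than end_of_event_timeout seconds is closed.
        for old in list(open_events):
            if ts - open_events[old]["time"] > end_of_event_timeout:
                completed.append((old, open_events.pop(old)["records"]))
        ev = open_events.setdefault(serial, {"time": ts, "records": []})
        ev["records"].append(line)
        if rtype in TERMINATORS:  # terminator record: the event is complete
            completed.append((serial, open_events.pop(serial)["records"]))
    return completed, [(s, ev["records"]) for s, ev in open_events.items()]

if __name__ == "__main__":
    done, left = assemble_events(SAMPLE.splitlines())
    for serial, records in done:
        print(f"event {serial}: {len(records)} record(s), last={records[-1].split()[0]}")
    print("still open:", [s for s, _ in left])
```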