 
Auditable events

Deciding which events to audit

To determine which events to audit, start by auditing all events for a reasonable period of time (a few days, for example). At the end of that time, examine the audit event log files in detail to see the following:

By looking at actual activity at your site, you can determine whether recording an event produces useful information. You can then decide whether you want to continue auditing those events.

Auditing subsystems for trusted computer systems are expected to be able to record a variety of different actions. These actions are listed below, along with the specific selectable events corresponding to these actions in the auditing subsystem.

Even if you need to minimize the amount of data recorded, consider auditing the following set of events:



© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005