Saturday, March 19, 2011

How to Merge Audit Files From the Audit Trail

By merging all audit files from all the audit directories, you can analyze the contents of the entire audit trail. The auditreduce command merges all the records from its input files into a single output file; once the merge is complete, the input files can be deleted. When the output file is placed in a directory that is named /etc/security/auditserver-name/files, the auditreduce command can find the output file without your having to specify the full path.
Assume a role that includes the Audit Review profile, or become superuser.
The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).

Create a directory for storing merged audit files.
# mkdir audit-trail-directory
Limit access to the directory.
# chmod 700 audit-trail-directory
# ls -la audit-trail-directory
drwx------ 3 root sys 512 May 12 11:47 .
drwxr-xr-x 4 root sys 1024 May 12 12:47 ..
Merge the audit records in the audit trail.
Change to the audit-trail-directory and merge the audit records into a single file whose name carries the suffix you specify. All directories that are listed in the dir lines of the audit_control file on the local system are merged.

# cd audit-trail-directory
# auditreduce -Uppercase-option -O suffix
The uppercase options to the auditreduce command manipulate files in the audit trail. The uppercase options include the following:
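As an added example (not from the original post), here is a small POSIX shell script that carries out the steps above with the checks a reviewer would want: the merge directory is verified to be mode 700 and owned by the caller, the suffix is validated before it is used in a file name, and the merged file is confirmed to exist and be non-empty before anyone deletes the originals. It assumes a Solaris-style auditreduce that accepts -A (all files) and -O suffix; the function and script names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a Solaris-style
# auditreduce that accepts -A (all files) and -O suffix.

# Accept only a plain token as the output-file suffix, so that it cannot
# smuggle a path component or shell metacharacters into the file name.
valid_suffix() {
    case "$1" in
        "")                 return 1 ;;
        *[!A-Za-z0-9_.-]*)  return 1 ;;
        *)                  return 0 ;;
    esac
}

# Create the directory for merged audit files and restrict it to its owner,
# then verify mode and ownership instead of trusting that chmod succeeded.
prepare_audit_trail_dir() {
    dir=$1
    [ -n "$dir" ] || return 1
    (umask 077 && mkdir -p "$dir") || return 1
    chmod 700 "$dir" || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)
    owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$mode" = "drwx------" ] || { echo "unexpected mode $mode on $dir" >&2; return 1; }
    [ "$owner" = "$(id -un)" ] || { echo "$dir is owned by $owner" >&2; return 1; }
    return 0
}

# Merge every directory named in the dir lines of audit_control into one file
# in $dir. Print the merged file's path only if it exists and is non-empty;
# until that check passes, leave the original audit files in place.
merge_audit_trail() {
    dir=$1; suffix=$2
    valid_suffix "$suffix" || { echo "bad suffix: $suffix" >&2; return 1; }
    command -v auditreduce >/dev/null 2>&1 || { echo "auditreduce not found" >&2; return 2; }
    (cd "$dir" && auditreduce -A -O "$suffix") || return 1
    merged=$(ls -t "$dir"/*."$suffix" 2>/dev/null | head -n 1)
    [ -s "$merged" ] || { echo "no merged file with suffix $suffix in $dir" >&2; return 1; }
    printf '%s\n' "$merged"
}

# Usage: sh merge_audit.sh /var/audit/merged all   (hypothetical paths)
if [ "$#" -eq 2 ]; then
    prepare_audit_trail_dir "$1" && merge_audit_trail "$1" "$2"
fi
```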
