9.5 Securing the Cache Files

You need to protect the directory where the cache files are stored so that events aren’t tampered with. To secure the cache files, set LogCacheSecure=Always in the logevent.cfg file. Additionally, you should verify that only the appropriate rights are granted to the folder where the cache file is stored.

Each Novell Audit server platform requires different steps to protect the cache files, which are discussed below.

NetWare

To protect the cache file:

  1. Determine the location for the cache file.

    On NetWare, the default location for the cache file is sys:/etc/logcache. You can change the location of the logcache folder by using the logevent.cfg file. Consider changing the location of the cache file if the sys: volume has a limited amount of space.

  2. Use file system trustees to restrict access to the cache folder.

    On NetWare, no user objects need to have access to the cache folder.

  3. Using iManager or another management tool, set up an inherited rights filter that restricts all rights, other than Supervisor, to this folder.

    Because lcache runs on the local server, it has the access it needs to maintain this folder without any additional user rights.

It is not possible to filter the Supervisor inheritance on files in a file system. Users with Supervisor rights to sys:/system can still access the cache files. Therefore, grant Supervisor access to objects and volumes sparingly.

Windows

To protect the cache file:

  1. Determine the location for the cache file.

    The default location for the cache file is \program files\novell\nsure audit\logcache. You can change the location of the logcache folder by using the logevent.cfg file. Consider changing the location of the cache file if the System volume (the disk where Windows is installed) has a limited amount of space.

  2. Use file system trustees to restrict access to the cache folder.

    Lcache is generally started by system services, such as eDirectory or the Novell Audit log parser. SYSTEM needs to have read and write rights to the lcache folder. No other users should be granted access to this file.

Linux and Solaris

On Linux and Solaris, the default location for the cache files is /var/opt/novell/naudit/cache. The cache files are created with rw access granted only to root. You do not need to perform any additional tasks to secure the cache files.
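
A read-only check of the settings described in this section for Linux or Solaris, as an added example that is not Novell's own tooling. The function names are hypothetical, the configuration file path is passed in as an argument, and the one-setting-per-line key=value layout of logevent.cfg is an assumption.

```shell
#!/bin/sh
# Added example (not Novell code): audit the cache protections described
# above. Nothing is modified; paths are supplied by the caller.

# Succeeds only if CFG's last LogCacheSecure assignment is exactly "Always".
# Assumption: one key=value setting per line; CRLF line endings are tolerated.
cache_secure_enabled() {
    val=$(sed -n 's/^[[:space:]]*LogCacheSecure[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1)
    [ "$val" = "Always" ]
}

# Prints every entry under DIR that is not owned by OWNER, is writable by
# group or other, or (for non-directories) grants group/other any access.
loose_cache_entries() {
    find "$1" \( ! -user "$2" \
        -o -perm -020 -o -perm -002 \
        -o \( ! -type d \( -perm -040 -o -perm -010 -o -perm -004 -o -perm -001 \) \) \
        \) -print
}

# audit_cache CFG DIR [OWNER]: returns 0 only when every check passes.
# OWNER defaults to root, matching the access the page describes.
audit_cache() {
    rc=0
    if ! cache_secure_enabled "$1"; then
        echo "FAIL: LogCacheSecure=Always is not set in $1"; rc=1
    fi
    if [ ! -d "$2" ]; then
        echo "FAIL: cache directory $2 not found"; return 1
    fi
    loose=$(loose_cache_entries "$2" "${3:-root}")
    if [ -n "$loose" ]; then
        echo "FAIL: unexpected owner or group/other access on:"
        echo "$loose"; rc=1
    fi
    return $rc
}

# Usage: sh audit_cache.sh <path to logevent.cfg> /var/opt/novell/naudit/cache
if [ "$#" -ge 2 ]; then audit_cache "$@"; fi
```

Run it as root so that `find` can read the whole cache directory; a non-zero exit status means at least one check failed.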