Novell Documentation: NetWare 6 - Protecting Audit Data on Removable Media

Protecting Audit Data on Removable Media

AUDITCON provides a mechanism for backing up old volume and container audit files to removable media (diskette, tape, and so forth) and then deleting those files from the server to free up audit space.

Procedures for backing up audit files are given in Using AUDITCON for Volume Auditing, Using AUDITCON for Container Auditing, and Using AUDITCON to Audit External Audit Trails. However, once the file is copied from the server's protected file system to removable media, you must use other means to ensure that the Trusted Computing Base audit data is not compromised. Table 4 shows the two methods available:

Table 4. Protecting Audit Data

Physical protection of removable media

You must physically protect the removable media that contain the offline files to ensure that unauthorized users (anyone except an auditor) do not read or modify the audit data.

When you no longer need an offline audit file, either overwrite the data on the removable media or destroy the media itself. Do not place media containing audit files back in rotation for use by other users.

Protection of offline data

When you use AUDITCON to create an offline audit data file, the offline audit data file contains an indicator of what the corresponding Audit File object was. When you use AUDITCON to process that offline audit data file, AUDITCON examines the Audit File object and determines whether you still have sufficient rights to see the data. If you don't, you won't be able to see the contents of the offline audit data file.

Note: This protection mechanism does not replace physical protection as the primary means of protecting offline audit data. An individual who obtains the offline audit data might disable the check performed by AUDITCON or use another utility which does not perform this check. You must not rely on this mechanism to protect your offline audit data.