| |
The server is installed with auditing disabled for each volume. You must enable volume auditing to begin accumulating volume audit data.
The first time you enable auditing, AUDITCON creates an Audit File object for the volume audit trail. This Audit File object remains in place when you disable auditing.
A common usage profile is to enable auditing once, then leave auditing enabled while you configure (and reconfigure, as necessary) the specific volume events, users, directories, and files you want to audit.
Run AUDITCON at a trusted workstation.
AUDITCON displays the current server and volume in the header area at the top of the screen.
Choose the server and volume to be audited, as described in Selecting an Alternate Server and in Choosing an Alternate Volume.
To enable auditing of a volume, choose Enable volume auditing in the Available audit options menu.
This option is available only in menu 102 (when auditing is not already enabled for the volume). AUDITCON checks the volume's Audit File Link to determine whether the current volume already has an Audit File object; if so, then AUDITCON continues with Step 5.
If the volume does not have an Audit File object (for example, auditing was not previously enabled for this volume), AUDITCON creates an Audit File object in the NDS container where the volume is stored.
The name of the Audit File object is AFOid_volname, where id is a counter used if there is already an object with the desired name, and volname is the name of the volume.
For example, if the volume name is ALPHA_SYS.ACME, then the Audit File object is named AFO0_ALPHA_SYS.ACME, or if that object already exists, then AFO1_ALPHA_SYS.ACME.
NOTE: If the concept of an independent auditor (Independent Control of Different Audit Trails) is important to you, you might want to set the Access Control List and Inherited Rights Filter for the Audit File object to prevent access by administrators who are not auditors, as described in Creating the Auditor Account.
AUDITCON then builds links from the Audit File object and Volume object to each other.
As described in Controlling Access to Online Audit Data, the server gives you the Supervisor object right to the Audit File object, and the Write right to the ACL property. In addition, AUDITCON gives you Read and Write rights to the Audit File object Audit Policy property, and the Read right to the Audit Contents property. See Controlling Access to Online Audit Data for information on giving other auditors rights to the Audit File object.
AUDITCON enables auditing for the volume and returns to menu 101.
NOTE: When auditing is enabled for the first time on a volume, there are no events, files, or users selected. You should continue by using menu 497, 498, or 499 to select the desired audit events, files, and users.
When the server creates the audit file, it defines a password hash that cannot be matched by a hashed password submitted by AUDITCON. If you want to permit password-based access to the volume audit files, you must (1) set the console parameter ALLOW AUDIT PASSWORDS=ON and (2) use AUDITCON (Auditing configuration menu, Change audit password or Set audit password submenu) to set an audit password for the audit files.
| |