Chapter 3. Understanding Auditing

This chapter describes the System Audit Trail for the user. There is no interface to allow users to alter or read the audit trail; it is accessible only to the audit administrator. This chapter explains what is happening within the audit system and how it applies to the ordinary user.

System Audit Trail

The System Audit Trail (SAT) is a subsystem that allows the site administrators to make a record of all system activity. The ongoing record of system activity shows general trends in system usage, and also violations of the security policy. The site administrators can monitor all system activity through the audit trail. Many different types of activity take place on a trusted computer system: login attempts, file manipulations, use of devices (such as printers and tape drives), and administrative activity. All of these activities can be logged and reviewed through the System Audit Trail.

It is vitally important to remember that the System Audit Trail does not exist to allow users to spy on one another, nor does it exist as a mechanism to entrap users. The Audit Trail exists as a means to locate intentional violations of security policy.

The Audit Trail is generated by additional code in the operating system kernel that notes specific important events, such as file creation, file changes, file removal, invocation of programs, and the login and logout events.

Audit information must be carefully gathered and protected so that actions affecting security can be traced to the responsible party. The Commercial Security Pak records the occurrences of security-relevant events in an audit log. For each event audited, the system records the date and time of the event, the initiating user, the type of event, the success or failure of the event, and the name and security classification of the files or programs used.

Most audit records are generated in the course of normal work. Even records with ominous-sounding names, such as “sat_access_denied”, happen in the course of ordinary activities. Your Auditor is not spying on your system activity, but simply guarding against an outsider attempting to damage your work.

You do not need to take any action regarding the Audit Trail. It is maintained by the system and by the Auditor at your site. The Auditing process is completely transparent to the user. It is important to recognize that when working on a trusted system, your actions are audited. You should not, however, be apprehensive or fearful of the auditing process. Its function is to protect you from others who may try to use your identity for mischief.