Controlling Auditing Costs
Because auditing consumes system resources, you must control the degree of detail that
is recorded. When you decide what to audit, consider the following costs of
Cost of increased processing time
Cost of analysis of audit data
Cost of storage of audit data
Cost of Increased Processing Time of Audit Data
The cost of increased processing time is the least significant of the costs
of auditing. The first reason is that auditing generally does not occur during
computation-intensive tasks, such as image processing, complex calculations, and so forth. The other
reason is that the cost for single-user systems is usually small enough
Cost of Analysis of Audit Data
The cost of analysis is roughly proportional to the amount of audit data
that is collected. The cost of analysis includes the time that is required
to merge and review audit records. Cost also includes the time that is
required to archive the records and keep the records in a safe
The fewer records that you generate, the less time that is required to
analyze the audit trail. Upcoming sections, Cost of Storage of Audit Data and Auditing Efficiently, describe ways to
audit efficiently. Efficient auditing reduces the amount of audit data, while still providing
enough coverage to achieve your site's security goals.
Cost of Storage of Audit Data
Storage cost is the most significant cost of auditing. The amount of audit
data depends on the following:
Because these factors vary from site to site, no formula can predetermine the
amount of disk space to set aside for audit data storage. Use
the following information as a guide:
Preselect audit classes judiciously to reduce the volume of records that are generated.
Full auditing, that is, with the all class, fills disks quickly. Even a simple task such as compiling a program could generate a large audit file. A program of modest size could generate thousands of audit records in less than a minute.
For example, by omitting the file_read audit class, fr, you can significantly reduce audit volume. By choosing to audit for failed operations only, you can at times reduce audit volume. For example, by auditing for failed file_read operations, -fr, you can generate far fewer records than by auditing for all file_read events.
Efficient audit file management is also important. After the audit records are created, file management reduces the amount of storage that is required.
Understand the audit classes
Before you configure auditing, you should understand the types of events that the classes contain. You can change the audit event-class mappings to optimize audit record collection.
Develop a philosophy of auditing for your site.
Base your philosophy on sensible measures. Such measures include the amount of traceability that your site requires, and the types of users that you administer.