Notifications can be generated by a failure of the security audit subsystem.
These notifications can alert auditors that the security audit system is
no longer recording auditable security events. Notifications are generated
by a failure of the auditing subsystem; they are not related to any
auditable security event or event outcome that has occurred. Notifications
triggered by an event or an event outcome are not supported.
Before you begin
Before configuring notifications, enable global security and the security
audit subsystem in your environment. You must be assigned the auditor role
to complete this task.
About this task
If a problem is experienced with the security audit subsystem, then a
notification can be generated. This is an alert that security events are
no longer being audited. Notifications can be written to the system log
file or can be sent to a specified group of users as an email. You can
configure notifications to alert the auditor of a problem using both of
these methods simultaneously. Notifications are only generated when the
Audit subsystem failure action field is set to Log warning or Terminate server.
Procedure
- Optional: Click .
- Optional: Confirm the Audit subsystem failure
action field is set to Log warning or Terminate server. If
the Audit subsystem failure action field is set to No warning, then
notifications will not be generated.
- Click .
- Under Notifications, click New.
- Enter the name that should be associated with this notification
configuration in the Notification name field.
- Select the Message log check box to specify that failure notifications
are recorded in the audit log.
- Select the email sent to notification list check box to specify that
failure notification email should be sent to the addresses listed in the
notification list.
- Enter an email address in the email address to add field. This step is
not needed if email notifications are not going to be sent.
- Enter the mail server address in the Outgoing mail (SMTP) server address
field. This step is not needed if email notifications are not going to be sent.
- Click Add >> to add the email address
and associated mail server to the email notification list.
- Repeat steps 5 through 7 for each email address you want
to specify in the email notification list.
- Click OK.
- Select the Enable monitoring check box to turn on
audit failure notifications.
- Select the notification
configuration to be used from the Monitor notification dropdown menu.
- Click OK.
Results
After completing this task, a notification will be generated if the
security auditing subsystem experiences an unrecoverable error resulting
in security events no longer being audited.
What to do next
After configuring notifications, you can analyze your audit data for
potential weaknesses in the current security infrastructure and to discover
possible security breaches that might have occurred.
Audit notifications cannot be removed using the administrative console.
To remove an audit notification, you must first run the
deleteAuditNotificationMonitorByRef or the deleteAuditNotificationMonitorByName
command. After running one of those commands, remove the audit notification
by running the deleteAuditNotification command.