Notifications can be generated by a failure of the security
audit subsystem. The security audit subsystem notifications can alert
auditors that the security audit system is no longer recording auditable
security events. Notifications are generated by a failure of the auditing
subsystem; they are not related to any auditable security event or
event outcome that has occurred. Notifications triggered by an event
or an event outcome are not supported.
Before you begin
Before configuring notifications, enable global security and
the security audit subsystem in your environment. You must be assigned
the auditor role to complete this task.
About this task
If a problem is experienced with the security audit subsystem,
then a notification can be generated. This is an alert that security
events are no longer being audited. Notifications can be written to
the system log file or can be sent to a specified group of users as
an email. You are able to configure notifications to alert the auditor
of a problem using both of these methods simultaneously. Notifications
are only generated when the Audit subsystem failure action field is
set to Log warning or Terminate server.
Procedure
- Optional: Click .
- Optional: Confirm the Audit subsystem failure
action field is set to Log warning or Terminate server. If
the Audit subsystem failure action field is set to No warning, then
notifications will not be generated.
- Click .
- Under Notifications, click New.
- Enter the name that should be associated with this notification
configuration in the Notification name field.
- Select the Message log check box to specify that failure
notifications are recorded in the audit log.
- Select the email sent to notification list check box to
specify that failure notification email should be sent to the addresses
listed in the notification list.
- Enter an email address in the email address to add field. This
step is not needed if email notifications are not going to be sent.
- Enter the mail server address in the Outgoing mail (SMTP)
server address field. This step is not needed if email notifications
are not going to be sent.
- Click Add >> to add the email address and
associated mail server to the email notification list.
- Repeat steps 5 through 7 for each email address you want
to specify in the email notification list.
- Click OK.
- Select the Enable monitoring check box to turn on audit
failure notifications.
- Select the notification configuration to be used from the
Monitor notification dropdown menu.
- Click OK.
Results
After completing this task, a notification will be generated
if the security auditing subsystem experiences an unrecoverable error
resulting in security events no longer being audited.
What to do next
After configuring notifications, you can analyze your
audit data for potential weaknesses in the current security infrastructure
and to discover possible security breaches that might have occurred.
Audit notifications cannot be removed using the administrative console.
To remove an audit notification, you must first run the deleteAuditNotificationMonitorByRef
or the deleteAuditNotificationMonitorByName command. After running
one of those commands, remove the audit notification by running the
deleteAuditNotification command.