Configure security audit subsystem failure notifications
A failure of the security audit subsystem can generate a notification that alerts auditors that the audit system is no longer recording auditable security events. These notifications are triggered only by a failure of the auditing subsystem itself; they are not tied to any audited security event or event outcome. Notifications triggered by an event or an event outcome are not supported.
Before configuring notifications, enable global security and the security audit subsystem in the environment. We must be assigned the auditor role to complete this task.
If the security audit subsystem experiences a problem, a notification can be generated to alert the auditor that security events are no longer being audited. A notification can be written to the system log file, sent as an email to a specified group of users, or both at the same time. Notifications are generated only when the Audit subsystem failure action field is set to Log warning or Terminate server.
Tasks
- Optional: Click Security > Security Auditing.
- Optional: Confirm the Audit subsystem failure action field is set to Log warning or Terminate server.
If the Audit subsystem failure action field is set to No warning, then notifications will not be generated.
- Click Security > Security Auditing > Audit monitor > Notifications > New.
- Enter the name that should be associated with this notification configuration in the Notification name field.
- Select the Message log check box to specify that failure notifications are recorded in the audit log.
- Select the Email sent to notification list check box to specify that failure notification email is sent to the addresses in the notification list.
- Enter an email address in the Email address to add field.
This step is not needed if email notifications are not going to be sent.
- Enter the mail server address in the Outgoing mail (SMTP) server address field.
This step is not needed if email notifications are not going to be sent.
- Click Add >> to add the email address and its associated mail server to the email notification list.
- Repeat the previous three steps (email address, SMTP server, Add >>) for each email address we want in the email notification list.
- Click OK.
- Select the Enable monitoring check box to turn on audit failure notifications.
- Select the notification configuration to use from the Monitor notification drop-down menu.
- Click OK.
After completing this task, a notification is generated whenever the security auditing subsystem experiences an unrecoverable error that stops security events from being audited.
What to do next
After configuring notifications, we can analyze the audit data for potential weaknesses in the current security infrastructure and for possible security breaches that might have occurred.
Audit notifications cannot be removed using the administrative console. To remove an audit notification, first run either the deleteAuditNotificationMonitorByRef or the deleteAuditNotificationMonitorByName command to remove the monitor that references it, then remove the notification itself by running the deleteAuditNotification command.
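The following wsadmin Jython script is an added example, not code from this page or from WebSphere's own documentation. It performs the console task above through scripting (create the notification, then an enabled monitor that references it) and tears it down in the order the paragraph above requires (monitor first, then notification). It refuses to create anything while the failure action is No warning, since no notification would ever fire. The command names createAuditNotification and createAuditNotificationMonitor, their parameter names, the emailList format of address:smtpServer entries joined by commas, and the policy codes WARN, FATAL and NOWARN for Log warning, Terminate server and No warning are assumptions to confirm with AdminTask.help('AuditNotificationCommands') in your own cell; the addresses and server names are constructed sample data.

```python
# Added example (not the page's or WebSphere's own code): wsadmin Jython
# script that creates an audit failure notification plus its monitor, and
# removes them in the required order (monitor before notification).
# Assumed, to be confirmed with AdminTask.help('AuditNotificationCommands'):
# command and parameter names, the -emailList format 'address:smtpServer'
# joined by commas, and the policy codes WARN / FATAL / NOWARN for the
# console's Log warning / Terminate server / No warning failure actions.
# Run inside wsadmin:  wsadmin.sh -lang jython -f audit_notify.py
# Outside wsadmin (no AdminTask object) the script performs a dry run.

# Failure actions for which the subsystem actually emits notifications.
NOTIFYING_POLICIES = {"WARN": "Log warning", "FATAL": "Terminate server"}


def build_email_list(entries):
    """Render (address, smtp_server) pairs as the assumed -emailList value.

    Each console "Add >>" click pairs one address with one mail server, so
    both halves are mandatory; a bare address would leave no server to
    deliver through.
    """
    parts = []
    for address, server in entries:
        if "@" not in address or not server:
            raise ValueError("need address and SMTP server, got %r" % ((address, server),))
        parts.append("%s:%s" % (address, server))
    return ",".join(parts)


def create_failure_notification(admin, name, entries, failure_action,
                                log_to_system_out=1):
    """Create the notification and an enabled monitor that points at it.

    admin is the wsadmin AdminTask object (or a stand-in). Refuses to run
    when the failure action is NOWARN, because the page states that no
    notification is generated in that mode. Returns (notification_ref,
    monitor_ref), the configuration IDs wsadmin hands back.
    """
    if failure_action not in NOTIFYING_POLICIES:
        raise ValueError("failure action %r never generates notifications; "
                         "set it to WARN or FATAL first" % failure_action)
    params = ["-notificationName", name,
              "-logToSystemOut", log_to_system_out and "true" or "false",
              "-sendEmail", entries and "true" or "false"]
    if entries:
        params = params + ["-emailList", build_email_list(entries)]
    notification_ref = admin.createAuditNotification(params)
    monitor_ref = admin.createAuditNotificationMonitor(
        ["-monitorName", name + "Monitor",
         "-notificationRef", notification_ref,
         "-enable", "true"])
    return notification_ref, monitor_ref


def remove_failure_notification(admin, name, notification_ref):
    """Tear down in the only order the page says works: monitor, then notification."""
    admin.deleteAuditNotificationMonitorByName(["-monitorName", name + "Monitor"])
    admin.deleteAuditNotification(["-notificationRef", notification_ref])


class DryRunAdminTask:
    """Stand-in for AdminTask: records every call and returns a fake config ref."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, command):
        def run(params=None):
            self.calls.append((command, list(params or [])))
            return "%s_1(cells/cell1|audit.xml#%s_1)" % (command, command)
        return run


try:
    _task = AdminTask          # defined only inside wsadmin
except NameError:
    _task = DryRunAdminTask()  # plain Python: dry run, nothing is changed

REFS = create_failure_notification(
    _task, "auditFailureAlert",
    [("auditor@example.com", "smtp.example.com")],  # constructed sample entry
    "WARN")
try:
    AdminConfig.save()         # persist the new configuration objects
except NameError:
    for command, params in _task.calls:
        print("%s %s" % (command, params))
```

The script avoids newer Python syntax so it also runs under the older Jython that ships with wsadmin. Call remove_failure_notification with the notification reference saved from the create step; attempting deleteAuditNotification before the monitor is gone is exactly the order the page says is not allowed.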
Subtopics
- Auditing the security infrastructure
- Enable the security auditing subsystem
- Configure security audit notifications using scripting