Default configuration settings for the auditing subsystem

The auditing subsystem will run without any customization. The default attributes are as follows:

• Auditing is enabled when the system enters multi-user state.

• Auditing is disabled when the system enters either single user or power-off state.

• The audit event log file is in the directory /var/audit, with a seven digit number as the file name.

• The auditing subsystem records only the fixed events. These events include all actions relating to the auditing subsystem itself, all attempts to change the system date, all changes relating to user and group attributes, and all changes of init states.

• There is no limit on the size of the audit event log file. The log file will continue to grow until it occupies all available space in the filesystem that contains the /var/audit directory.

• The high water mark is set to the system tunable ADT_BSIZE. This is defined in the /etc/conf/mtune.d/audit file. Audit data will be written to the current audit buffer until it is full or the next audit record exceeds the buffer size.

• The audit buffer size is set to 20480 bytes.

• The per-LWP buffer size is set to 256 bytes.

• The number of audit buffers configured is set to 2.

• When the log full condition occurs, auditing is disabled. The log full condition is met when the current audit event log file has reached its maximum size.

• When a log error condition occurs, auditing is disabled. A log error condition is met when an error occurs in the auditing subsystem.