Default configuration settings for the auditing subsystem
The auditing subsystem will run without any customization.
The default attributes are as follows:
- Auditing is enabled when the system enters multi-user state.
- Auditing is disabled when the system enters either single-user or power-off state.
- The audit event log file is in the directory /var/audit, with a seven-digit number as the file name.
- The auditing subsystem records only the fixed events. These events include all actions relating to the auditing subsystem itself, all attempts to change the system date, all changes relating to user and group attributes, and all changes of init states.
- There is no limit on the size of the audit event log file. The log file will continue to grow until it occupies all available space in the filesystem that contains the /var/audit directory.
- The high water mark is set to the system tunable ADT_BSIZE. This is defined in the /etc/conf/mtune.d/audit file. Audit data will be written to the current audit buffer until it is full or the next audit record exceeds the buffer size.
- The audit buffer size is set to 20480 bytes.
- The per-LWP buffer size is set to 256 bytes.
- The number of audit buffers configured is set to 2.
- When the log full condition occurs, auditing is disabled. The log full condition is met when the current audit event log file has reached its maximum size.
- When a log error condition occurs, auditing is disabled. A log error condition is met when an error occurs in the auditing subsystem.
NOTE: If the audit event log file is a regular file in the / or /var filesystem, it is possible for programs that create files in that filesystem, such as mail in the case of /var, to cause the filesystem to become full unexpectedly. Depending on the way auditing is configured, this may lead to unplanned system shutdowns or to unexpected disabling of auditing. It is recommended that the auditing subsystem have a dedicated filesystem for the audit event log files. For information on creating a filesystem, see UNRESOLVED XREF-0.
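
As an added example (not part of the SCO documentation), the following sh script checks whether the audit event log directory sits on its own filesystem, as the note above recommends, and how full that filesystem is. It assumes a POSIX df -P; the function names, status names and the 80% threshold are illustrative.

```shell
#!/bin/sh
# Added example (not from the SCO documentation). Assumes a POSIX `df -P`;
# the 80% threshold and the status names are illustrative choices.

# Constructed sample: `df -P /var/audit` where the log directory shares /var.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/root 4194304 3984589 209715 95% /var'

# Read `df -P <dir>` output on stdin; print "<mount point> <capacity>".
# Mount points containing spaces are not handled.
parse_df() {
    awk 'NR == 2 { sub(/%/, "", $5); print $6, $5 }'
}

# classify_audit_fs DIR MOUNT CAPACITY [LIMIT]
#   SHARED   DIR is not its own mount point, so other writers to that
#            filesystem (mail under /var, for instance) can fill it
#   UNKNOWN  capacity was not a number
#   NEARFULL dedicated filesystem, capacity at or above LIMIT percent
#   OK       dedicated filesystem below LIMIT
classify_audit_fs() {
    dir=$1 mount=$2 pct=$3 limit=${4:-80}
    if [ "$mount" != "$dir" ]; then
        echo SHARED
        return 0
    fi
    case $pct in
        ''|*[!0-9]*) echo UNKNOWN; return 0 ;;
    esac
    if [ "$pct" -ge "$limit" ]; then
        echo NEARFULL
    else
        echo OK
    fi
}

# check_audit_fs [DIR] [LIMIT]: run the check against the live system.
check_audit_fs() {
    adir=${1:-/var/audit}
    info=$(df -P "$adir" 2>/dev/null | parse_df)
    [ -n "$info" ] || { echo UNKNOWN; return 0; }
    classify_audit_fs "$adir" "${info% *}" "${info##* }" "${2:-80}"
}

# Demonstrate on the constructed sample, then on this host if the directory exists.
printf 'sample: %s\n' "$(classify_audit_fs /var/audit $(printf '%s\n' "$SAMPLE_DF" | parse_df))"
if [ -d /var/audit ]; then
    printf 'live:   %s\n' "$(check_audit_fs /var/audit 80)"
fi
```

A SHARED or NEARFULL result is worth alerting on, because with the default settings the log full condition disables auditing.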
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005