DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 
Configuring auditing

The /etc/default/audit file

The parameters in the /etc/default/audit file control certain default actions of the auditing subsystem and log file attributes. The auditlog(ADM) command may be used to override all but the AUDIT_LOGERR parameter. The parameters are as follows:


AUDIT_DEFPATH
This parameter defines the absolute pathname of either the directory where the log file will reside or the special character device which will serve as the log file. The default for the distributed system is /var/audit.

AUDIT_LOGERR
The value of this parameter controls the action taken if there is any error involving the auditing subsystem. The allowable values are DISABLE, which disables the auditing subsystem, and SHUTDOWN, which shuts the computer system down. The value for this parameter in the distributed system is DISABLE.

AUDIT_LOGFULL
The value of this parameter controls the action taken when the audit event log file becomes full. The allowable values are DISABLE, which disables the auditing subsystem, SHUTDOWN, which shuts the computer system down, and SWITCH, which switches to an alternate audit event log file. The value for this parameter in the distributed system is DISABLE.

AUDIT_NODE
This parameter defines the node name to be appended to the system-generated audit event log filename. The node name may contain up to seven characters but must not contain a slash (/). There is no default value for this parameter in the distributed system.

AUDIT_PGM
This parameter defines the absolute pathname to an executable file that will be executed if the log full condition of SWITCH occurs. The executable can be either a program or a shell script. There is no default value for this parameter in the distributed system.

Deciding whether to use DISABLE or SHUTDOWN

The value of SHUTDOWN will result in a sudden loss of computer services for users of your system; however, it will provide for the highest security. There will always be an audit record covering all the times when the system was in multiuser mode.

The value of DISABLE may result in a gap in the audit trail. That is, there will be no audit records for the time between the occurrence of the audit subsystem error and the next time auditing is enabled. However, there will also be no sudden loss of service to the users of the computer system.

Using defadm to configure the log file and audit actions

The values of the preceding parameters are set by using the defadm(ADM) command as follows, replacing parameter and value with appropriate strings:

defadm audit parameter=value

For example, to set auditing to be disabled upon a log full condition, enter the following command:

defadm audit AUDIT_LOGFULL=DISABLE


NOTE: You can also use the System Defaults Manager interface to make changes to /etc/default/audit.

Be careful when using defadm to change the values of parameters, because the defadm command does not validate the values specified for the parameters. Validation of the parameters is done when auditing is enabled. If the values of the parameters are invalid, the auditing subsystem takes the following actions:


Next topic: Configuring auditing with the auditlog command
Previous topic: Configuring the /etc/default/audit file

© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005