Configuring auditing

Description of auditing tunables

The ADT_NBUF tunable

The auditing subsystem buffers the writing of audit records to the audit trail to improve performance. Instead of writing each record to the audit trail as it is completed, records are written to an audit buffer in memory, and a write to the audit trail is performed only when the buffer is full, or when the amount of data in the buffer reaches the high water mark that you set with the auditlog(ADM) command. Combining several write operations into one in this way saves time.

Each buffer you allocate takes up memory, making the kernel larger. If you do not allocate enough buffers, performance will suffer as processes wishing to write audit records must wait for buffers to be emptied and made available. Allocating too many buffers simply wastes memory, which can also hurt system performance. The default value for this parameter is 2, with a recommended range of 0 to 5.

The ADT_BSIZE tunable

This parameter controls the size of each audit buffer. If the buffer size is too small, the system will spend proportionately more time emptying audit buffers, and performance will suffer. Larger and larger buffer sizes give a diminishing improvement in performance and increase the amount of data that can be lost during a system crash. The crash(ADM) command can be used to retrieve audit data in such cases. The default size for a buffer is 20480 bytes. The recommended size range is 10240 to 20480 bytes.

The ADT_LWP_BSIZE tunable

A buffer is allocated for each light-weight process (LWP). Audit records for a particular LWP are written into its buffer, which, when full, is dumped into the audit buffers for the entire system. This second layer of buffering limits contention for the global buffers as records are being assembled.

The default size for these buffers is 256 bytes. This is just large enough to hold an audit record in most cases. Reducing the size of these buffers below 256 bytes is not recommended, as the buffers will not be large enough to hold an entire audit record, resulting in an increase in the number of writes to the global audit buffers and a consequent decrease in system performance. Because a buffer is allocated for each LWP, a large buffer size could take up a substantial amount of memory on a busy system, and so degrade performance. The size of these buffers should never exceed the size of the global audit buffers. The recommended range for the LWP buffer size is 256 to 20480 bytes.
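
The following shell function is an added example, not part of the SCO documentation. It checks a proposed set of values against the ranges given above for ADT_NBUF, ADT_BSIZE and ADT_LWP_BSIZE, including the rule that the LWP buffer must not exceed the global buffer size. The function names and the optional NLWP argument (an expected LWP count used only for the memory estimate) are assumptions; values are passed as arguments and the kernel configuration is not read or changed.

```shell
#!/bin/sh
# Added example: sanity-check proposed audit tunables against the
# documented ranges before changing them.

# in_range VALUE LOW HIGH -> exit status 0 if LOW <= VALUE <= HIGH
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_audit_tunables NBUF BSIZE LWP_BSIZE [NLWP]
# Prints one line per finding; returns 1 if any WARN or ERROR is reported.
# NLWP is a hypothetical expected LWP count (default 0) for the memory estimate.
check_audit_tunables() {
    nbuf=$1 bsize=$2 lwp=$3 nlwp=${4:-0}
    bad=0
    for v in "$nbuf" "$bsize" "$lwp" "$nlwp"; do
        case $v in
            ''|*[!0-9]*) echo "ERROR: '$v' is not a non-negative integer"; return 1 ;;
        esac
    done

    in_range "$nbuf" 0 5 || { echo "WARN: ADT_NBUF=$nbuf outside recommended 0-5"; bad=1; }
    in_range "$bsize" 10240 20480 || { echo "WARN: ADT_BSIZE=$bsize outside recommended 10240-20480"; bad=1; }
    [ "$lwp" -ge 256 ] || { echo "WARN: ADT_LWP_BSIZE=$lwp below 256, may not hold a whole record"; bad=1; }
    [ "$lwp" -le 20480 ] || { echo "WARN: ADT_LWP_BSIZE=$lwp above recommended 20480"; bad=1; }
    [ "$lwp" -le "$bsize" ] || { echo "ERROR: ADT_LWP_BSIZE=$lwp exceeds ADT_BSIZE=$bsize"; bad=1; }

    # Memory cost of each buffering layer, in bytes.
    echo "INFO: global audit buffers hold $((nbuf * bsize)) bytes in memory"
    echo "INFO: LWP audit buffers for $nlwp LWPs hold $((nlwp * lwp)) bytes"
    return $bad
}

# Constructed sample: the documented defaults with an assumed 400 LWPs.
check_audit_tunables 2 20480 256 400 || true
```
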

The ADT_NLVLS tunable

This tunable parameter is unused in this release; it is retained for compatibility with earlier releases. It is only valid when the Mandatory Access Control (MAC) feature has been installed and is running.

© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005