Configuring auditing

Specifying continuous auditing

To configure a system for continuous auditing, set the log full condition to SWITCH and establish an alternate log file. This can be done with the parameters in the /etc/default/audit file, with the auditlog command, or with both. In the simplest example, the AUDIT_LOGFULL parameter is set to SWITCH. In this case, whenever the primary log file becomes full, the auditing subsystem creates a new audit event log file in the directory specified by the value of the AUDIT_DEFPATH parameter. If the AUDIT_NODE parameter has a value, the node name is appended to the name of the new audit event log file. It is important to note that if the size of the primary log file is not limited by the -x option of the auditlog command, the auditing subsystem will not be able to open a new file in this directory. In addition, if you want to run a program every time a log switch occurs, specify the pathname of that program with the AUDIT_PGM parameter.
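
The following is an added example, not part of the SCO manual: a POSIX sh check that an /etc/default/audit-style file is consistent with the continuous-auditing setup described above. It assumes the file uses NAME=value lines (the usual /etc/default convention); the parameter names come from this page, while the sample files, paths and node name are constructed for the example.

```shell
# Added example (not SCO's own code): validate continuous-auditing settings.
# Assumes NAME=value lines as in /etc/default files; sample values are constructed.

audit_param() {
    # audit_param FILE NAME -> prints the value of NAME (last one wins), empty if unset
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

check_continuous_audit() {
    # Returns 0 when FILE is set up for continuous auditing, 1 otherwise.
    # Checks: AUDIT_LOGFULL must be SWITCH, AUDIT_DEFPATH must be an existing
    # directory for the switched-to log, and AUDIT_PGM (if set) must be executable.
    file=$1
    logfull=$(audit_param "$file" AUDIT_LOGFULL)
    defpath=$(audit_param "$file" AUDIT_DEFPATH)
    pgm=$(audit_param "$file" AUDIT_PGM)
    rc=0
    if [ "$logfull" != "SWITCH" ]; then
        echo "AUDIT_LOGFULL is '$logfull', expected SWITCH" >&2
        rc=1
    fi
    if [ -z "$defpath" ] || [ ! -d "$defpath" ]; then
        echo "AUDIT_DEFPATH '$defpath' is not an existing directory" >&2
        rc=1
    fi
    if [ -n "$pgm" ] && [ ! -x "$pgm" ]; then
        echo "AUDIT_PGM '$pgm' is not executable" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample files in a temporary directory (not the real system config).
AUDIT_TMP=$(mktemp -d)
mkdir -p "$AUDIT_TMP/auditlogs"
cat > "$AUDIT_TMP/audit.good" <<EOF
AUDIT_LOGFULL=SWITCH
AUDIT_DEFPATH=$AUDIT_TMP/auditlogs
AUDIT_NODE=host1
EOF
cat > "$AUDIT_TMP/audit.bad" <<EOF
AUDIT_DEFPATH=$AUDIT_TMP/missing
EOF
```

Run check_continuous_audit against a copy of the real /etc/default/audit to see which of the three settings still needs attention before relying on log switching.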

If you have an archival storage device, such as a tape drive, that can be dedicated to receiving audit event log files, you can configure the auditing subsystem so that it automatically archives old log files and maintains continuous auditing.


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005