Configuring auditing

Specifying the type and location of the audit event log file with auditlog

The audit event log file may be either a regular file or a character special device. The value of the AUDIT_DEFPATH parameter in the /etc/default/audit file controls the default location for the log file. As distributed, the system creates the log file in the directory /var/audit. To place the log file in another directory or to use a character special device, either

For example, if you have a /sysadm filesystem for system administrators and you want to put the audit event log file in its audit directory, you would use this command:

   auditlog -P /sysadm/audit

If the argument to the -P option is not an absolute pathname to an existing directory or character special device, one of the following error messages is displayed:

   full pathname not specified
   cannot open/access path or device device

If you use a directory other than the default, make sure that the directory is properly protected. The owner of the directory should be root, the group should be audit, and the file permissions should be read, write and execute for the owner and group, with no access for other users. For example, the permissions would look like this:

   # ls -ld /sysadm/audit
   drwxrwx---   1 root   audit   17014 Dec 19 10:51 /sysadm/audit

NOTE: The -P option of auditlog(ADM) can be used only when auditing is disabled. If it is used when auditing is enabled, an error message is printed.
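The checks described above can be scripted and run before auditlog -P is called. The following is an added example, not part of the SCO documentation: check_audit_dir is a hypothetical helper name, and it parses the same ls -ld listing shown above, treating any ownership or mode other than root, audit and drwxrwx--- as a failure.

```shell
#!/bin/sh
# Added example: pre-flight check for a path to be passed to auditlog -P.
# check_audit_dir is a hypothetical helper, not an SCO utility.
# Usage: check_audit_dir PATH [OWNER] [GROUP]   (defaults: root, audit)
check_audit_dir() {
    path=$1
    want_owner=${2:-root}
    want_group=${3:-audit}

    # auditlog -P requires an absolute pathname.
    case $path in
        /*) ;;
        *)  echo "$path: not an absolute pathname" >&2; return 1 ;;
    esac

    # -P also accepts a character special device. The ownership and mode
    # guidance is given for directories, so only existence is checked here.
    if [ -c "$path" ]; then
        return 0
    fi
    if [ ! -d "$path" ]; then
        echo "$path: not an existing directory or character special device" >&2
        return 1
    fi

    # Parse the ls -ld listing: field 1 is the mode, 3 the owner, 4 the group.
    # Only the first 10 characters of the mode are kept, so a trailing ACL
    # marker printed by some ls implementations is ignored.
    listing=$(ls -ld "$path") || return 1
    mode=$(printf '%s\n' "$listing" | awk '{print substr($1, 1, 10)}')
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    group=$(printf '%s\n' "$listing" | awk '{print $4}')

    rc=0
    [ "$owner" = "$want_owner" ] ||
        { echo "$path: owner is $owner, expected $want_owner" >&2; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "$path: group is $group, expected $want_group" >&2; rc=1; }
    [ "$mode" = "drwxrwx---" ] ||
        { echo "$path: mode is $mode, expected drwxrwx---" >&2; rc=1; }
    return $rc
}

# When run as a script with arguments, check the given path.
if [ $# -gt 0 ]; then
    check_audit_dir "$@"
fi
```

A non-zero return means the directory should be corrected before it is given to auditlog -P; the optional owner and group arguments exist only so the helper can be exercised on a test directory.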


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005