The /etc/default/audit file
The parameters in the
/etc/default/audit
file control certain default actions of
the auditing subsystem and log file attributes.
The
auditlog(ADM)
command may be used to override all but the
AUDIT_LOGERR
parameter.
The parameters are as follows:
AUDIT_DEFPATH-
This parameter defines the absolute pathname of either the directory
where the log file will reside or the special character
device which will serve as the log file.
The default for the distributed system is
/var/audit.
AUDIT_LOGERR-
The value of this parameter controls the action taken if there is any
error involving the auditing subsystem.
The allowable values are
DISABLE,
which disables the auditing subsystem, and
SHUTDOWN,
which shuts the computer system down.
The value for this parameter in the distributed system is
DISABLE.
AUDIT_LOGFULL-
The value of this parameter controls the action taken when
the audit event log file becomes full.
The allowable values are
DISABLE,
which disables the auditing subsystem,
SHUTDOWN,
which shuts the computer system down,
and
SWITCH,
which switches to an alternate audit event log file.
The value for this parameter in the distributed system is
DISABLE.
AUDIT_NODE-
This parameter defines the node name to be appended to the system-generated
audit event log filename.
The node name may contain up to seven characters but must not contain
a slash (/).
There is no default value for this parameter in the distributed system.
AUDIT_PGM-
This parameter defines the absolute pathname to an executable
file that will be executed
if the log full condition of
SWITCH
occurs.
The executable can be either a program or a shell script.
There is no default value for this parameter in the distributed system.
Deciding whether to use DISABLE or SHUTDOWN
The value of
SHUTDOWN
will result in a sudden loss of computer services for users of
your system; however, it will provide for the highest security.
There will always be an audit record covering all the times
when the system was in multiuser mode.
The value of
DISABLE
may result in a gap in the audit trail.
That is, there will be no audit records for the time between
the occurrence of the audit subsystem error and the next time auditing is enabled.
However, there will also be no sudden loss of service to the users of the
computer system.
Using defadm to configure the log file and audit actions
The values of the preceding parameters are set by using the
defadm(ADM)
command as follows, replacing
parameter and value with appropriate strings:
defadm audit parameter=value
For example, to set auditing to be disabled upon a log full
condition, enter the following command:
defadm audit AUDIT_LOGFULL=DISABLE
NOTE:
You can also use the
System Defaults Manager
interface to make changes to /etc/default/audit.
Be careful when using defadm
to change the values of parameters,
because the defadm command does not validate
the values specified for the parameters.
Validation of the parameters is done when auditing is enabled.
If the values of the parameters
are invalid, the auditing subsystem takes the following actions:
-
If the value for
AUDIT_LOGFULL
is invalid, a warning message is displayed and the
DISABLE
condition is set.
-
If the value for
AUDIT_LOGERR
is invalid, a warning message is displayed and the
DISABLE
condition is set.
-
If the value for
AUDIT_DEFPATH
is invalid, a warning message is displayed and
the default directory
/var/audit
is set.
-
If the value for
AUDIT_NODE
is invalid, the specified value is silently ignored, and no
default value is used.
-
If the value for
AUDIT_PGM
is invalid, the specified value is silently ignored, and no default value is used.
Next topic:
Configuring auditing with the auditlog command
Previous topic:
Configuring the /etc/default/audit file
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005