Trusted Solaris Audit Administration

Preventing Audit Trail Overflow

When all audit file systems for a workstation fill up, the audit_warn script sends a message to the console that the hard limit has been exceeded on all audit file systems and also sends mail to the alias. By default, the audit daemon remains in a loop sleeping and checking for space until some space is freed. All auditable actions are suspended. The audit policy ahlt is in effect.

Site security policy may permit a different solution. There are other candidates: preventing overflow and keeping a count of dropped audit records.

If your security policy requires that overflow be prevented so that no audit data is ever lost, see To Prevent Audit Trail Overflow by Planning Ahead.


Note –

The audit system can be configured to discard audit records upon overflow of the kernel audit buffer. Such a configuration does not constitute an evaluated configuration of the system, and the system should be configured to suspend upon overflow of the audit buffer.


If your security policy permits the loss of some audit data rather than suspending system activities due to audit trail overflow, you can set the auditconfig policy to drop or count records. See To Handle an Audit Filesystem Overflow for how to drop or count records.

If your security policy requires you to handle filesystem overflow by halting the affected workstation, you must bring the workstation into single-user mode. This is not a secure practice. See To Handle an Audit Filesystem Overflow for the procedure.
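The three outcomes described on this page (the default suspend-until-space-is-freed behaviour, silently dropping records, and dropping records while counting the losses) trade off availability against audit completeness. The following is an added toy model, not code from Trusted Solaris, that plays an event stream through a fixed-capacity audit trail under each policy so the trade-off can be seen in numbers. The `OverflowPolicy` names, `AuditTrail` class, `run_audit` function and its `free_per_warning` parameter are all invented for this illustration; the real daemon and the real audit_warn script are only stood in for.

```python
from enum import Enum


class OverflowPolicy(Enum):
    """Hypothetical names for the three overflow behaviours the page describes."""
    SUSPEND = "suspend"   # default: wait for space, auditable actions are suspended
    DROP = "drop"         # records that do not fit are discarded
    COUNT = "count"       # records are discarded, but the number lost is counted


class AuditTrail:
    """Fixed-capacity stand-in for the audit file systems of one workstation."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = []

    def is_full(self):
        return len(self.records) >= self.capacity

    def append(self, record):
        self.records.append(record)

    def archive(self, n):
        """Move the n oldest records off the trail (an administrator freeing space)."""
        archived, self.records = self.records[:n], self.records[n:]
        return archived


def audit_warn(warnings):
    """Stand-in for the audit_warn script: record the message instead of
    writing it to the console and mailing the alias."""
    warnings.append("hard limit exceeded on all audit file systems")


def run_audit(events, capacity, policy, free_per_warning=0):
    """Feed audit events through a trail under one overflow policy.

    free_per_warning models how many records an administrator archives in
    response to each audit_warn message (0 means nobody reacts). Returns a
    dict of counters; 'pending' is the number of auditable actions left
    hanging when the daemon sleeps forever under SUSPEND with no response."""
    trail = AuditTrail(capacity)
    warnings, archived = [], []
    stats = {"kept": 0, "dropped": 0, "suspended": 0, "pending": 0}
    queue = list(events)
    warned = False
    while queue:
        rec = queue[0]
        if not trail.is_full():
            trail.append(rec)
            stats["kept"] += 1
            queue.pop(0)
            continue
        if not warned:                      # warn once per fill, like the script
            audit_warn(warnings)
            warned = True
        if policy is OverflowPolicy.SUSPEND:
            stats["suspended"] += 1         # the action is blocked at this point
            if free_per_warning == 0:
                stats["pending"] = len(queue)
                break                       # daemon loops sleeping; nothing proceeds
            archived.extend(trail.archive(free_per_warning))
            warned = False
            continue                        # retry the same record, space now exists
        if policy is OverflowPolicy.COUNT:
            stats["dropped"] += 1           # lost, but the loss is accounted for
        queue.pop(0)                        # DROP: lost with no trace
    stats["warnings"] = len(warnings)
    stats["archived"] = len(archived)
    return stats


if __name__ == "__main__":
    # Constructed sample: ten audit events into a trail that holds four.
    sample = [f"event-{i}" for i in range(1, 11)]
    for policy in OverflowPolicy:
        print(policy.value, run_audit(sample, 4, policy, free_per_warning=2))
    print("suspend, no response", run_audit(sample, 4, OverflowPolicy.SUSPEND))
```

Under SUSPEND with an administrator who frees space every time audit_warn fires, every event is eventually kept and the only cost is the number of times actions were held up; with no response, the remaining actions hang and the count shows up as `pending`. DROP and COUNT never block, but only COUNT leaves a figure that can be reconciled against what the trail should contain.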