Trusted Solaris Audit Administration

To Handle an Audit Filesystem Overflow

    To set the audit policy so that a count of audit records is kept when the audit file systems are full, run the following as role secadmin, at label admin_low:


    $ auditconfig -setpolicy +cnt
    


Caution –

To run auditing in an evaluated configuration, you cannot have the +cnt policy turned on. It must be turned off.


    To set the audit policy so that the workstation is shut down when its audit file systems are full:


    $ auditconfig -setpolicy +ahlt
    

To set one of the above policies permanently, enter the command in the audit_startup(1M) script. See "To Set Audit Policy Permanently" for how to edit the script.


Note –

On a distributed system, the same audit policy should be applied to all workstations.
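
The caution and the note above can be checked together once the output of `auditconfig -getpolicy` has been collected from each workstation. The script below is an added example, not part of the original documentation. It assumes one input line per host in the form `<host> audit policies = <flags>` (the output format is an assumption), and the host names and helper function names are made up for illustration.

```shell
#!/bin/sh
# Added example: check collected audit policy lines for overflow-policy problems.
# Each input line is "<host> <auditconfig -getpolicy output>". The
# "audit policies = a,b" output format is an assumption; adapt the parsing
# to what your release prints.

# Constructed sample data; ws1..ws4 are made-up host names.
sample_policies() {
cat <<'EOF'
ws1 audit policies = ahlt
ws2 audit policies = ahlt,cnt
ws3 audit policies = ahlt
ws4 audit policies = none
EOF
}

# normalize "b, a" -> "a,b" so flag order and spacing do not matter
normalize() {
    printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n' | sort | paste -sd, -
}

# has_flag FLAG LIST: succeeds if FLAG is in the comma-separated LIST
has_flag() {
    case ",$2," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# check_overflow_policy EXPECTED: read host lines on stdin, print findings
check_overflow_policy() {
    expected=$(normalize "$1")
    while read -r host _w1 _w2 _eq flags; do
        [ -n "$host" ] || continue
        flags=$(normalize "$flags")
        if has_flag cnt "$flags"; then
            echo "$host: cnt is on; it must be off in an evaluated configuration"
        fi
        if [ "$flags" != "$expected" ]; then
            echo "$host: policy '$flags' differs from expected '$expected'"
        fi
    done
    return 0
}

sample_policies | check_overflow_policy ahlt
```

With the sample data, ws2 is reported twice (cnt is on, and its policy differs from the expected `ahlt`) and ws4 once; ws1 and ws3 produce no output.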