SunSHIELD Basic Security Module Guide

The audit_control File

An audit_control file on each machine is read by the audit daemon (see the audit_control(4) man page). The audit_control file is located in the /etc/security directory. A separate audit_control file is maintained on each machine because machines in the distributed system may be mounting their audit file systems from different locations or specifying them in a different order. For example, the primary audit file system for machineA might be the secondary audit file system for machineB.

You specify four kinds of information in four kinds of lines in the audit_control file:

The administrator creates an audit_control file during the configuration process on each machine.

After the audit_control file is created during system configuration, the administrator can edit it. After a change, the administrator runs audit -s to instruct the audit daemon to reread the audit_control file.

Note -

The audit -s command does not change the preselection mask for existing processes. Use autoconfig, setaudit (see the getaudit(2) man page), or auditon for existing processes.

Sample audit_control File

Following is a sample audit_control file for the machine dopey. dopey uses two audit file systems on the audit server blinken, and a third audit file system mounted from the second audit server winken, which is used only when the audit file systems on blinken fill up or become unavailable. The minfree value of 20 percent specifies that the warning script (see the audit_warn(1M) man page) is run when the file systems are 80 percent filled and the audit data for the current machine will be stored in the next available audit directory, if any. The flags specify that all logins and administrative operations are to be audited (whether or not they succeed), and that failures of all types except failures to create a file system object are to be audited.

# Audit filesystem used when blinken fills up
dir: /etc/security/audit/winken