Audit policies determine the characteristics of the audit records for the local host. Audit policies are either enabled or disabled for a particular configuration. By default, all audit policies are disabled. You need to enable any audit policies that you want to use. For a description of each policy, see Audit Policies.
Become superuser or assume an equivalent role.
(Optional) Review the existing audit policies.
Ensure that you are aware of all the policies that are being used before you change any. The following command lists the enabled policies:
# auditconfig -lspolicy
Enable or disable the audit policy.
# auditconfig -setpolicy flagpolicyname
flag        A + enables the policy. A - disables the policy.
policyname  Selects the policy to be enabled or disabled. The flag is written directly in front of the policy name, as in +cnt.
The policy is in effect until the next boot, or until the policy is modified by the auditconfig -setpolicy command.
The cnt policy can be set so that if the audit partitions become full, then processes are not blocked. The records are discarded when the partitions are full, but the system still functions even though the auditing process is not recording the events. The cnt policy should not be set if security is paramount, since unrecorded events can occur if the file system is full.
The following command enables the cnt policy:
# auditconfig -setpolicy +cnt
For a secure site, you should enable the cnt policy in an appropriate startup file.
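The review-before-change step and the cnt discussion above can be turned into a small pre-change check. The following script is an added example and is not part of the Solaris documentation or of auditconfig itself; it assumes that auditconfig -lspolicy prints a single line of the form "audit policies = cnt,argv" (or "audit policies = none"), and the SAMPLE_LSPOLICY string is a constructed stand-in for that output so the script runs without a Solaris host. It parses the enabled policies, builds the exact auditconfig -setpolicy invocation for a given flag and policy name, and reports whether cnt is enabled, since on a system where security is paramount an enabled cnt policy means audit records can be silently discarded when the audit partitions fill.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation.
# Constructed sample standing in for the output of `auditconfig -lspolicy`
# (assumed format: "audit policies = <name>,<name>,..." or "audit policies = none").
SAMPLE_LSPOLICY='audit policies = cnt,argv'

# policy_list OUTPUT -> prints the enabled policy names, one per line
# ("none" and empty entries are dropped).
policy_list() {
    printf '%s\n' "$1" \
        | sed -n 's/^audit policies = //p' \
        | tr ',' '\n' \
        | sed '/^none$/d;/^$/d'
}

# policy_enabled OUTPUT NAME -> exit status 0 if NAME is in the enabled list.
policy_enabled() {
    policy_list "$1" | grep -qx "$2"
}

# setpolicy_cmd FLAG NAME -> prints the auditconfig command that would apply
# the change; FLAG must be + (enable) or - (disable), written directly in
# front of the policy name, as the manual page syntax requires.
setpolicy_cmd() {
    case "$1" in
        +|-) ;;
        *) echo "flag must be + or -" >&2; return 1 ;;
    esac
    printf 'auditconfig -setpolicy %s%s\n' "$1" "$2"
}

# audit_review OUTPUT -> reports the state of the cnt policy.  Returns 1 when
# cnt is enabled (a finding for a site where security is paramount) and 0
# otherwise, so the function can drive a scripted check.
audit_review() {
    if policy_enabled "$1" cnt; then
        echo "cnt is enabled: audit records are discarded when the audit partitions fill"
        echo "to disable it: $(setpolicy_cmd - cnt)"
        return 1
    fi
    echo "cnt is disabled: processes block when the audit partitions fill, no records are lost"
    return 0
}

# Run the review on the constructed sample.  A non-zero status marks a
# finding; keep the script going either way so the report is printed.
audit_review "$SAMPLE_LSPOLICY" || :
```

On a real host, replace the constructed sample with `"$(auditconfig -lspolicy)"`; the functions only read the output and print the command to run, so the change itself is still applied explicitly with auditconfig -setpolicy.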