System Administration Guide: Security Services

How to Select Audit Flags

Audit flags are defined in the /etc/security/audit_control file. The audit flags select which classes of audit records are written to the audit log.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Save a backup copy of the audit_control file.


    # cp /etc/security/audit_control /etc/security/audit_control.save
    
  3. Add new entries to the audit_control file.

    Each entry has the following format:


    title:string
    
    title

    Defines the type of line. Options are dir:, flags:, minfree:, or naflags:.

    string

    Lists specific data that is associated with the line type.

  4. Instruct the audit daemon to read the new audit_control file.

    The audit daemon stores the information internally. To use the new information, either reboot the system or type the following command:


    # audit -s
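
The procedure above, carried out by script rather than by hand, as an added example that is not part of this guide: shell helpers that validate the four documented keywords of an audit_control file, save the backup from step 2, and rewrite a flags: or naflags: class list (the kind of change the examples that follow show as finished files). The function names, the temporary file location and the sample file contents are assumptions made for the demo; on a real Solaris host the file is /etc/security/audit_control and the class names must exist in /etc/security/audit_class.

```shell
#!/bin/sh
# Added example (not from the Solaris guide). Helpers that validate and edit
# an audit_control file. Function names and the sample file are assumptions
# made for this demo; the keywords and formats are the ones the guide documents.

# validate_audit_control FILE
#   Checks every non-comment line: dir: must be an absolute path, flags: and
#   naflags: must be comma-separated class lists with no spaces (an empty
#   list is allowed), minfree: must be an integer percentage (0-100). Prints
#   one message per bad line and returns 1 if any were found.
validate_audit_control() {
    file=$1
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;
        esac
        key=${line%%:*}
        val=${line#*:}
        case $key in
            dir)
                case $val in
                    /*) ;;
                    *) echo "line $n: dir: needs an absolute path: $line"; rc=1 ;;
                esac ;;
            flags|naflags)
                case $val in
                    *' '*) echo "line $n: no spaces allowed in class list: $line"; rc=1 ;;
                    ,*|*,|*,,*) echo "line $n: malformed class list: $line"; rc=1 ;;
                esac ;;
            minfree)
                case $val in
                    ''|*[!0-9]*) echo "line $n: minfree: needs an integer percentage: $line"; rc=1 ;;
                    *) [ "$val" -le 100 ] || { echo "line $n: minfree: exceeds 100: $line"; rc=1; } ;;
                esac ;;
            *) echo "line $n: unknown keyword: $line"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# get_audit_value FILE KEYWORD
#   Prints the value of the first KEYWORD: line (empty if the list is empty).
get_audit_value() {
    sed -n "s/^$2://p" "$1" | head -n 1
}

# set_audit_classes FILE KEYWORD CLASSES
#   Saves FILE.save (step 2 of the procedure), then rewrites the flags: or
#   naflags: line with CLASSES, appending the line if the file lacks one.
#   Prints the resulting line.
set_audit_classes() {
    file=$1 key=$2 classes=$3
    case $key in
        flags|naflags) ;;
        *) echo "set_audit_classes: only flags or naflags supported" >&2; return 2 ;;
    esac
    cp "$file" "$file.save"
    if grep -q "^$key:" "$file.save"; then
        sed "s|^$key:.*|$key:$classes|" "$file.save" > "$file"
    else
        { cat "$file.save"; echo "$key:$classes"; } > "$file"
    fi
    grep "^$key:" "$file"
}

# Demo on a constructed file (not a real host's /etc/security/audit_control).
demo() {
    tmp=${TMPDIR:-/tmp}/audit_control_demo.$$
    mkdir -p "$tmp" || return 1
    ctl=$tmp/audit_control
    printf '%s\n' 'dir:/var/audit' 'flags:' 'minfree:10' 'naflags:lo' > "$ctl"
    validate_audit_control "$ctl" || return 1
    set_audit_classes "$ctl" flags lo,ex      # logins and execs for all users
    set_audit_classes "$ctl" naflags lo,na    # plus nonattributable events
    validate_audit_control "$ctl" || return 1
    cat "$ctl"
    # On a real Solaris host, finish with:  audit -s
    rm -rf "$tmp"
}

demo
```

The validator only checks the shape of each line; it does not know which class names exist on the host, so a typo such as naflags:lo,nna still passes and would only be rejected by the audit daemon when it rereads the file after audit -s. Check the class names against /etc/security/audit_class before running audit -s.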
    

Example—Changing the Location of the Audit Trail File

Lines that start with dir: define which audit file systems can be used to store audit trail files. The audit daemon fills the directories in the order listed, moving on to the next dir: entry when the current one reaches the minfree threshold. In this example, two additional locations for audit trail files are defined ahead of the default /var/audit.


# cat /etc/security/audit_control
dir:/etc/security/audit/host.1/files
dir:/etc/security/audit/host.2/files
dir:/var/audit
flags:
minfree:10
naflags:lo

Example—Changing Audit Flags for All Users

The flags line in the audit_control file defines which classes of events are audited for all users on the host. The classes are separated by commas, with no spaces, and the class names must be ones defined in /etc/security/audit_class. In this example, the events in the lo (login and logout) class are audited for all users.


# cat /etc/security/audit_control
dir:/var/audit
flags:lo
minfree:10
naflags:lo

Example—Changing the Soft Limit for Warnings

The minfree line in the audit_control file defines the minimum free-space level, as a percentage, for all audit file systems. In this example, the soft limit is set so that a warning is issued when only 10 percent of the file system is available: the audit daemon runs the /etc/security/audit_warn script with the soft argument and switches to the next dir: entry, if one is listed.


# cat /etc/security/audit_control
dir:/var/audit
flags:
minfree:10
naflags:lo

Example—Changing Auditing of Nonattributable Events

The naflags: line in the audit_control file defines which classes of events are audited when the event cannot be attributed to a user, for example a failed login attempt before any user has been identified. The classes are separated by commas, with no spaces. In this example, the na event class is added to the lo class.


# cat /etc/security/audit_control
dir:/var/audit
flags:
minfree:10
naflags:lo,na