System Administration Guide: Security Services

How to Enable or Disable an Audit Policy

Audit policies determine the characteristics of the audit records for the local host. By default, all audit policies are disabled. You need to enable any audit policies that you want to use. For a description of each policy, see Audit Policies.

You can inspect, enable, or disable the current audit policy programmatically with the auditon() system call, or from the command line with the auditconfig command. To make an audit policy change permanent, add the auditconfig command with the policy options you want to the audit_startup script.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Review the existing audit policies.

    Ensure that you are aware of all the policies that are being used before you change any policies. The following command lists the enabled policies:

    # auditconfig -lspolicy

  3. Enable or disable the audit policy.

    # auditconfig -setpolicy flagpolicyname

    The flag and the policy name are written together as a single argument, for example +cnt.

    flag

    A flag value of + enables the policy. A flag value of - disables the policy.

    policyname

    Selects the policy to be enabled or to be disabled.

    The policy remains in effect until the next boot, or until it is changed by another auditconfig -setpolicy command.

Example—Setting the cnt Policy

When the cnt policy is set, processes are not blocked when the audit partitions become full. Audit records are discarded while the partitions are full, but the system continues to function, and the cnt policy keeps a count of the number of discarded audit records. Do not set the cnt policy if security is paramount, because events go unrecorded while the file system is full.

The following command enables the cnt policy:

# auditconfig -setpolicy +cnt

To maintain the policy across reboots, you should place the auditconfig -setpolicy +cnt command in the audit_startup file.
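The following script is an added example (not part of the guide and not Sun's own code) that ties step 3 and the audit_startup note together: it validates the flagpolicyname argument, applies it with auditconfig for the running system, and appends the same command to audit_startup only if it is not already there. The AUDITCONFIG and AUDIT_STARTUP variables are assumptions so the script can be pointed at a test stub and a scratch file; the default audit_startup path is assumed, not taken from this page.

```sh
#!/bin/sh
# Added example: apply an audit policy change now and persist it in audit_startup.
# Assumptions (not from the guide): AUDITCONFIG names the auditconfig binary and
# AUDIT_STARTUP is the audit_startup script; both are overridable for testing.
AUDITCONFIG=${AUDITCONFIG:-auditconfig}
AUDIT_STARTUP=${AUDIT_STARTUP:-/etc/security/audit_startup}

# A well-formed argument is a leading + or - followed by a policy name (e.g. +cnt).
# Returns 0 when valid, 1 otherwise.
valid_policy_arg() {
    case "$1" in
        +[a-z]*|-[a-z]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Enable or disable the policy until the next boot. Returns auditconfig's exit
# status, or 2 when the argument is malformed.
set_audit_policy() {
    valid_policy_arg "$1" || { echo "usage: set_audit_policy +policy|-policy" >&2; return 2; }
    if [ "$1" = "+cnt" ]; then
        # The guide's caveat: with cnt, records are discarded when the partitions fill.
        echo "warning: +cnt discards audit records while the audit partitions are full" >&2
    fi
    "$AUDITCONFIG" -setpolicy "$1"
}

# Make the change survive reboots by appending the command to audit_startup.
# Idempotent: an identical line already present is not added a second time.
persist_audit_policy() {
    valid_policy_arg "$1" || return 2
    line="auditconfig -setpolicy $1"
    if grep -Fxq "$line" "$AUDIT_STARTUP" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$AUDIT_STARTUP"
}

# Usage: sh audit_policy.sh +cnt   (applies the change now and persists it)
if [ "$#" -eq 1 ]; then
    set_audit_policy "$1" && persist_audit_policy "$1"
fi
```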