Use an editor (for example, vi) to directly edit the
/etc/rbac/aud_filter file. The
Management
This section describes how to enable and disable auditing, and how to rotate audit log files.
Enabling auditing
To enable auditing, use one of the following methods:
• Enter the /sbin/init.d/auditing start command. When you do this, the following occurs:
– Reads the /etc/rc.config.d/auditing file.
– Displays events to be audited by running audevent using the AUDEVENT_ARGS flags.
– Turns on the auditing system by running audsys
– When audsys is run for the first time, the command creates the /etc/audit/audnames file using the log file names and sizes specified by PRI_AUDFILE and SEC_AUDFILE. Thereafter, each time the audsys
– Starts the audomon daemon with the AUDOMON_ARGS.
• Used to view and configure
• Entering the audsys
Disabling auditing
To disable auditing, enter the audsys
Rotating audit logs
To enable audit log rotation, run the audomon daemon. The audomon daemon monitors the capacity of the current audit trail and the file system on which the audit trail is located, by checking the FileSpaceSwitch (FSS) and AuditFileSwitch (AFS) switch points. If either switch point is reached, audit recording automatically switches to an alternative audit trail. For example, if the auditing system was started using audsys
audomon
This command has the following behaviors:
• The audomon daemon sleeps at least 1 minute between checks.
• When the size of the current audit trail reaches 1000*90% or 900 kilobytes, or the file system that contains the current audit trail has reached
• When the size of the current audit trail reaches 1000 kilobytes, or the file system that contains the current audit trail has reached 100% - 20% or 80% full, audomon switches recording data to /var/.audit/my_trail.yyyymmdd_HHMM, where yyyymmdd_HHMM is replaced by the time at which the switch happened.
• After the switch succeeds, audomon invokes the following command:
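The AFS/FSS switch-point decision described above, modelled as a small POSIX shell function so the thresholds can be checked before a trail fills up. This is an added example, not HP-UX or audomon code; the function names, the "ok/warn/switch" states and the percentage inputs are assumptions chosen to mirror the 1000 KB, 90% and 20% figures on this page.

```sh
#!/bin/sh
# Added example: model of the audomon switch points (not the HP-UX implementation).
# Arguments (kilobytes and whole percentages):
#   $1 trail_kb  current size of the audit trail
#   $2 max_kb    configured trail size (1000 on this page)
#   $3 afs_pct   AuditFileSwitch warning percentage (90 on this page)
#   $4 fs_used   percentage of the trail's file system already in use
#   $5 fss_pct   FileSpaceSwitch: minimum free space percentage (20 on this page)
# Prints "switch" when audomon would switch trails, "warn" when the AFS
# warning point is reached, and "ok" otherwise.
audit_trail_state() {
    trail_kb=$1; max_kb=$2; afs_pct=$3; fs_used=$4; fss_pct=$5
    warn_kb=$(( max_kb * afs_pct / 100 ))   # 1000*90% = 900 KB
    fs_limit=$(( 100 - fss_pct ))           # 100% - 20% = 80% full
    if [ "$trail_kb" -ge "$max_kb" ] || [ "$fs_used" -ge "$fs_limit" ]; then
        echo switch
    elif [ "$trail_kb" -ge "$warn_kb" ]; then
        echo warn
    else
        echo ok
    fi
}

# Name of the alternative trail audomon switches to: <trail>.yyyymmdd_HHMM.
# $1 is the current trail path; $2 optionally fixes the timestamp (for testing).
next_trail_name() {
    stamp=${2:-$(date +%Y%m%d_%H%M)}
    echo "$1.$stamp"
}

# Constructed sample values: a 950 KB trail on a file system that is 60% full.
audit_trail_state 950 1000 90 60 20
next_trail_name /var/.audit/my_trail
```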