Configuring auditing

Configuring auditing

This topic describes how to tailor auditing subsystem configuration to meet the requirements of your site. In general, there are four main steps in configuring the auditing subsystem:

Selecting the events to be audited.
Configuring the audit event log file.
Setting tunable parameters.
Editing the /etc/init.d/audit script to add your site-dependent audit configuration.

The remainder of this topic deribes:

Default auditing configuration settings.
Setting auditing tunable parameters.
Setting audit event log file characteristics with the auditlog(1M) command.
Setting audit criteria with the auditset(1M), useradd(1M), and usermod(1M) commands
Starting auditing with the auditon(1M) command.
Stopping auditing with the auditoff(1M) command.
Using the /etc/init.d/audit file.