Configuring auditing

Using auditlog to specify the action when the log file is full

A log full condition is reached if one of the following occurs:

The log file is a regular file and it has reached the size specified by the -x option of the auditlog command.
The log file is a regular file and the filesystem it resides in runs out of space.
The log file is a special character device, such as a tape drive, and the device cannot hold any more data.

The auditing subsystem takes one of the following actions when a log full condition is reached:

disable auditing
shut down the computer system
switch to an alternate log file and (if desired) run a program

The action taken depends on the value of the AUDIT_LOGFULL parameter in the /etc/default/audit file. The value for this parameter in the distributed system is DISABLE (disable auditing). You can set the value of the AUDIT_LOGFULL parameter with the System Defaults Manager or the defadm(1M) command. For example, to set auditing to be disabled upon a log full condition, enter the following command:

defadm audit AUDIT_LOGFULL=DISABLE

You can override the value of the AUDIT_LOGFULL parameter with the -d, -s, -a, and -A options of the auditlog command. The -d option specifies that auditing will be disabled, the -s option specifies that the computer system will be shutdown and the -a and -A options specify a switch to an alternate log file. The ability to switch to an alternate log file, when the primary log file is full, allows for continuous auditing. Consider configuring your system to switch to an alternate log file and to execute a program when the log switch occurs. By doing so, you can create a continuous series of log files without losing any audit data. ``Specifying continuous auditing'' presents information on ways to accomplish this.

If you want the highest possible level of security and you cannot configure an alternate log, you should shut your system down when the log file becomes full.