IBM 10 SP1 EAL4 Benutzerhandbuch
Option
Description
Possible values
log_file
name of the log file
log_format
How to flush the data from
auditd to the log.
auditd to the log.
RAW. Only RAW is supported in this version.
priority_boost
The nice value for auditd.
Used to run auditd at a
certain priority.
flush
Method of writing data to disk. none, interval, data, sync
freq
Used when flush is
incremental, states how many
records written before a forced
flush to disk.
records written before a forced
flush to disk.
num_logs
Number of log files to use
max_log_file
Maximum log size in
megabytes.
megabytes.
max_log_file_action
Action to take when the
maximum log space is reached.
maximum log space is reached.
ignore, syslog, suspend, rotate
space_left
Low water mark
space_left_action
What action to take when low
water mark is reached
water mark is reached
ignore, syslog, suspend, single,
halt
halt
admin_space_left
High water mark
admin_space_left_actio
n
What action to take when high
water mark is reached
water mark is reached
ignore, syslog, suspend, single,
halt
halt
disk_full_action
What action to take when disk
is full
is full
ignore, syslog, suspend, single,
halt
disk_error_action
What action to take when an
error is encountered while
writing to disk.
error is encountered while
writing to disk.
Table 5-2: /etc/auditd.conf options
In addition to setting the audit filter rules, auditctl can be used to control the audit subsystem behavior in
the kernel even when auditd is running. These settings are listed in Table 5-3.
138