Passing Parameters To The Audit System - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual


| Flag | Meaning [Possible Values] | Command |
|---|---|---|
| rate_limit | Set a limit in messages per second. If the rate is not zero and it is exceeded, the action specified in the failure flag is triggered. | auditctl -r rate |
| backlog_limit | Specify the maximum number of outstanding audit buffers allowed. If all buffers are full, the action specified in the failure flag is triggered. | auditctl -b backlog |
| lost | Count the current number of lost audit messages. | |
| backlog | Count the current number of outstanding audit buffers. | |

30.4 Passing Parameters to the Audit System

Commands to control the audit system can be invoked individually from the shell using auditctl or read in a batch from a file using auditctl -R. This second method is used by the init scripts to load rules from the file /etc/audit/audit.rules after the audit daemon has been started. The rules are executed in order from top to bottom. Each of these rules would expand to a separate auditctl command. The syntax used in the rules file is the same as that used for the auditctl command.

Changes made to the running audit system by executing auditctl on the command line are not persistent across system restarts. For changes to persist, add them to the /etc/audit/audit.rules file and, if they are not currently loaded into audit, restart the audit system to load the modified rule set by using the rcauditd restart command.
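
As an added example (not part of the Novell guide), the shell functions below read a file in the audit.rules syntax and print the separate auditctl command each line expands to, plus the rate or backlog limit left in effect after the top-to-bottom load. The function names and the sample rules are constructed; the script only reads a file and never calls auditctl.

```shell
#!/bin/sh
# Added example: inspect an audit rules file offline. Function names and the
# sample rules are constructed for illustration; nothing here calls auditctl.

# Constructed sample in the syntax of /etc/audit/audit.rules.
sample_rules() {
    cat <<'EOF'
# constructed sample, not a recommended rule set
-D
-b 320

-w /etc/passwd -p wa -k identity
-r 100
-b 8192
EOF
}

# Print the auditctl command each rule line expands to, in file order.
# Blank lines and '#' comment lines are skipped.
audit_rules_expand() {
    awk '{ sub(/^[ \t]+/, "") }
         $0 == "" || /^#/ { next }
         { print "auditctl " $0 }' "$1"
}

# Print the value a flag (-b or -r) has once the whole file is loaded.
# Rules run top to bottom, so the last occurrence wins.
# Returns 1 if the flag does not appear in the file.
audit_rules_effective() {   # usage: audit_rules_effective FILE FLAG
    audit_rules_expand "$1" | awk -v flag="$2" '
        { for (i = 2; i < NF; i++) if ($i == flag) val = $(i + 1) }
        END { if (val == "") exit 1; print val }'
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_rules > "$tmp"
audit_rules_expand "$tmp"
echo "backlog_limit after load: $(audit_rules_effective "$tmp" -b)"
echo "rate_limit after load:    $(audit_rules_effective "$tmp" -r)"
rm -f "$tmp"
```

In the sample, the first -b 320 is overridden by the later -b 8192, which is easy to miss when a rules file has grown by appending lines.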