log_file = path_to_separate_partition/audit.log
log_format = RAW
priority_boost = 4
flush = SYNC ### or DATA
freq = 20
num_logs = 4
dispatcher = /usr/sbin/audispd
disp_qos = lossy
max_log_file = 5
max_log_file_action = KEEP_LOGS
space_left = 75
space_left_action = EMAIL
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SINGLE ### or HALT
disk_full_action = SUSPEND ### or HALT
disk_error_action = SUSPEND ### or HALT

The ### marks comments that show where you can choose between several options. Do not add these comments to your actual configuration file.

TIP: For More Information
Refer to Section 30.2, "Configuring the Audit Daemon" (page 339) for detailed background information about the auditd.conf configuration parameters.
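The following is an added example, not code from the SUSE guide, that parses an auditd.conf fragment and flags the settings that let audit records be lost silently: a placeholder log_file path, flush = NONE, max_log_file_action = SUSPEND, and any of the disk-condition actions set to IGNORE (IGNORE, NONE and SUSPEND are valid auditd.conf values alongside the ones shown above). Both configurations in the block are constructed: the first mirrors the example above, the second is the same file with weakened choices. The parser drops anything after a '#' so the "### or ..." hints can be fed to it unchanged; a real auditd.conf only supports full-line comments, which is why the hints must not be copied into it.

```python
"""Parse an auditd.conf fragment and flag values that let audit records be
lost silently.  Added example, not code from the SUSE guide.  The two
configurations below are constructed: the first mirrors the guide's example,
the second is the same file with weakened choices."""

# Constructed: the guide's example values, with the "### or ..." hints kept
# so the parser can be seen to discard them (a real auditd.conf must not
# contain them).
HARDENED_CONF = """\
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 4
flush = SYNC ### or DATA
freq = 20
num_logs = 4
dispatcher = /usr/sbin/audispd
disp_qos = lossy
max_log_file = 5
max_log_file_action = KEEP_LOGS
space_left = 75
space_left_action = EMAIL
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SINGLE ### or HALT
disk_full_action = SUSPEND ### or HALT
disk_error_action = SUSPEND ### or HALT
"""

# Constructed: the same file with choices that lose or drop records.
WEAK_CONF = """\
log_file = path_to_separate_partition/audit.log
log_format = RAW
flush = NONE
max_log_file = 5
max_log_file_action = SUSPEND
space_left = 75
space_left_action = IGNORE
admin_space_left = 50
admin_space_left_action = IGNORE
disk_full_action = IGNORE
disk_error_action = IGNORE
"""

# Settings whose "ignore" value means auditd takes no action when the log
# volume runs low, fills up, or fails.
DISK_ACTIONS = ("space_left_action", "admin_space_left_action",
                "disk_full_action", "disk_error_action")


def parse_auditd_conf(text):
    """Return {key: value} with keys and values lower-cased.  Anything after
    a '#' is treated as a comment so the documentation hints are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().lower()
    return settings


def check_auditd_conf(settings):
    """Return a list of (key, value, reason) findings; an empty list means no
    obvious log-loss setting was found."""
    findings = []
    log_file = settings.get("log_file", "")
    if not log_file.startswith("/"):
        findings.append(("log_file", log_file,
                         "not an absolute path; looks like an unedited placeholder"))
    if settings.get("flush") == "none":
        findings.append(("flush", "none",
                         "records sit in auditd's buffer; a crash loses them"))
    if settings.get("max_log_file_action") == "suspend":
        findings.append(("max_log_file_action", "suspend",
                         "logging to disk stops once the file reaches max_log_file"))
    for key in DISK_ACTIONS:
        if settings.get(key) == "ignore":
            findings.append((key, "ignore",
                             "no action when the audit volume is low, full or failing"))
    return findings


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        problems = check_auditd_conf(parse_auditd_conf(conf))
        print(f"{label}: {len(problems)} finding(s)")
        for key, value, reason in problems:
            print(f"  {key} = {value}: {reason}")
```

Running the block reports no findings for the hardened file and seven for the weak one. The checker deliberately stays within what auditd.conf itself expresses; whether log_file really sits on a separate partition has to be verified on the host, not from the file.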
31.3 Enabling Audit for System Calls

A standard SUSE Linux Enterprise Desktop system has auditd running by default. There are different levels of auditing activity available:

Basic Logging
Out of the box, without any further configuration, auditd logs only events concerning its own configuration changes to /var/log/audit/audit.log. No events (file access, system call, etc.) are generated by the kernel audit component until requested by auditctl. However, other kernel components and modules may log audit events outside the control of auditctl, and these appear in the audit log. By default, the only module that generates audit events is Novell AppArmor.

Advanced Logging with System Call Auditing
To audit system calls and get meaningful file watches, you need to enable audit contexts for system calls.
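To make the difference between basic and system call logging concrete, here is an added example (not from the SUSE guide) that groups RAW-format audit.log records into events and picks out what a file watch produces once system call auditing is active. The log lines in the block are constructed to follow auditd's RAW layout (type=..., msg=audit(timestamp:serial): key=value ...): the first two are the kind of record basic logging produces (the daemon starting and a rule being added), the last three are one system call event whose SYSCALL, CWD and PATH records share a serial number. The field names and values are illustrative, not captured from a real host.

```python
"""Group RAW-format audit.log records into events and report the system call
events that a file watch produces.  Added example, not from the SUSE guide;
the log lines below are constructed to look like auditd RAW output."""
import re
from collections import OrderedDict

# Constructed sample: basic logging yields only daemon/config records; a
# file watch yields SYSCALL + CWD + PATH records sharing one serial (43).
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1700000000.100:1): op=start ver=2.8.5 format=raw kernel=5.14.21 auid=4294967295 pid=812 res=success
type=CONFIG_CHANGE msg=audit(1700000005.200:42): auid=1000 ses=1 op=add_rule key="sshd_config" list=4 res=1
type=SYSCALL msg=audit(1700000010.300:43): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd3c0 a2=0 a3=0 items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="sshd_config"
type=CWD msg=audit(1700000010.300:43): cwd="/home/user"
type=PATH msg=audit(1700000010.300:43): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""

# One record per line: type, then msg=audit(seconds.millis:serial), then fields.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be double-quoted (e.g. comm="cat").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one RAW audit line into its type, timestamp, serial and fields."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(text):
    """Collect records into events keyed by serial, preserving log order."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def event_types(events):
    """Map each serial to the list of record types it contains."""
    return {serial: [r["type"] for r in recs] for serial, recs in events.items()}


def watch_hits(events):
    """For each event that carries a SYSCALL record, report who touched which
    file, whether the call succeeded, and the rule key that matched."""
    hits = []
    for serial, recs in events.items():
        by_type = {}
        for r in recs:
            by_type.setdefault(r["type"], []).append(r)
        if "SYSCALL" not in by_type:
            continue  # daemon/config records never carry a SYSCALL context
        sc = by_type["SYSCALL"][0]["fields"]
        hits.append({
            "serial": serial,
            "comm": sc.get("comm"),
            "auid": sc.get("auid"),
            "syscall": sc.get("syscall"),
            "success": sc.get("success") == "yes",
            "key": sc.get("key"),
            "paths": [p["fields"].get("name") for p in by_type.get("PATH", [])],
        })
    return hits


if __name__ == "__main__":
    events = group_events(SAMPLE_LOG)
    for serial, types in event_types(events).items():
        print(f"event {serial}: {', '.join(types)}")
    for hit in watch_hits(events):
        print(f"event {hit['serial']}: {hit['comm']} (auid {hit['auid']}) "
              f"touched {hit['paths']} success={hit['success']} key={hit['key']}")
```

Before any rules are loaded, only events like serials 1 and 42 appear, which is why watch_hits returns nothing for them; the SYSCALL record in serial 43 is what makes the PATH record meaningful, since it supplies the process, login user (auid) and outcome that a file watch alone does not carry.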