Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 396

To transform this example into a configuration file to use in your live setup, proceed
as follows:

1 Choose the appropriate settings for your setup and adjust them.
2 Adjust the file /etc/audit/audit.rules by adding rules from the examples
  below or by modifying existing rules.

NOTE: Adjusting the Level of Audit Logging
Do not copy the example below into your audit setup without adjusting it to
your needs. Determine what and to what extent to audit.

The entire audit.rules is just a collection of auditctl commands. Every line
in this file expands to a full auditctl command line. The syntax used in the rule set
is the same as that of the auditctl command.

32.1 Adding Basic Audit Configuration Parameters

-D
-b 8192
-f 2

-D: Delete any preexisting rules before starting to define new ones.
-b 8192: Set the number of buffers to take the audit messages. Depending on the level of
audit logging on your system, increase or decrease this figure.
-f 2: Set the failure flag to use when the kernel needs to handle critical errors. Possible
values are 0 (silent), 1 (printk, print a failure message), and 2 (panic, halt the
system).

By emptying the rule queue with the -D option, you make sure that audit does not use
any other rule set than what you are offering it by means of this file. Choosing an
appropriate buffer number (-b) is vital to avoid having your system fail because of too
high an audit load. Choosing the panic failure flag -f 2 ensures that your audit records
are complete even if the system is encountering critical errors. By shutting down the
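
The three basic parameters can be checked mechanically before a rule file is loaded. The following Python check is an added example, not part of the Security Guide or the audit package; the function name check_basic_params and the sample input are constructed for illustration.

```python
import shlex

FAILURE_MODES = {0: "silent", 1: "printk", 2: "panic"}  # -f values listed on the page
RULE_OPTS = ("-a", "-A", "-w")  # options that add a rule or a watch

# Constructed sample with two mistakes: -D below a watch, and an invalid -f.
SAMPLE = """\
# constructed input, not a recommended rule set
-w /etc/passwd -p wa
-D
-b 8192
-f 3
"""

def check_basic_params(rules_text):
    """Return (settings, findings) for the -D, -b and -f lines of a rules file."""
    settings = {"flush_first": None, "backlog": None, "failure": None}
    findings, seen, rule_seen = [], set(), False
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # each line is an auditctl command line
        if not tokens:
            continue  # blank line or comment
        opt = tokens[0]
        seen.add(opt)
        if opt in RULE_OPTS:
            rule_seen = True
        elif opt == "-D":
            settings["flush_first"] = not rule_seen
            if rule_seen:
                findings.append(f"line {lineno}: -D deletes the rules defined above it")
        elif opt in ("-b", "-f"):
            value = tokens[1] if len(tokens) > 1 else ""
            if not value.isdigit():
                findings.append(f"line {lineno}: {opt} needs a numeric value")
            elif opt == "-b":
                settings["backlog"] = int(value)
            elif int(value) in FAILURE_MODES:
                settings["failure"] = FAILURE_MODES[int(value)]
            else:
                findings.append(f"line {lineno}: -f must be 0, 1 or 2")
    for opt, effect in (("-D", "preexisting rules stay loaded"),
                        ("-b", "buffer count keeps its default"),
                        ("-f", "failure flag keeps its default")):
        if opt not in seen:
            findings.append(f"{opt} missing: {effect}")
    return settings, findings

if __name__ == "__main__":
    for finding in check_basic_params(SAMPLE)[1]:
        print(finding)
```

An empty findings list means the file starts from a clean rule queue and sets both the buffer count and a valid failure flag.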
