Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual page 400

The main auditctl commands to control basic audit system parameters are:
• auditctl -e to enable or disable audit
• auditctl -f to control the failure flag
• auditctl -r to control the rate limit for audit messages
• auditctl -b to control the backlog limit
• auditctl -s to query the current status of the audit daemon
The -e, -f, -r, and -b options can also be specified in the audit.rules file to
avoid having to enter them each time the audit daemon is started.
Any time you query the status of the audit daemon with auditctl -s or change the
status flag with auditctl -eflag a status messages including information on each
of the above-mentioned parameters is output. The following example highlights the
typical audit status message.
Example 30.1 Example output of auditctl -s
AUDIT_STATUS: enabled=1 flag=2 pid=3105 rate_limit=0 backlog_limit=8192 lost=0
backlog=0
Table 30.1
Flag
enabled
flag
pid
386 Security Guide
Audit Status Flags
Meaning [Possible Values]
Set the enable flag. [0..2] 0=disable,
1=enable, 2=enable and lock down the
configuration
Set the failure flag. [0..2] 0=silent,
1=printk, 2=panic (immediate halt with-
out syncing pending data to disk)
Process ID under which auditd is running.
Command
auditctl -e
[0|1]
auditctl -f
[0|1|2]
—