
IBM Novell 10 SP1 EAL4 User Manual


| Option | Description | Possible values |
|---|---|---|
| log_file | Name of the log file | |
| log_format | How to flush the data from auditd to the log. | RAW. Only RAW is supported in this version. |
| priority_boost | The nice value for auditd. Used to run auditd at a certain priority. | |
| flush | Method of writing data to disk. | none, interval, data, sync |
| freq | Used when flush is incremental, states how many records written before a forced flush to disk. | |
| num_logs | Number of log files to use | |
| max_log_file | Maximum log size in megabytes. | |
| max_log_file_action | Action to take when the maximum log space is reached. | ignore, syslog, suspend, rotate |
| space_left | Low water mark | |
| space_left_action | What action to take when low water mark is reached | ignore, syslog, suspend, single, halt |
| admin_space_left | High water mark | |
| admin_space_left_action | What action to take when high water mark is reached | ignore, syslog, suspend, single, halt |
| disk_full_action | What action to take when disk is full | ignore, syslog, suspend, single, halt |
| disk_error_action | What action to take when an error is encountered while writing to disk. | |

Table 5-2: /etc/auditd.conf options
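
As an added example (not part of the manual), the Python sketch below checks an auditd.conf against the enumerated values in Table 5-2 so that a mistyped action is caught before auditd is restarted. The function names and the sample file are constructed for illustration. It assumes values are matched case-insensitively and that freq, num_logs, max_log_file, space_left and admin_space_left are plain integers, and it leaves flush and priority_boost unchecked.

```python
import re

SPACE_ACTIONS = {"ignore", "syslog", "suspend", "single", "halt"}
ALLOWED = {  # enumerated values as listed in Table 5-2
    "log_format": {"raw"},
    "max_log_file_action": {"ignore", "syslog", "suspend", "rotate"},
    "space_left_action": SPACE_ACTIONS,
    "admin_space_left_action": SPACE_ACTIONS,
    "disk_full_action": SPACE_ACTIONS,
}
NUMERIC = {"freq", "num_logs", "max_log_file", "space_left",
           "admin_space_left"}  # treated as plain integers (assumption)

def parse_auditd_conf(text):
    """Return (settings, problems) for 'option = value' lines; '#' lines are comments."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(\S+)", line)
        if not m:
            problems.append(f"line {lineno}: not 'option = value': {line!r}")
            continue
        key, value = m.group(1).lower(), m.group(2)
        settings[key] = value  # a repeated option keeps its last value here
    return settings, problems

def check_auditd_conf(text):
    """Return a list of problems: malformed lines, unlisted actions, bad numbers."""
    settings, problems = parse_auditd_conf(text)
    for key, value in settings.items():
        if key in ALLOWED and value.lower() not in ALLOWED[key]:
            problems.append(f"{key}: {value!r} not in {sorted(ALLOWED[key])}")
        elif key in NUMERIC and not value.isdigit():
            problems.append(f"{key}: {value!r} is not a non-negative integer")
    return problems

SAMPLE = """\
# constructed sample, not from the manual
log_file = /var/log/audit/audit.log
max_log_file_action = ROTATE
space_left_action = sysog
admin_space_left = 50MB
disk_full_action = halt
disk_error_action
"""

if __name__ == "__main__":
    print("\n".join(check_auditd_conf(SAMPLE)))
```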

In addition to setting the audit filter rules, auditctl can be used to control the audit subsystem behavior in the kernel even when auditd is running. These settings are listed in Table 5-3.
