Skip to main content

3.10.6 Displaying/Setting the Audit Policy


3.10.6 Displaying/Setting the Audit Policy
  1. Execute the showaudit command to display the audit policy settings.
XSCF> showaudit all
Auditing:             enabled
Audit space used:     13713 (bytes)
Audit space free:     4180591 (bytes)
Records dropped:      0
Policy on full trail: count
User global policy:   enabled
Mail:
Thresholds:           80% 100%
User policy:
Events:
        AEV_AUDIT_START enabled
        AEV_AUDIT_STOP enabled
  1. Execute the setaudit command to set the audit policy.
    The following example specifies three users (yyyyy, uuuuu, and nnnnn), with AUDIT and LOGIN enabled for the audit class, the version enabled for audit events, and the global policy disabled for the users.
XSCF> setaudit -a yyyyy,uuuuu,nnnnn=enabe -c
ACS_AUDIT,ACS_LOGIN=enable -e AEV_version=enable -g disable
  1. The following example specifies a warning destination e-mail address, the deleting of new audit records and counting of the deleted records when the amount of audit trails reaches full capacity, and file amount warning thresholds (50%, 75%, and 90%).
XSCF> setaudit -m yyyy@example.com -p count -t 50,75,90
  1. Execute the showaudit command, and confirm the settings.
XSCF> showaudit all
Auditing:             enabled
Audit space used:     13713 (bytes)
Audit space free:     4180591 (bytes)
Records dropped:      0
Policy on full trail: count
User global policy:   enabled
Mail:                 yyyy@example.com
Thresholds:           50% 75% 90%
User policy:
Events:
     AEV_AUDIT_START       enabled
     AEV_AUDIT_STOP        enabled
     :
     AEV_LOGIN_BUI         enabled
     AEV_LOGIN_CONSOLE     enabled
     AEV_LOGIN_SSH         enabled
     AEV_LOGIN_TELNET      enabled
     AEV_LOGOUT            enabled
     AEV_AUTHENTICATE      enabled
     :
     AEV_version           enabled
     :
With -p count specified, new audit record data is discarded (dropped) when the audit log reaches full capacity, and the number of times that records are dropped is counted (drop count).
Note - When an audit log reaches full capacity, only the default audit policy "count," which discards audit records, is currently supported. Therefore, do not specify "suspend."
If the audit log amount exceeds the threshold, a warning message appears on the console. If a warning destination e-mail address is specified, a warning can also be sent in a secure format.
The following example shows a warning message.
WARNING: audit trail is 91% full