As part of creating a plugin architecture that could be used to implement alternative audit log backends, PSARC 2002/150 ("Remote Audit Log") significantly modified the auditing system so that the actual writing of data is no longer handled by the kernel, but by auditd (within its userland plugins). As a result, the kernel-based implementation of the auditing statistics feature (which allows the user to configure an upper limit on the size of the auditing log and to determine the current size of the log; see auditconfig(1M) '-setfsize' etc.) is no longer valid, but it was not removed along with PSARC 2002/150. It should be removed and replaced with an alternative implementation based in the audit_binfile(5) plugin, where the auditing log is now written to disk.
The following PSARC case:
PSARC/2007/701 EOF and removal of auditconfig -[gs]etfsize
http://sac.sfbay.sun.com/Archives/CaseLog/arc/PSARC/2007/701/
describes the EOF'ing of the outdated kernel-based -setfsize feature. In addition, it also describes its replacement:
"Proposal:
========
[...]
Add a new parameter, p_fsize, to audit_binfile(5), the auditd plugin that
implements writing to the local audit file, to replace the functionality
of -setfsize."
Although covered by the same PSARC case, the EOF'ing of the old feature and the implementation of a new equivalent one are being documented with separate bugs and will be addressed with separate putbacks.
This bug (6185615) covers the replacement functionality.
Bug 6704828 covers the EOF'ing and removal of the previous implementation:
6704828 PSARC/2007/701: kernel-based audit statistic feature (-[gs]etfsize) should be EOF'd and removed
Work Around
Monitor audit file sizes in other ways and run audit -n before they get too
large.
(Maybe impractical when very many systems are involved.)
xxxxx@xxxxx.com 2005-07-18 14:34:34 GMT
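
The workaround above as a periodic shell check, added here as an example; it is not part of the original bug report or of any putback. It assumes the binfile directory /var/audit and the `<start>.not_terminated.<host>` name of the active audit file; the 100 MiB limit, the function names and the ROTATE_CMD override are hypothetical.

```shell
#!/bin/sh
# Added example: size-based rotation of the active audit file via `audit -n`.
# Assumptions: binfile directory /var/audit, active file named
# <start>.not_terminated.<host>; the limit and names below are hypothetical.
AUDIT_DIR=${AUDIT_DIR:-/var/audit}
LIMIT_BYTES=${LIMIT_BYTES:-104857600}    # 100 MiB, illustrative value
ROTATE_CMD=${ROTATE_CMD:-"audit -n"}     # overridable so the check can be dry-run

# Print "<path> <bytes>" for the first active audit file at or over the limit.
# Returns 0 if one is found, 1 otherwise. Closed (terminated) files are ignored.
needs_rotation() {
    for f in "$1"/*.not_terminated.*; do
        [ -f "$f" ] || continue          # glob matched nothing
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -ge "$2" ]; then
            printf '%s %s\n' "$f" "$size"
            return 0
        fi
    done
    return 1
}

# Rotate when needed and print what was done.
# Returns non-zero only if the rotate command itself fails.
check_and_rotate() {
    if hit=$(needs_rotation "$1" "$2"); then
        echo "rotating: $hit >= $2 bytes"
        $ROTATE_CMD || { echo "rotate command failed" >&2; return 2; }
    else
        echo "ok: no active audit file at or over $2 bytes"
    fi
}

# Run from cron as: audit_size_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_and_rotate "$AUDIT_DIR" "$LIMIT_BYTES"
fi
```

Between runs the active file can still grow past the limit, so the check interval has to match the audit volume.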