The audit event log file may be either a regular file or a character special device. The value of the AUDIT_DEFPATH parameter in the /etc/default/audit file controls the default location for the log file. As distributed, the system creates the log file in the directory /var/audit. To place the log file in another directory or to use a character special device, either
For example, if you have a /sysadm filesystem for system administrators and you want to put the audit event log file in its audit directory, you would use this command:
auditlog -P /sysadm/audit
If the argument to the -P option is not an absolute pathname to either a directory or special character device that exists, one of the following error messages will be displayed:
full pathname not specified
or
cannot open/access path or device device
If you use a directory other than the default, you should ensure that the directory is properly protected. The owner of the directory should be root, the group should be audit, and the file permissions should be read, write and execute for the owner and group. For example, the permissions would look like this:
# ls -ld /sysadm/audit
drwxrwx--- 1 root audit 17014 Dec 19 10:51 /sysadm/audit
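The protection requirements above can be checked from a script before the directory is handed to auditlog -P. The following is an added example, not part of the original documentation; check_audit_dir is a hypothetical helper name, and it assumes ls -ld prints mode, link count, owner and group in the column order shown in the listing above.

```shell
#!/bin/sh
# Added example, not from the original documentation.
# check_audit_dir is a hypothetical helper; owner and group default to the
# values the text gives (root, audit) and can be overridden for other setups.
check_audit_dir() {
    dir=$1
    want_owner=${2:-root}
    want_group=${3:-audit}
    rc=0

    # The -P argument must be an absolute pathname.
    case $dir in
        /*) ;;
        *) echo "FAIL: $dir is not an absolute pathname" >&2; return 2 ;;
    esac

    # Only the directory case is checked here, not a character special device.
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not an existing directory" >&2
        return 2
    fi

    # Read the same ls -ld fields as the listing above: mode, owner, group.
    # Only the first 10 mode characters are kept, since some systems append
    # an ACL or label marker after them.
    listing=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$listing" | awk '{print substr($1, 1, 10)}')
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    group=$(printf '%s\n' "$listing" | awk '{print $4}')

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner" >&2; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group" >&2; rc=1
    fi
    # rwx for owner and group, nothing for others.
    if [ "$mode" != "drwxrwx---" ]; then
        echo "FAIL: mode is $mode, expected drwxrwx---" >&2; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir $mode $owner $group"
    fi
    return "$rc"
}

# Run against a path given on the command line, e.g. /sysadm/audit.
if [ "$#" -gt 0 ]; then
    check_audit_dir "$@"
fi
```

The function returns 0 when the directory matches, 1 when ownership or mode differs, and 2 when the path is not an absolute pathname to an existing directory.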