Administrator's Guide

c. Set SEC_AUDFILE to the name of the auxiliary log file.
d. Set SEC_SWITCH to the maximum size of the secondary audit log file (in KB).
For more information about setting up primary and auxiliary audit log files, see
Section 9.5.
6. Start the audomon daemon if it has not yet been started. The audomon daemon
monitors the growth of the current audit trail and switches to an alternative audit
trail whenever necessary. For example:
# audomon -p 20 -t 1 -w 90 -X "/usr/local/bin/rcp_audit_trail hostname"
For more information about configuring the audomon daemon, see Section 9.5.2.
7. Set the audomon argument parameter in the /etc/rc.config.d/auditing file
to retain the current settings across system reboots.
8. Set the AUDITING flag to 1 in the /etc/rc.config.d/auditing file to enable
the auditing system to automatically start when the system is booted.
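The settings from steps c, d, 7 and 8 can be checked before a reboot. The following script is an added example, not part of the guide: it assumes the audomon argument parameter is named AUDOMON_ARGS, and the sample file contents and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the guide. AUDOMON_ARGS is an assumed name for
# the "audomon argument parameter"; sample values below are constructed.

# Print the value of the last NAME=value line in FILE. The file is parsed,
# not sourced, so nothing inside it is executed by this check.
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/^"\(.*\)"$/\1/'
}

# Return 0 if FILE has the settings from steps c, d, 7 and 8; else list gaps.
check_audit_rc() {
    file=$1; rc=0
    [ "$(get_var "$file" AUDITING)" = 1 ] ||
        { echo "FAIL: AUDITING is not 1, auditing will not start at boot"; rc=1; }
    [ -n "$(get_var "$file" SEC_AUDFILE)" ] ||
        { echo "FAIL: SEC_AUDFILE is empty, no auxiliary log file is named"; rc=1; }
    case $(get_var "$file" SEC_SWITCH) in
        ''|*[!0-9]*) echo "FAIL: SEC_SWITCH is not a size in KB"; rc=1 ;;
    esac
    [ -n "$(get_var "$file" AUDOMON_ARGS)" ] ||
        { echo "FAIL: AUDOMON_ARGS is empty, audomon settings are lost at reboot"; rc=1; }
    return $rc
}

# Write two constructed sample files into directory $1.
make_samples() {
    cat > "$1/good" <<'EOF'
AUDITING=1
SEC_AUDFILE=/tmp/example_audfile2
SEC_SWITCH=1000
AUDOMON_ARGS="-p 20 -t 1 -w 90"
EOF
    cat > "$1/bad" <<'EOF'
AUDITING=0
SEC_AUDFILE=/tmp/example_audfile2
SEC_SWITCH=1000   # KB
AUDOMON_ARGS=""
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in good bad; do
    echo "== $f"
    if check_audit_rc "$tmp/$f"; then echo "OK"; fi
done
rm -rf "$tmp"
```

On a real system, pass the path of the /etc/rc.config.d/auditing file to check_audit_rc instead of the sample files.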
9.2.3 Disabling Auditing
To disable auditing on the system, follow these steps:
1. Stop system auditing using the following command:
# audsys -f
2. Set the AUDITING flag to 0 in the /etc/rc.config.d/auditing file to prevent
the auditing system from starting when the system is rebooted.
3. (Optional) To stop the audomon daemon, enter:
# kill `ps -e | awk '$NF ~ /audomon/ {print $1}'`
Only use this step if you want to reconfigure the audomon daemon. To reconfigure
and restart the audomon daemon, follow step 6 and step 7 as described in
Section 9.2.2.
9.2.4 Monitoring Audit Files
To view, monitor, and administer the audit files, follow these steps:
1. View the audit log files with the audisp command:
# audisp audit_file
See “Viewing Audit Logs” for details on using the audisp command.
2. Set the audit log file monitor arguments in the /etc/rc.config.d/auditing
file.
3. (Optional) Stop system auditing using the following command: