Archives for November 2015

Behaviour of the audit daemon

I always wanted to know how to make a clean start with nightly log rotation in a Solaris audit setup.

Turns out it couldn't be simpler!

From the audit(1M) man page:

audit - control the behavior of the audit daemon

and a bit further down:

-s Notify the audit daemon to read the audit control file. The audit daemon stores the information internally. If the audit daemon is not running but audit has been enabled by means of bsmconv, the audit daemon is started.
-t Direct the audit daemon to close the current audit trail file and exit. Use -s to restart auditing. To disable auditing, use bsmunconv.

So the sequence should be:
1) Close the current audit trail file (this also stops the daemon):
audit -t
2) Do the log rotation magic
3) Restart the audit trail:
audit -s

Keep in mind that nothing is audited between steps 1 and 3, so keep step 2 short and make sure step 3 runs even if step 2 fails, or the box is left without an audit trail. If all you need is a fresh trail file rather than a stopped daemon, audit -n closes the current file and opens a new one without taking auditing down.
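The three steps wrapped into a shell function, as an added example that is not part of the original post. It assumes the audit(1M) binary is reachable as AUDIT_CMD (default: audit, overridable so the function can be tried against a stub), that closed trail files follow the Solaris START.END.HOST naming and the live file is START.not_terminated.HOST, and that the audit and archive directories are passed as arguments. The important detail is the error handling: the archive step is skipped if audit -t fails, and audit -s is attempted regardless of whether archiving succeeded.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions (labelled): AUDIT_CMD is the audit(1M) binary; closed trail
# files are named START.END.HOST, the live one START.not_terminated.HOST;
# arguments are the audit directory and the archive directory.

AUDIT_CMD="${AUDIT_CMD:-audit}"

# rotate_audit_trail AUDIT_DIR ARCHIVE_DIR
# Returns 0 on success, 1 if the daemon could not be stopped or restarted,
# 2 on bad arguments, 3 if some closed trail file could not be archived.
# Once `audit -t` has succeeded, `audit -s` is always attempted so the
# system is not left without auditing because of an archiving error.
rotate_audit_trail() {
    audit_dir="$1"
    archive_dir="$2"
    [ -d "$audit_dir" ] || { echo "no such audit dir: $audit_dir" >&2; return 2; }
    mkdir -p "$archive_dir" || return 2

    # 1) Close the current trail file; this stops auditd.
    if ! "$AUDIT_CMD" -t; then
        echo "audit -t failed; trail left untouched" >&2
        return 1
    fi

    # 2) Archive every closed trail file (START.END.HOST). The file just
    #    closed now carries a real end timestamp, so it is picked up too.
    #    A leftover *.not_terminated.* file means auditd did not close it,
    #    so it is deliberately left alone rather than moved half-written.
    rc=0
    for f in "$audit_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            *.not_terminated.*) continue ;;
            [0-9]*.[0-9]*.*)
                mv "$f" "$archive_dir/" || rc=3 ;;
        esac
    done

    # 3) Restart auditing, even if step 2 reported errors.
    if ! "$AUDIT_CMD" -s; then
        echo "audit -s failed: AUDITING IS STOPPED, restart it manually" >&2
        return 1
    fi
    return $rc
}
```

Run it from cron as root with the audit directory (typically /var/audit) and an archive location; anything compressing or shipping the archived files belongs after the function returns, outside the window in which auditd is down.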