 
LKP System Management

Auditing

Auditing cannot provide audit records for Linux mode activities on your system. If you need to audit your system, these unaudited events pose a potential security risk. If you must run auditing and it is not acceptable for Linux mode activities to run unaudited, you must disable the LKP.

The auditon(1M) command enables auditing on your system. If an auditon command is issued without an LKP option on a system that has the LKP installed, you are prompted to choose one of the following:

   [1] Allow Linux mode activities to continue but with no audit records
   [2] Disable all Linux mode activities now (Linux binaries will coredump,
       auditing is enabled and complete).
   [3] Abort auditon, make no change to audit or Linux mode at this time.
          Choose 1, 2, or 3:

The first option enables auditing for UNIX mode and permits Linux mode activities, but no Linux mode events are audited. This is equivalent to issuing an auditon -e lkp command.

The second option enables auditing and completely disables the LKP. This is equivalent to issuing an auditon -d lkp command. If the LKP is in use, you might want to use the wall(1M) command to warn users before disabling it. If you disable the LKP while it is being used, all running Linux binaries on the system will immediately dump core.



© 2002 Caldera International, Inc. All rights reserved.
UnixWare 7 Release 7.1.3 - 17 October 2002