grep c2audit:audit_load /etc/system
By clive on Oct 24, 2008
I have come across quite a few customers over the last few years who have this line in /etc/system:
set c2audit:audit_load = 1
Only one set of administrators knew why it was there, what it did and how they used the output. The rest came up with a vague "we need it for security and auditing what root does" or "it is part of the standard build". Most admins did not know it was set or why, and a bit of questioning suggests that no one in the organisation has ever looked at the log files or knows the trigger to look at the log files.
lockstat -C -s 50 sleep 10 can show some very interesting stacks!
Awareness of security is good, but my experience is that this feature has been enabled without consideration of how to use the output or its impact on performance. In light of this, is bsmunconv your friend?
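The grep in the title also matches commented-out lines, so as an added example (not part of the original post) here is a stricter check that reports the effective setting. It assumes system(4) comment syntax (lines starting with * or #) and that the last uncommented assignment wins; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective c2audit:audit_load setting in an
# /etc/system-format file, skipping comment lines that a plain grep would hit.

# audit_load_value FILE
# Prints the value from the last uncommented "set c2audit:audit_load = N"
# line, or "unset" if there is none.
# Assumption: when the setting appears more than once, the last one wins.
audit_load_value() {
    awk '
        /^[ \t]*[*#]/ { next }             # comment lines start with * or #
        {
            line = $0
            gsub(/[ \t]+/, " ", line)      # collapse runs of whitespace
            sub(/^ /, "", line)
            if (line ~ /^set c2audit:audit_load ?= ?[^ ]+/) {
                sub(/^set c2audit:audit_load ?= ?/, "", line)
                sub(/ .*$/, "", line)      # drop anything after the value
                val = line
            }
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Constructed sample in /etc/system format (not taken from a real host).
sample_system() {
    cat <<'EOF'
* Uncomment to enable auditing at boot:
* set c2audit:audit_load = 1
set maxusers = 2048
set c2audit:audit_load=1
EOF
}

tmp=$(mktemp) || exit 1
sample_system > "$tmp"
echo "lines matched by plain grep: $(grep -c 'c2audit:audit_load' "$tmp")"
echo "effective value:             $(audit_load_value "$tmp")"
rm -f "$tmp"
```

On a real host, pass /etc/system as the argument. A result other than "unset" is the prompt to ask who reads the audit trail and when.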