Question
Alexey Maslov · Feb 6, 2021

How to disable an Audit event on the process level?

During some consulting activity, I found at the client's site a CACHEAUDIT database of more than 100 GB in size. The reason was simple: several processes produced a great amount of %System/%System/OSCommand audit records due to frequent external calls ($zf(-100,...)). As is well known, those events can be easily disabled systemwide, while this can hardly be considered secure enough. Reducing the number of days before audit cleanup from the default 62 to some reasonable figure (e.g. 15) seems to be a better solution, but...

This case inspired a dream: we have a facility to switch off journaling on the process level. Why not have the same for auditing?
