summary: Sanity of max_log_file* options of auditd
description: |+
    Test that max_log_file, max_log_file_action and num_logs options of auditd work as expected.

    The log_format describes how the information should be stored on disk.
    There are 2 options and 1 deprecated:
    * NOLOG - deprecated, if you are setting this format, now you should set the write_logs option to no;
    * RAW - the audit records will be stored in a format exactly as the kernel sends it (default);
    * ENRICHED - will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of events created on one system but reported/analyzed on another system.

contact: Ondrej Moris
component:
- audit
test: ./runtest.sh
require:
- library(audit/testing)
recommend:
- audit
duration: 60m
enabled: true
tag:
- NoRHEL4
- NoRHEL5
- NoRHEL6
- TIPfail_Security
- Tier2
- fedora-wanted
tier: '2'
link:
- relates: https://bugzilla.redhat.com/show_bug.cgi?id=1672287
adjust:
- enabled: false
  when: distro == rhel-4, rhel-5, rhel-6
  continue: false
- enabled: false
  when: arch == ppc64, ppc64le
  continue: false
extra-nitrate: TC#0598628
extra-summary: /CoreOS/audit/Sanity/options-max-log-file
extra-task: /CoreOS/audit/Sanity/options-max-log-file