Trusted Solaris Audit Administration

To Create Dedicated Audit Partitions

    During installation, the install team creates dedicated audit partition(s) when formatting the disks.

Use the naming convention /etc/security/audit/system_name(.n).

A diskfull computer should have at least one local audit directory, which it can use as a directory of last resort if it cannot communicate with the audit server.

See Audit Storage for an explanation of the naming convention.
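The following shell helpers are an added example, not part of the Trusted Solaris documentation. They build and validate audit directory names under the convention /etc/security/audit/system_name(.n), and check that a candidate directory is its own mount point, which is what "dedicated audit partition" means in practice. The host names egret and willet are the documentation's sample systems; the use of df -P to detect a mount point is this example's own approach and is not described on the page.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris documentation: helpers for the
# audit directory naming convention /etc/security/audit/system_name(.n) and
# a check that an audit directory sits on its own partition. Nothing here
# creates or modifies directories.

AUDIT_ROOT=/etc/security/audit

# audit_dir_name HOST [N]
# Print the audit directory for HOST. The first partition is unsuffixed;
# additional partitions on the same host carry .1, .2, ... as in the tables.
audit_dir_name() {
    if [ -z "${2:-}" ] || [ "$2" -eq 0 ]; then
        printf '%s/%s\n' "$AUDIT_ROOT" "$1"
    else
        printf '%s/%s.%s\n' "$AUDIT_ROOT" "$1" "$2"
    fi
}

# is_audit_dir_name PATH
# Succeed only if PATH is directly under AUDIT_ROOT and its last component is
# system_name or system_name.n with n a positive integer. Nested paths,
# trailing dots and non-numeric suffixes are rejected, so a typo does not
# silently produce a directory that does not follow the convention.
is_audit_dir_name() {
    case "$1" in
        "$AUDIT_ROOT"/*) base=${1#"$AUDIT_ROOT"/} ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$base" | grep -Eq '^[A-Za-z0-9_-]+(\.[1-9][0-9]*)?$'
}

# is_own_mountpoint DIR
# Succeed if DIR exists and df -P reports DIR itself as the mount point.
# A plain subdirectory of / would share space with the root file system and
# could fill it as the audit trail grows, which a dedicated partition avoids.
is_own_mountpoint() {
    [ -d "$1" ] || return 1
    canon=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    mnt=$(df -P "$canon" | awk 'NR == 2 { print $6 }')
    [ "$mnt" = "$canon" ]
}

# check_audit_dirs HOST COUNT
# Print one line per expected audit directory for HOST (unsuffixed, then
# .1 .. .COUNT-1) with the result of both checks. The exit status is the
# number of directories that failed, so 0 means every partition is in place.
check_audit_dirs() {
    fails=0
    i=0
    while [ "$i" -lt "$2" ]; do
        dir=$(audit_dir_name "$1" "$i")
        if is_audit_dir_name "$dir" && is_own_mountpoint "$dir"; then
            printf 'ok       %s\n' "$dir"
        else
            printf 'MISSING  %s (not a dedicated, mounted partition)\n' "$dir"
            fails=$((fails + 1))
        fi
        i=$((i + 1))
    done
    return "$fails"
}

# Usage: check_audit_dirs egret 4    # checks egret, egret.1, egret.2, egret.3
```

Run check_audit_dirs with the host name and the number of audit partitions planned for it after the install team has formatted the disks; any line marked MISSING is a partition that either is not mounted or does not follow the naming convention.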

On an audit file server, most partitions hold audit files, as is shown in the following example of the egret audit file server:

Disk      Slice   Mount point                    Size
c0t2d0    s0      /etc/security/audit/egret      1.0 GB
          s1      /etc/security/audit/egret.1    .98 GB
          s2      entire disk                    1.98 GB
c0t2d1    s0      /etc/security/audit/egret.2    502 MB
          s1      /etc/security/audit/egret.3    500 MB
          s2      entire disk                    1002 MB

Note –

Another disk holds egret's / (root) and /swap partitions.


On a diskfull computer, including the audit administration server, at least one partition should be dedicated to local audit files, as is shown in the following example of the system willet:

Disk      Slice   Mount point                    Size (MB)
c0t3d0    s0                                     70
          s1      swap                           180
          s2      entire disk                    1002
          s3      /usr                           350
          s4      /etc/security/audit/willet     202
          s7      /export/home                   200

Hints

A rule of thumb is to assign 200 MB of space for each system. However, the disk space requirements at your site will be based on how much auditing you perform and may be far greater than this figure.

Fewer, larger partitions are more efficient than many small ones.


Note –

To add a disk to hold audit partitions after installing the system, see the Solaris 8 System Administration Guide, Volume II. To protect the disks with Trusted Solaris security attributes, see Trusted Solaris Administrator's Procedures.