Trusted Solaris Audit Administration

To Protect an Audit File System

  1. As role secadmin, at label admin_low, set the appropriate file permissions on every audit file system while the file system is unmounted.

    For example, on the audit file server egret:


    egret$ chmod -R 750 /etc/security/audit/egret
    egret$ chmod -R 750 /etc/security/audit/egret.1
    egret$ chmod -R 750 /etc/security/audit/egret.2
    egret$ chmod -R 750 /etc/security/audit/egret.3
    

    On the system willet:


    willet$ chmod -R 750 /etc/security/audit/willet
    
  2. As role secadmin, at label admin_high, set any Trusted Solaris security attribute defaults required by your site security policy on every audit file system while the file system is unmounted.

    To run the command at the label admin_high, you must create an admin_high workspace. Follow the procedure in To Create an Admin_High Workspace.

    For example, the following command on the audit file server egret should be repeated for all of its audit partitions:


    egret$ setfsattr -s "[admin_high]" /etc/security/audit/egret
    

    On the system willet:


    willet$ setfsattr -s "[admin_high]" /etc/security/audit/willet
    

    The -s option sets the partition's default sensitivity label for the audit files. See the setfsattr(1M) man page for more information.


    Note – The local audit file systems must already be in the host's /etc/vfstab file.
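
A check to run after step 1, given here as an added example that is not part of the original documentation: it lists every entry under an audit directory whose mode grants more than 750, that is, group write or any access for others. The function name audit_perm_violations is hypothetical; the paths in the usage comment are the ones from the egret example above.

```shell
#!/bin/sh
# Added example: verify that nothing under an audit directory is more
# permissive than mode 750 (the mode set by `chmod -R 750` in step 1).
# audit_perm_violations is a hypothetical helper name.

# Print every path under $1 that has group-write or any "other" bit set.
# Returns 0 when the tree is clean, 1 when violations exist, 2 on bad input.
audit_perm_violations() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # Bits outside 750 are 020 (group write) and 007 (other rwx).
    # -perm -MODE matches when all bits in MODE are set, so test each bit.
    # Symbolic links are skipped because their own mode bits are not meaningful.
    bad=$(find "$dir" ! -type l \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage, run as a role that can read the audit directories:
#   for d in /etc/security/audit/egret /etc/security/audit/egret.1; do
#       audit_perm_violations "$d" || echo "fix permissions under $d"
#   done
```

Files created after the chmod inherit their mode from the creating process, so the check is worth repeating whenever the audit directories are remounted or repopulated.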