Trusted Solaris Audit Administration

To Back Up Audit Files

  1. As the role oper in an admin_high workspace, go to the system's audit files directory.

    $ cd /etc/security/audit/system_name[.n]/files

  2. Allocate, at the label admin_high, the tape drive that you are going to use for backup.

    If you are unfamiliar with device allocation, see To Allocate and Deallocate Devices.

  3. Use the tar(1) command to copy the completed audit files and their Trusted Solaris security attributes, such as the label, to the tape.

    For example,

    $ tar cvT \
    /etc/security/audit/grebe/files/19980413120429.19980413180433.grebe \
    /etc/security/audit/grebe/files/19980502120429.19980502180433.grebe

  4. Deallocate the tape drive when finished, remove the tape, and label it admin_high.

  5. At the same time, in an admin_low workspace, back up system files that capture information about the users, labels, roles, and execution profiles on the system.

    Store the audit tapes with the current system information tape(s).

  6. As admin, at label admin_high, remove the audit files that have been backed up.

    For example,

    $ rm \
    /etc/security/audit/grebe/files/19980413120429.19980413180433.grebe \
    /etc/security/audit/grebe/files/19980502120429.19980502180433.grebe
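
The procedure above backs up and then removes only completed audit files. The following is an added example, not part of the original Trusted Solaris documentation: a shell function that lists the files in the audit directory that are safe to pass to the tar and rm steps. It assumes the Solaris naming convention start.end.hostname with 14-digit timestamps, where the file still being written carries not_terminated in place of the end timestamp; the function name completed_audit_files is hypothetical.

```shell
#!/bin/sh
# Added example: print only the completed audit files in a directory,
# one path per line, in chronological (lexical) order.
# Assumption: file names are start.end.hostname with 14-digit timestamps;
# the active file uses "not_terminated" as its end field and is skipped.

completed_audit_files() {
    dir=$1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue          # also covers an empty directory
        name=${path##*/}
        start=${name%%.*}                   # first field
        rest=${name#*.}                     # everything after the first dot
        end=${rest%%.*}                     # second field
        host=${rest#*.}                     # remainder (may contain dots)

        # Require three fields: start, end and a non-empty hostname.
        [ "$rest" != "$name" ] || continue
        [ "$host" != "$rest" ] || continue
        [ -n "$host" ] || continue

        # Both timestamps must be exactly 14 digits. This rejects
        # "not_terminated", so the open audit file is never listed.
        case $start in ''|*[!0-9]*) continue ;; esac
        case $end in ''|*[!0-9]*) continue ;; esac
        [ ${#start} -eq 14 ] || continue
        [ ${#end} -eq 14 ] || continue

        # A file that closes before it opens is malformed; leave it
        # for manual review instead of archiving and deleting it.
        expr "$end" \>= "$start" >/dev/null || continue

        printf '%s\n' "$path"
    done
}

# Stand-alone use: sh script.sh /etc/security/audit/system_name/files
if [ $# -gt 0 ]; then
    completed_audit_files "$1"
fi
```

Review the listing before running tar, and give rm the same list that was written to tape.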