System Administration Guide: Security Services

ProcedureHow to Create Partitions for Audit Files

The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Determine the amount of disk space that is required.

    Assign at least 200 Mbytes of disk space per host. However, how much auditing you require dictates the disk space requirements. So, your disk space requirements might be far greater than this figure. Remember to include a local partition for a directory of last resort.

  3. Create dedicated audit partitions, as needed.

    This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see Chapter 11, Administering Disks (Tasks), in System Administration Guide: Devices and File Systems.

    # newfs /dev/rdsk/cwtxdysz

    where /dev/rdsk/cwtxdysz is the raw device name for the partition.

    If the local host is to be audited, also create an audit directory of last resort for the local host.

  4. Create mount points for each new partition.

    # mkdir /var/audit/server-name.n

    where server-name.n is the name of the server plus a number that identifies each partition. The number is optional, but the number is useful when there are many audit directories.

  5. Add entries to automatically mount the new partitions.

    Add a line to the /etc/vfstab file that resembles the following:

    /dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n   ufs  2  yes
  6. (Optional) Remove the minimum free space threshold on each partition.

    If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the partition.

    # tunefs -m 0 /var/audit/server-name.n
  7. Mount the new audit partitions.

    # mount /var/audit/server-name.n
  8. Create audit directories on the new partitions.

    # mkdir /var/audit/server-name.n/files
  9. Correct the permissions on the mount points and new directories.

    # chmod -R 750 /var/audit/server-name.n/files
  10. On a file server, define the file systems to be made available to other hosts.

    Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, then the directory must be shared through the NFS service. Add an entry that resembles the following for each directory to the /etc/dfs/dfstab file:

    share -F nfs /var/audit/server-name.n/files
  11. On a file server, restart the NFS service.

    If this command is the first share command or set of share commands that you have initiated, the NFS daemons might not be running.

    • If the NFS service is offline, enable the service.

      % svcs \*nfs\*
      disabled       Nov_02   svc:/network/nfs/rquota:default
      offline        Nov_02   svc:/network/nfs/server:default
      # svcadm enable network/nfs/server
    • If the NFS service is running, restart the service.

      % svcs \*nfs\*
      online         Nov_02   svc:/network/nfs/client:default
      online         Nov_02   svc:/network/nfs/server:default
      # svcadm restart network/nfs/server

    For more information about the NFS service, refer to Setting Up NFS Services in System Administration Guide: Network Services. For information on managing persistent services, see Chapter 18, Managing Services (Overview), in System Administration Guide: Basic Administration and the smf(5) man page.

Example 30–13 Creating an Audit Directory of Last Resort

All systems that run the auditing service should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system that is named egret. Because this file system is only used locally, none of the steps for a file server are necessary.

# newfs /dev/rdsk/c0t2d0
# mkdir /var/audit/egret
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret ufs  2  yes  -
# tunefs -m 0 /var/audit/egret
# mount /var/audit/egret
# mkdir /var/audit/egret/files
# chmod -R 750 /var/audit/egret/files

Example 30–14 Creating New Audit Partitions

In this example, a new file system is created on two new disks that are to be used by other systems in the network.

# newfs /dev/rdsk/c0t2d0
# newfs /dev/rdsk/c0t2d1
# mkdir /var/audit/egret.1
# mkdir /var/audit/egret.2
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret.1 ufs  2  yes  -
/dev/dsk/c0t2d1s1  /dev/rdsk/c0t2d1s1  /var/audit/egret.2 ufs  2  yes  -
# tunefs -m 0 /var/audit/egret.1
# tunefs -m 0 /var/audit/egret.2
# mount /var/audit/egret.1
# mount /var/audit/egret.2
# mkdir /var/audit/egret.1/files
# mkdir /var/audit/egret.2/files
# chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files
# grep egret /etc/dfs/dfstab
 share -F nfs /var/audit/egret.1/files
 share -F nfs /var/audit/egret.2/files
# svcadm enable network/nfs/server

Example 30–15 Creating ZFS Audit Partitions

In this example, the administrator runs the script command after the ZFS audit partitions are created. The following is the output of the command:

# zpool create auditf mirror c0t4d0 c0t5d0
# zfs create -o mountpoint=/audit auditf/audit
# zfs create auditf/audit/noddy
# zfs create auditf/audit/noddy/files
# zfs create auditf/audit/blinken
# zfs create auditf/audit/blinken/files
# zfs set devices=off auditf/audit
# zfs set exec=off auditf/audit
# zfs set setuid=off auditf/audit
# zfs set sharenfs=on auditf/audit
# share
-               /audit/blinken/files   rw   ""
-               /audit/noddy   rw   ""
-               /audit/blinken   rw   ""
-               /audit/noddy/files   rw   ""
-               /audit   rw   ""
# ^D
script done on Fri Apr 10 10:10:20 2009

The administrator then views the mounts from the remote system, remotesys.

# dfshares remotesys
RESOURCE                             SERVER ACCESS    TRANSPORT
remotesys:/audit/blinken/files       remotesys  -         -
remotesys:/audit/noddy               remotesys  -         -
remotesys:/audit/blinken             remotesys  -         -
remotesys:/audit/noddy/files         remotesys  -         -
remotesys:/audit                     remotesys  -         -

Finally, the administrator mounts the /audit file system on /var/audit.

# mount remotesys:/audit /var/audit
# ls /var/audit
blinken  noddy