System Administration Guide: Security Services

ProcedureHow to Create Partitions for Audit Files

The following procedure shows how to create partitions for audit files, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Determine the amount of disk space that is required.

    Assign at least 200 Mbytes of disk space per host. However, how much auditing you require dictates the disk space requirements. So, your disk space requirements might be far greater than this figure. Remember to include a local partition for a directory of last resort.

  3. Create a storage pool and a mirror.

    For more information, see What Is ZFS? in Solaris ZFS Administration Guide.

    # zpool create audit-pool mirror slice1 slice2

    For example, create the auditf pool from two slices, and mirror them:

    # zpool create auditf mirror c0t4d0 c0t5d0

    If the local host is to be audited, also create an audit directory of last resort for the local host.

  4. Create a mount point for the audit files.

    # zpool create -o mountpoint=/mountpoint /audit-pool/mountpoint

    For example, create the /audit mount point:

    # zfs create -o mountpoint=/audit auditf/audit
  5. Create audit directories for every set of audit files that is going to be mounted.

    # zfs create auditf/audit/machine1
    # zfs create auditf/audit/machine1/files
    # zfs create auditf/audit/machine2
    # zfs create auditf/audit/machine2/files

    For example, create directories for the noddy and blinken systems:

    # zfs create auditf/audit/noddy
    # zfs create auditf/audit/noddy/files
    # zfs create auditf/audit/blinken
    # zfs create auditf/audit/blinken/files
  6. Protect the mount points.

    The following ZFS properties are set to off:

    # zfs set devices=off auditf/audit
    # zfs set exec=off auditf/audit
    # zfs set setuid=off auditf/audit
  7. On a file server, define the file systems to be made available to other hosts.

    # zfs set sharenfs=on audit-pool/mountpoint

    For example, share the audit pool directory:

    # zfs set sharenfs=on auditf/audit

    As a result of sharing the auditf/audit directory, the following directories are shared:

  8. (Optional) Remove the minimum free space threshold on the audit pool.

    If you use the default configuration, a warning is generated when the directory is 80 percent full. The warning removes the reason to reserve free space on the audit pool.

    # tunefs -m 0 /auditf/audit

    For example, tune the audit pool directory:

    # tunefs -m 0 auditf/audit
  9. On a file server, restart the NFS service.

    If this command is the first share command or set of share commands that you have initiated, the NFS daemons might not be running.

    • If the NFS service is offline, enable the service.

      % svcs \*nfs\*
      disabled       Nov_02   svc:/network/nfs/rquota:default
      offline        Nov_02   svc:/network/nfs/server:default
      # svcadm enable network/nfs/server
    • If the NFS service is running, restart the service.

      % svcs \*nfs\*
      online         Nov_02   svc:/network/nfs/client:default
      online         Nov_02   svc:/network/nfs/server:default
      # svcadm restart network/nfs/server

    For more information about the NFS service, refer to Setting Up NFS Services in System Administration Guide: Network Services. For information on managing persistent services, see Chapter 16, Managing Services (Overview), in System Administration Guide: Basic Administration and the smf(5) man page.