Trusted Solaris Audit Administration

Audit Files Backup and Recovery

Audit files occupy disk space, which must be freed regularly to make room for subsequent audit files. By default, the role oper handles audit file backup via the profile Media Backup, and the role admin handles audit file restore via the profile Media Restore.

To Back Up Audit Files

  1. As the role oper in an admin_high workspace, go to the workstation's audit files directory.


    $ cd /etc/security/audit/workstation_name[.n]/files
    
  2. Allocate, at the label admin_high, the tape drive that you are going to use for backup.

    If you are unfamiliar with device allocation, see "To Allocate and Deallocate Devices".

  3. Use the tar(1) command to copy the completed audit files and their Trusted Solaris security attributes, such as the label, to the tape.

    For example,


    $ tar cvT \
    /etc/security/audit/workstation_name/files/19980413120429.19980413180433.grebe \
    /etc/security/audit/workstation_name/files/19980502120429.19980502180433.grebe \
    /etc/security/audit/workstation_name/files/19980513120429.19980513180433.grebe
    
  4. Deallocate the tape drive when finished, remove the tape, and label it admin_high.

  5. At the same time, in an admin_low workspace, back up system files that capture information about the users, labels, roles, and execution profiles on the workstation.

    Store the audit tapes with the current system information tape(s).

  6. As root, at label admin_high, remove the audit files that have been backed up.

    For example,


    $ rm \
    /etc/security/audit/workstation_name/files/19980413120429.19980413180433.grebe \
    /etc/security/audit/workstation_name/files/19980502120429.19980502180433.grebe \
    /etc/security/audit/workstation_name/files/19980513120429.19980513180433.grebe
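
    The selection and cleanup behind steps 3 and 6, as an added example that is not part of the Trusted Solaris manual: it hands tar(1) and rm only those files whose names show a completed audit interval, and removes nothing unless tar succeeded. Assumed here, beyond what the manual states: the start.end.host naming seen in the examples, the not_terminated end field for the file still being written, and the TAR variable, which is this example's hook for rehearsing without a tape.

```shell
# Added example, not from the Trusted Solaris manual: select the completed
# audit files in a workstation's audit "files" directory so that only those
# are passed to "tar cvT" and, once tar has succeeded, to "rm". Assumed here:
# completed files are named <start>.<end>.<host> with two 14-digit timestamps
# (YYYYMMDDhhmmss), as the manual shows, and the file still being written
# carries "not_terminated" in place of the end timestamp.

# Return 0 when $1 is exactly 14 decimal digits.
is_timestamp() {
    case $1 in
        *[!0-9]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 14 ]
}

# Return 0 when NAME has the form of a completed audit file.
audit_file_completed() {
    name=$1
    start=${name%%.*}; rest=${name#*.}
    end=${rest%%.*};   host=${rest#*.}
    # fewer than two dots: not an audit file name at all
    [ "$rest" != "$name" ] && [ "$host" != "$rest" ] || return 1
    is_timestamp "$start" && is_timestamp "$end" || return 1
    # the end stamp must not precede the start stamp
    [ "$end" -ge "$start" ] && [ -n "$host" ]
}

# Print the completed audit files in DIR, one per line, in name order
# (chronological order under this naming scheme).
list_completed_audit_files() {
    for path in "$1"/*; do
        [ -f "$path" ] || continue
        audit_file_completed "${path##*/}" && printf '%s\n' "$path"
    done
    return 0
}

# Back up the completed audit files in DIR with "tar cvT" and remove them only
# after tar reports success; the file still being written is never touched.
# TAR is this example's hook (default "tar cvT") for rehearsing without a tape.
backup_completed_audit_files() {
    dir=$1
    set --
    for path in "$dir"/*; do
        [ -f "$path" ] && audit_file_completed "${path##*/}" && set -- "$@" "$path"
    done
    [ "$#" -gt 0 ] || { echo "no completed audit files in $dir" >&2; return 1; }
    ${TAR:-tar cvT} "$@" || return 1
    rm "$@"
}
```

    Run it from the admin_high workspace after the tape drive has been allocated, passing the workstation's audit files directory as DIR.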
    

To Restore Audit Files

  1. As role admin, in an admin_high workspace, go to the directory where the audit files are to be placed.


    $ cd /etc/security/audit/workstation_name[.n]/reports
    
  2. Allocate, at the label admin_high, the tape drive that you are going to use to restore the files.

    If you are unfamiliar with device allocation, see "To Allocate and Deallocate Devices".

  3. Use the tar(1) command to copy the audit files and their Trusted Solaris security attributes, such as the label, from the tape.

    For example,


    $ tar xvT \
    /etc/security/audit/workstation_name/files/19980513120429.19980513180433.grebe
    
  4. Deallocate the tape drive when finished and follow the Device Manager's instructions.

  5. Use the restored audit files.

    You may need to restore or refer to other system information from the audit backup's associated system backup.

  6. As role admin, at label admin_high, remove the audit files when you are done.


    $ rm \
    /etc/security/audit/workstation_name/reports/19980513120429.19980513180433.grebe