During installation, the install team creates dedicated audit partition(s) when formatting the disks.
Use the naming convention /etc/security/audit/workstation_name(.n) for the mount points of the audit partitions.
A diskfull workstation should have at least one local audit directory, which it can use as a directory of last resort if it is unable to communicate with the audit server.
See "Audit Storage" for an explanation of the naming convention.
On an audit file server, most partitions hold audit files, as is shown in the following example of the egret audit file server:
| Disk | Slice | Mount point | Size |
|---|---|---|---|
| c0t2d0 | s0 | /etc/security/audit/egret | 1.0 GB |
| | s1 | /etc/security/audit/egret.1 | .98 GB |
| | s2 | entire disk | 1.98 GB |
| c0t2d1 | s0 | /etc/security/audit/egret.2 | 502 MB |
| | s1 | /etc/security/audit/egret.3 | 500 MB |
| | s2 | entire disk | 1002 MB |
Another disk holds egret's / (root) and /swap partitions.
On a diskfull workstation, including the audit administration server, at least one partition should be dedicated to local audit files, as is shown in the following example of the workstation willet:
| Disk | Slice | Mount point | Size (MB) |
|---|---|---|---|
| c0t3d0 | s0 | / | 70 |
| | s1 | swap | 180 |
| | s2 | entire disk | 1002 |
| | s3 | /usr | 350 |
| | s4 | /etc/security/audit/willet | 202 |
| | s7 | /export/home | 200 |
A rule of thumb is to assign 200 MB of space for each workstation. However, the disk space requirements at your site will be based on how much auditing you perform and may be far greater than this figure.
Fewer, larger partitions are more efficient than more, smaller ones.
To add a disk to hold audit partitions after installing the workstation, see the Solaris 7 System Administration Guide, Volume II. To protect the disks with Trusted Solaris security attributes, see Trusted Solaris Administrator's Procedures.
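The following is an added example, not part of the original guide: a shell check that reads `df -k`-style output and confirms that a workstation has at least one dedicated audit partition named by the /etc/security/audit/workstation_name(.n) convention, with total capacity meeting the 200 MB-per-workstation rule of thumb. The sample `df -k` lines (including the `willet.old` mount), the function names and the exit-code meanings are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify dedicated audit partitions from `df -k`-style input.
AUDIT_ROOT=/etc/security/audit
PER_WS_KB=204800   # 200 MB rule of thumb from the text, in KB

# Constructed sample in `df -k` column order; not output from a real system.
sample_df() {
cat <<'EOF'
Filesystem          kbytes   used  avail capacity Mounted on
/dev/dsk/c0t3d0s0    71680  40000  31680   56%    /
/dev/dsk/c0t3d0s3   358400 200000 158400   56%    /usr
/dev/dsk/c0t3d0s4   206848  10000 196848    5%    /etc/security/audit/willet
/dev/dsk/c0t3d0s5     1000    100    900   10%    /etc/security/audit/willet.old
/dev/dsk/c0t3d0s7   204800  50000 154800   25%    /export/home
EOF
}

# Print "mountpoint kbytes" for mounts named AUDIT_ROOT/HOST or AUDIT_ROOT/HOST.n
# (n numeric). Plain string comparison, so dots in HOST are not regex wildcards.
audit_mounts() {
    awk -v prefix="$AUDIT_ROOT/$1" 'NR > 1 {
        mp = $6
        if (mp == prefix) { print mp, $2; next }
        if (index(mp, prefix ".") == 1 &&
            substr(mp, length(prefix) + 2) ~ /^[0-9]+$/) print mp, $2
    }'
}

# Total KB across the host's audit partitions (0 if none).
audit_total_kb() { audit_mounts "$1" | awk '{ t += $2 } END { print t + 0 }'; }

# check_audit_layout HOST [N]: 0 = enough space for N workstations,
# 1 = no dedicated audit partition, 2 = partition(s) present but too small.
check_audit_layout() {
    host=$1; n=${2:-1}
    total=$(audit_total_kb "$host")
    need=$((n * PER_WS_KB))
    if [ "$total" -eq 0 ]; then
        echo "FAIL: no dedicated audit partition for $host"; return 1
    elif [ "$total" -lt "$need" ]; then
        echo "WARN: $host has ${total} KB of audit space, needs ${need} KB"; return 2
    fi
    echo "OK: $host has ${total} KB of audit space (needs ${need} KB)"
}

# Stand-alone run against the constructed sample (the willet layout passes).
sample_df | check_audit_layout willet
```

On a live system, pipe `df -k` into `check_audit_layout` in place of `sample_df`. Entries whose long device names wrap onto a second line are not handled by this example.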