Trusted Solaris Audit Administration

Audit Storage

On every system, the /etc/security/audit directory contains subdirectories with all the audit log files. The /etc/security directory contains files related to audit configuration. Because the /etc/security directory contains the per-system audit_data file, which is used by the audit daemon at boot time, the /etc/security directory must be part of the root file system.

The audit postselection tools look in directories under /etc/security/audit by default. For this reason, the pathname of the mount point for the first audit file system on an audit server is in the form: /etc/security/audit/server-name (where server-name is the name of the audit server). If more than one audit partition is on an audit server, the name of the second mount point is: /etc/security/audit/server-name.1, the third is /etc/security/audit/server-name.2, and so forth.

For example, the names of the audit file systems available on the audit file server audubon are /etc/security/audit/audubon and /etc/security/audit/audubon.1.

Each audit file system has a subdirectory named files. This files subdirectory is where the audit files are located and where the auditreduce command looks for them. For example, the audit file system on audit server audubon has a files subdirectory whose full pathname is: /etc/security/audit/audubon/files.

The local audit_control file on each system directs the audit daemon to put the audit files in the files subdirectory. For example, the dir: line for the audit_control file on a system mounting the audit file system from eagle is:

dir: /etc/security/audit/eagle/files

The extra level of hierarchy prevents a system's local root file system from filling with audit files when, for whatever reason, the audit file system cannot be mounted from the audit server. The files subdirectory exists only on the audit server's file system; if the mount fails, all that exists locally is the empty mount point /etc/security/audit/server-name[.suffix], with no files subdirectory beneath it, so the audit daemon cannot unintentionally create audit files in the local mount-point directory. Clients use the same naming convention, /etc/security/audit/client-name, for their own local audit log files.

Permissions on Audit Directories

In a Trusted Solaris environment, audit directories, such as the /etc/security/audit/system_name directory and the files directory directly beneath it, should be protected at the label admin_high. Permissions should be 750.
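The following POSIX shell script is an added example, not part of the Trusted Solaris documentation. It checks every dir: entry of an audit_control file against the conventions described above: the path must be of the form /etc/security/audit/server-name[.n]/files, the files subdirectory must actually be present (after a failed mount only the bare mount point exists locally), and both the server-name directory and its files subdirectory must have mode 750. To run anywhere, it also builds a constructed tree under a temporary directory instead of touching /etc/security; the AUDIT_ROOT variable, the function names and the demo layout are assumptions for illustration (the host names eagle and audubon are the page's own examples). The admin_high label cannot be verified outside Trusted Solaris and is left to the administrator.

```shell
#!/bin/sh
# Added example; not from the Trusted Solaris documentation.
# Checks the dir: entries of an audit_control file against the layout the
# page describes:
#   - each entry must be $AUDIT_ROOT/<server-name>[.<n>]/files
#   - the files subdirectory must exist (after a failed mount only the bare
#     mount point exists locally, so auditd has nowhere to write)
#   - both the server-name directory and files must have mode 750
# AUDIT_ROOT defaults to the real location and is overridden for the
# constructed demo tree. The admin_high label is not checked here.

AUDIT_ROOT=${AUDIT_ROOT:-/etc/security/audit}

# check_dir_entry DIR
# Prints OK, BAD_NAME, NOT_MOUNTED or BAD_MODE; returns 0 only for OK.
check_dir_entry() {
    dir=$1
    parent=$(dirname "$dir")
    server=$(basename "$parent")
    # Layout: last component "files", grandparent is the audit root.
    if [ "$(basename "$dir")" != files ] || [ "$(dirname "$parent")" != "$AUDIT_ROOT" ]; then
        echo BAD_NAME; return 1
    fi
    # Server component: host name plus an optional .<digits> suffix
    # (audubon, audubon.1, audubon.2 ...). Unqualified names are assumed.
    name=${server%%.*}
    suffix=${server#"$name"}
    [ -n "$name" ] || { echo BAD_NAME; return 1; }
    case $suffix in
        "") ;;
        *) case ${suffix#.} in ""|*[!0-9]*) echo BAD_NAME; return 1 ;; esac ;;
    esac
    # The files subdirectory lives on the audit server's file system; if the
    # mount did not happen it is absent on the client.
    [ -d "$dir" ] || { echo NOT_MOUNTED; return 1; }
    # Mode check through ls -ld, which is portable between Solaris and Linux
    # (stat's option syntax is not). Mode 750 prints as drwxr-x---.
    for p in "$parent" "$dir"; do
        [ "$(ls -ld "$p" | cut -c1-10)" = "drwxr-x---" ] || { echo BAD_MODE; return 1; }
    done
    echo OK
}

# check_audit_control FILE
# Runs check_dir_entry over every dir: line of FILE, printing one
# "<dir> <result>" line per entry; returns 0 only when every entry is OK.
check_audit_control() {
    rc=0
    for d in $(sed -n 's/^dir:[[:space:]]*//p' "$1"); do
        if r=$(check_dir_entry "$d"); then :; else rc=1; fi
        printf '%s %s\n' "$d" "$r"
    done
    return $rc
}

# make_demo_tree
# Builds a constructed audit tree under a temporary directory and points
# AUDIT_ROOT at it: eagle mounted correctly, audubon with a failed mount
# (bare mount point, no files subdirectory), audubon.1 mounted but with
# files left at mode 755, plus a dir: entry outside the audit root to
# exercise the naming check. Sets DEMO_DIR and DEMO_CONTROL for the caller.
make_demo_tree() {
    DEMO_DIR=$(mktemp -d)
    AUDIT_ROOT=$DEMO_DIR/audit
    DEMO_CONTROL=$DEMO_DIR/audit_control
    mkdir -p "$AUDIT_ROOT/eagle/files" "$AUDIT_ROOT/audubon" "$AUDIT_ROOT/audubon.1/files"
    chmod 750 "$AUDIT_ROOT/eagle" "$AUDIT_ROOT/eagle/files" "$AUDIT_ROOT/audubon" "$AUDIT_ROOT/audubon.1"
    chmod 755 "$AUDIT_ROOT/audubon.1/files"
    cat >"$DEMO_CONTROL" <<EOF
dir: $AUDIT_ROOT/eagle/files
dir: $AUDIT_ROOT/audubon/files
dir: $AUDIT_ROOT/audubon.1/files
dir: $DEMO_DIR/var/audit
flags: lo
minfree: 20
EOF
}

# Usage: sh check_audit_dirs.sh --demo
#        sh check_audit_dirs.sh /etc/security/audit_control
case ${1:-} in
    --demo)
        make_demo_tree
        rc=0
        check_audit_control "$DEMO_CONTROL" || rc=$?
        rm -rf "$DEMO_DIR"
        exit $rc ;;
    "") ;;
    *) check_audit_control "$1" ;;
esac
```

On a real Trusted Solaris client the script is pointed at /etc/security/audit_control with AUDIT_ROOT left at its default; a NOT_MOUNTED result for a dir: entry is exactly the failed-mount situation the files subdirectory is there to guard against, and a BAD_MODE result means the 750 permission requirement is not met.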