test

System Administration Guide: Security Services

How to Create Partitions for Auditing

The following procedure shows how to create partitions for auditing, as well as the corresponding file systems and directories. Skip steps as necessary, depending on if you already have an empty partition, or if you have already mounted an empty file system.

  1. Become superuser or assume an equivalent role.

  2. Determine the amount of disk space that is required.

    Assign at least 200 Mbytes of disk space per host. However, the disk space requirements are based on how much auditing you perform. So, your requirements might be far greater than this figure. Remember to include a partition for a directory of last resort.

  3. Create dedicated audit partitions, as needed.

    This step is most easily done during server installation. You can also create the partitions on disks that have not yet been mounted on the server. For complete instructions on how to create the partitions, see “Creating a UFS File System” in System Administration Guide: Basic Administration.


    newfs /dev/rdsk/cwtxdysz

    Where /dev/rdsk/cwtxdysz is the raw device name for the partition.

    If the local host is to be audited, create an audit directory of last resort for it as well.

  4. Create mount points for each new partition.


    mkdir /var/audit/server-name.n

    Where server-name.n is the name of the server and a number that identifies each partition. The number is optional, but the number is useful when there are many audit directories.

  5. Add entries to automatically mount the new partitions.

    Add a line to the /etc/vfstab file that resembles the following:


    /dev/dsk/cwtxdysz /dev/rdsk/cwtxdysz /var/audit/server-name.n   ufs  2  yes

  6. (Optional) Remove the minimum free space threshold on each partition.

    If you use the default configuration, a warning will be generated when the directory is 80 percent full, so there is no reason to reserve free space on the partition.


    tunefs -m 0 /var/audit/server-name.n

  7. Mount the new audit partitions.


    mount /var/audit/server-name.n

  8. Create audit directories on the new partitions.


    mkdir /var/audit/server-name.n/files

  9. Correct the permissions on the mount points and new directories.


    chmod -R 750 /var/audit/server-name.n/files

  10. (Optional) On a file server, define the file systems to be made available to other hosts.

    Often, disk farms are installed to store the audit records. If an audit directory is to be used by several systems, then the directory must be shared through the NFS service. Add a entry resembling the following for each directory to the /etc/dfs/dfstab file.


    share -F nfs /var/audit/server-name.n/files

  11. (Optional) On a file server, restart the NFS service.

    If this command the first share command or set of share commands that you have initiated, it is probable that the NFS daemons are not running. The following commands kill the daemons and restart them. Refer to “Setting Up NFS Services” in System Administration Guide: Resource Management and Network Services for more information about the NFS service.


    # /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start

Example — Creating an Audit Directory of Last Resort

All systems that run the auditing service should have a local file system that can be used if no other file system is available. In this example, a file system is being added to a system named egret. Since this file system is only used locally, none of the steps for a file server are followed.


# newfs /dev/rdsk/c0t2d0
# mkdir /var/audit/egret
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret ufs  2  yes  -
# tunefs -m 0 /var/audit/egret
# mount /var/audit/egret
# mkdir /var/audit/egret/files
# chmod -R 750 /var/audit/egret/files

Example — Creating New Audit Partitions

In this example, a new file system is created on two new disks that are to be used by other systems in the network.


# newfs /dev/rdsk/c0t2d0
# newfs /dev/rdsk/c0t2d1
# mkdir /var/audit/egret.1
# mkdir /var/audit/egret.2
# grep egret /etc/vfstab
/dev/dsk/c0t2d0s1  /dev/rdsk/c0t2d0s1  /var/audit/egret.1 ufs  2  yes  -
/dev/dsk/c0t2d1s1  /dev/rdsk/c0t2d1s1  /var/audit/egret.2 ufs  2  yes  -
# tunefs -m 0 /var/audit/egret.1
# tunefs -m 0 /var/audit/egret.2
# mount /var/audit/egret.1
# mount /var/audit/egret.2
# mkdir /var/audit/egret.1/files
# mkdir /var/audit/egret.2/files
# chmod -R 750 /var/audit/egret.1/files /var/audit/egret.2/files
# grep egret /etc/dfs/dfstab
 share -F nfs /var/audit/egret.1/files
 share -F nfs /var/audit/egret.2/files
# /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start