In this procedure, you use attributes of the audit_binfile plugin to assign additional disk space to the audit trail.
Before You Begin
You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
Read the OBJECT ATTRIBUTES section of the audit_binfile(5) man page.
# man audit_binfile
...
OBJECT ATTRIBUTES
    The p_dir attribute specifies where the audit files will be created. The directories are listed in the order in which they are to be used.
    The p_minfree attribute defines the percentage of free space that the audit system requires before the audit daemon invokes the audit_warn script.
    The p_fsize attribute defines the maximum size that an audit file can become before it is automatically closed and a new audit file is opened.
    ...
    The format of the p_fsize value can be specified as an exact value in bytes or in a human-readable form with a suffix of B, K, M, G, T, P, E, Z (for bytes, kilobytes, megabytes, gigabytes, terabytes, petabytes, exabytes, or zettabytes, respectively). Suffixes of KB, MB, GB, TB, PB, EB, and ZB are also accepted.
The default file system is /var/audit.
# auditconfig -setplugin audit_binfile p_dir=/audit/sys1.1,/var/audit
The preceding command sets the /audit/sys1.1 file system as the primary directory for audit files and the default /var/audit file system as the secondary directory. In this scenario, /var/audit is the directory of last resort. For this configuration to succeed, the /audit/sys1.1 file system must exist.
A similar file system is created in How to Create ZFS File Systems for Audit Files.
The auditconfig -setplugin command sets the configured value. This value is a property of the audit service, so it is restored when the service is refreshed or restarted. The configured value becomes active when the audit service is refreshed or restarted. For information about configured and active values, see the auditconfig(1M) man page.
# audit -s
In the following example, the size of a binary audit file is limited to a specific value. The size is specified in megabytes.
# auditconfig -setplugin audit_binfile p_fsize=4M
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;
By default, an audit file can grow without limit. To create smaller audit files, the administrator specifies a file size limit of 4 MB. The audit service creates a new file when the size limit is reached. The file size limit goes into effect after the administrator refreshes the audit service.
# audit -s
Example 4-4 Specifying Time for Log Rotation
In the following example, a time limit is set for an audit file. The time limit is specified in terms of hours, days, weeks, months, or years.
# auditconfig -setplugin audit_binfile "p_age=1w"
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_age=1w;
Queue size: 200
By default, an audit file has no time limit. The file remains open indefinitely until an external operation causes a file rotation. The administrator sets the file's time limit to one week, beyond which a new audit file is opened. To implement the new time limit, the administrator refreshes the audit service.
# audit -s
Example 4-5 Specifying Several Changes to an Audit Plugin
In the following example, the administrator on a system with high throughput and a large ZFS pool changes the queue size, the binary file size, and the soft limit warning for the audit_binfile plugin. The administrator allows audit files to grow to 4 GB, is warned when 2 percent of the ZFS pool remains, and doubles the allowed queue size. The default queue size is the high water mark for the kernel audit queue, 100, as shown in the line active audit queue hiwater mark (records) = 100. The audit file is also given a time limit of 2 weeks.
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=2G;p_minfree=1;
# auditconfig -setplugin audit_binfile \
"p_minfree=2;p_fsize=4G;p_age=2w" 200
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;p_age=2w;
Queue size: 200
The changed specifications go into effect after the administrator refreshes the audit service.
# audit -s
Example 4-6 Removing Queue Size for an Audit Plugin
In the following example, the queue size for the audit_binfile plugin is removed.
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;
Queue size: 200
# auditconfig -setplugin audit_binfile "" 0
# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;
The empty quotation marks ("") retain the current attribute values. The final 0 sets the queue size for the plugin to the default.
The change to the queue size specification for the plugin goes into effect after the administrator refreshes the audit service.
# audit -s
Example 4-7 Setting a Soft Limit for Warnings
In this example, the minimum free-space level for all audit file systems is set so that a warning is issued when two percent of the file system is still available.
# auditconfig -setplugin audit_binfile p_minfree=2
The default percentage is one (1). For a large ZFS pool, choose a reasonably low percentage. For example, 10 percent of a 16 TB pool is around 16 GB, which would warn the audit administrator when plenty of disk space remains. A value of 2 sends the audit_warn message when about two GB of disk space remains.
The audit_warn email alias receives the warning. To set up the alias, see How to Configure the audit_warn Email Alias.
For a large pool, the administrator also limits the file size to 3 GB.
# auditconfig -setplugin audit_binfile p_fsize=3G
The p_minfree and p_fsize specifications for the plugin go into effect after the administrator refreshes the audit service.
# audit -s
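The examples above all end with an auditconfig -getplugin audit_binfile listing whose Attributes line records the active limits. The following script, an added example that is not part of the Oracle documentation, parses that listing, converts a p_fsize value to bytes using the suffix rules from audit_binfile(5), and reports settings that leave the trail unbounded (no p_fsize, no p_age, or p_minfree left at the default of 1). The function names get_attr, fsize_bytes and check_binfile are this example's own, and the two listings it checks are constructed to match the output format shown above.

```shell
# Added example, not from the Oracle documentation: read the output of
# `auditconfig -getplugin audit_binfile`, extract single attributes, convert
# p_fsize to bytes, and flag settings that leave the audit trail unbounded.
# Runs offline on constructed sample output; on a live system, pass the real
# command output to check_binfile instead.

# Print the value of attribute $2 from the "Attributes:" line in $1
# (prints nothing when the attribute is not set).
get_attr() {
    printf '%s\n' "$1" | sed -n 's/^Attributes: //p' | tr ';' '\n' |
        sed -n "s/^$2=//p"
}

# Convert a p_fsize value to bytes: plain bytes, or a number with a
# B/K/M/G/T suffix (KB/MB/GB/TB also accepted), as audit_binfile(5) allows.
fsize_bytes() {
    num=${1%%[!0-9]*}          # leading digits
    suf=${1#"$num"}            # whatever follows them
    case "$(printf '%s' "$suf" | tr 'a-z' 'A-Z' | sed 's/B$//')" in
        '') mult=1 ;;
        K)  mult=1024 ;;
        M)  mult=1048576 ;;
        G)  mult=1073741824 ;;
        T)  mult=1099511627776 ;;
        *)  return 1 ;;        # P/E/Z are larger than this check needs
    esac
    echo $((num * mult))
}

# Warn about settings that let files grow or rotate uncontrolled; return 0
# only when p_fsize and p_age are set and p_minfree (default 1) is at least 2.
check_binfile() {
    rc=0
    fsize=$(get_attr "$1" p_fsize); age=$(get_attr "$1" p_age)
    minfree=$(get_attr "$1" p_minfree)
    [ -n "$fsize" ] || { echo "WARN: p_fsize unset, files grow without limit"; rc=1; }
    [ -n "$age" ] || { echo "WARN: p_age unset, rotation only by external action"; rc=1; }
    [ "${minfree:-1}" -ge 2 ] || { echo "WARN: p_minfree=${minfree:-1} warns late on a large pool"; rc=1; }
    return $rc
}

# Constructed sample output, modelled on the Attributes lines shown in the examples.
BEFORE='Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;'
AFTER='Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;p_age=2w;
Queue size: 200'
for out in "$BEFORE" "$AFTER"; do
    if check_binfile "$out"; then echo "OK: p_fsize=$(fsize_bytes "$(get_attr "$out" p_fsize)") bytes"; fi
done
```

Running it prints two warnings for the first listing and "OK: p_fsize=4294967296 bytes" for the second; the same check can be run after audit -s to confirm the refreshed configuration took effect.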