Managing Auditing in Oracle® Solaris 11.2


Updated: July 2014

How to Assign Audit Space for the Audit Trail

In this procedure, you use attributes of the audit_binfile plugin to assign additional disk space to the audit trail.

Before You Begin

You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. Determine the attributes of the audit_binfile plugin.

    Read the OBJECT ATTRIBUTES section of the audit_binfile(5) man page.

    # man audit_binfile
    
    ...
    OBJECT ATTRIBUTES
    The p_dir attribute specifies where the audit files will be created.
    The directories are listed in the order in which they are to be used.
    
    The p_minfree attribute defines the percentage of free space that the
    audit system requires before the audit daemon invokes the audit_warn
    script.
    
    The p_fsize attribute defines the maximum size that an audit
    file can become before it is automatically closed and a new
    audit file is opened. ... The format of the p_fsize value can
    be specified as an exact value in bytes or in a human-readable
    form with a suffix of B, K, M, G, T, P, E, Z (for bytes,
    kilobytes, megabytes, gigabytes, terabytes, petabytes, exabytes,
    or zettabytes, respectively). Suffixes of KB, MB, GB, TB, PB, EB,
    and ZB are also accepted.
  2. To add directories to the audit trail, specify the p_dir attribute.

    The default file system is /var/audit.

    # auditconfig -setplugin audit_binfile p_dir=/audit/sys1.1,/var/audit
    

    The preceding command sets the /audit/sys1.1 file system as the primary directory for audit files and the default /var/audit file system as the secondary directory. In this scenario, /var/audit is the directory of last resort. For this configuration to succeed, the /audit/sys1.1 file system must exist.

    A similar file system is created in How to Create ZFS File Systems for Audit Files.

  3. Refresh the audit service.

    The auditconfig -setplugin command sets the configured value. Because this value is a property of the audit service, it persists across refreshes and restarts of the service; it becomes the active value only when the audit service is refreshed or restarted. For information about configured and active values, see the auditconfig(1M) man page.

    # audit -s
    
Example 4-3  Limiting File Size for the audit_binfile Plugin

In the following example, the size of a binary audit file is set to a specific size. The size is specified in megabytes.

# auditconfig -setplugin audit_binfile p_fsize=4M

# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;

By default, an audit file can grow without limit. To create smaller audit files, the administrator specifies a file size limit of 4 MB. The audit service creates a new file when the size limit is reached. The file size limit goes into effect after the administrator refreshes the audit service.

# audit -s
Example 4-4  Specifying Time for Log Rotation

In the following example, a time limit is set for an audit file. The time limit is specified in terms of hours, days, weeks, months, or years.

# auditconfig -setplugin audit_binfile "p_age=1w"

# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_age=1w;
Queue size: 200

By default, an audit file has no time limit. The file remains open indefinitely until an external operation causes a file rotation. The administrator sets the file's time limit to one week, beyond which a new audit file is opened. To implement the new time limit, the administrator refreshes the audit service.

# audit -s
Example 4-5  Specifying Several Changes to an Audit Plugin

In the following example, the administrator on a system with high throughput and a large ZFS pool changes the queue size, the binary file size, and the soft limit warning for the audit_binfile plugin. The administrator allows audit files to grow to 4 GB, is warned when 2 percent of the ZFS pool remains, and doubles the allowed queue size. The default queue size is the high water mark for the kernel audit queue, 100, as reported by the line active audit queue hiwater mark (records) = 100. The audit file is also given a time limit of 2 weeks.

# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=2G;p_minfree=1;

# auditconfig -setplugin audit_binfile \
      "p_minfree=2;p_fsize=4G;p_age=2w" 200

# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;p_age=2w;
Queue size: 200

The changed specifications go into effect after the administrator refreshes the audit service.

# audit -s
Example 4-6  Removing Queue Size for an Audit Plugin

In the following example, the queue size for the audit_binfile plugin is removed.

# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;
Queue size: 200

# auditconfig -setplugin audit_binfile "" 0

# auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;

The empty quotation marks ("") retain the current attribute values. The final 0 sets the queue size for the plugin to the default.

The change in qsize specification for the plugin goes into effect after the administrator refreshes the audit service.

# audit -s
Example 4-7  Setting a Soft Limit for Warnings

In this example, the minimum free-space level for all audit file systems is set so that a warning is issued when two percent of the file system is still available.

# auditconfig -setplugin audit_binfile p_minfree=2

The default percentage is one (1). For a large ZFS pool, choose a reasonably low percentage. For example, 10 percent of a 16 TB pool is about 1.6 TB, which would warn the audit administrator while plenty of disk space remains. A value of 2 sends the audit_warn message when about 320 GB remains, which still leaves ample room to act on the warning before the pool fills.

The audit_warn email alias receives the warning. To set up the alias, see How to Configure the audit_warn Email Alias.

For a large pool, the administrator also limits the file size to 3 GB.

# auditconfig -setplugin audit_binfile p_fsize=3G

The p_minfree and p_fsize specifications for the plugin go into effect after the administrator refreshes the audit service.

# audit -s
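The following POSIX shell script is an added example, not part of the Oracle Solaris documentation. It makes the sizing arithmetic of Example 4-7 and the attribute format from step 1 concrete: it parses the Attributes line that auditconfig -getplugin audit_binfile prints (from a constructed sample, not live output, so nothing here calls auditconfig), converts a p_fsize value with any of the byte suffixes from the audit_binfile(5) excerpt into bytes, and computes how much free space a p_minfree percentage leaves on a pool of a given size and how many full-size audit files fit before the warning fires. The 16 TB pool size is taken from Example 4-7; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: interpret the
# audit_binfile attributes this page sets. The sample below is constructed
# to match the getplugin output format shown above; it is not captured output.

SAMPLE_GETPLUGIN='Plugin: audit_binfile
Attributes: p_dir=/audit/sys1.1,/var/audit;p_fsize=4G;p_minfree=2;p_age=2w;
Queue size: 200'

TIB=1099511627776              # 1024^4 bytes
POOL_BYTES=$((16 * TIB))       # the "16 TB" pool of Example 4-7

# plugin_attr OUTPUT NAME: print the value of attribute NAME from getplugin output.
plugin_attr() {
    printf '%s\n' "$1" | sed -n 's/^Attributes: //p' | tr ';' '\n' | sed -n "s/^$2=//p"
}

# fsize_bytes VALUE: convert a p_fsize value to bytes. Accepts a bare byte
# count or a number with suffix B, K, M, G, T, P or E; KB, MB, ... are also
# accepted, as the man page says. Z is rejected: it overflows 64-bit arithmetic.
fsize_bytes() {
    num=$(printf '%s' "$1" | sed 's/[^0-9].*$//')
    suf=$(printf '%s' "$1" | sed 's/^[0-9]*//' | tr 'a-z' 'A-Z' | sed 's/B$//')
    [ -n "$num" ] || { echo "fsize_bytes: no number in '$1'" >&2; return 1; }
    case "$suf" in
        '') mult=1 ;;
        K)  mult=1024 ;;
        M)  mult=$((1024 * 1024)) ;;
        G)  mult=$((1024 * 1024 * 1024)) ;;
        T)  mult=$TIB ;;
        P)  mult=$((TIB * 1024)) ;;
        E)  mult=$((TIB * 1024 * 1024)) ;;
        *)  echo "fsize_bytes: unsupported suffix '$suf' in '$1'" >&2; return 1 ;;
    esac
    echo $((num * mult))
}

# minfree_bytes POOL_BYTES PERCENT: free space still left when audit_warn fires.
minfree_bytes() {
    echo $(( $1 * $2 / 100 ))
}

# files_before_warn POOL_BYTES PERCENT FSIZE: full-size audit files that fit
# on an otherwise empty pool before the p_minfree threshold is reached.
files_before_warn() {
    fs=$(fsize_bytes "$3") || return 1
    echo $(( ($1 - $1 * $2 / 100) / fs ))
}

# gib BYTES: whole GiB, for readable output.
gib() {
    echo $(( $1 / 1024 / 1024 / 1024 ))
}

# audit_space_report OUTPUT POOL_BYTES: summarize a plugin configuration
# against a pool of the given size.
audit_space_report() {
    out=$1; pool=$2
    fsize=$(plugin_attr "$out" p_fsize)
    minfree=$(plugin_attr "$out" p_minfree)
    echo "p_dir         : $(plugin_attr "$out" p_dir)"
    echo "p_fsize       : $fsize = $(fsize_bytes "$fsize") bytes"
    echo "p_minfree     : $minfree% of $(gib "$pool") GiB = $(gib "$(minfree_bytes "$pool" "$minfree")") GiB left when audit_warn runs"
    echo "files to warn : $(files_before_warn "$pool" "$minfree" "$fsize")"
}

audit_space_report "$SAMPLE_GETPLUGIN" "$POOL_BYTES"
```

Run on the sample, the report shows that p_minfree=2 on a 16 TB pool leaves about 327 GiB when the warning is sent, and that roughly 4014 files of 4 GB fit before that point; swap in the output of a real auditconfig -getplugin audit_binfile and the pool size from zpool list to check your own configuration.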