Managing Auditing in Oracle® Solaris 11.4

Updated: February 2019

Configuring Audit Space for the Audit Trail and Audit Files

You can use the attributes for the audit_binfile plugin to assign additional disk space to the audit trail.

You must become an administrator who is assigned the Audit Configuration rights profile to set these attribute values. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

The attributes of the audit_binfile plugin are described in the OBJECT ATTRIBUTES section of the audit_binfile(7) man page.

p_dir attribute

Specifies where the audit files will be created. The directories are listed in the order in which they are to be used.

p_minfree attribute

Defines the percentage of free space that the audit system requires before the audit daemon invokes the audit_warn script.

p_fsize attribute

Defines the maximum size that an audit file can become before it is automatically closed and a new audit file is opened. The format of the p_fsize value can be specified as an exact value in bytes or in a human-readable form with a suffix of B, K, M, G, T, P, E, Z (for bytes, kilobytes, megabytes, gigabytes, terabytes, petabytes, exabytes, or zettabytes, respectively). Suffixes of KB, MB, GB, TB, PB, EB, and ZB are also accepted.

See the following examples showing how to configure the audit space.

Caution - When you have finished making configuration changes, you must refresh the audit service. The auditconfig -setplugin command sets the configured value. This value is a property of the audit service, so it is restored when the service is refreshed or restarted. The configured value becomes active when the audit service is refreshed or restarted. For information about configured and active values, see the auditconfig(8) man page.

$ audit -s

Example 19  Adding Directories to the Audit Trail

In this example, the p_dir attribute is used to add directories.

/var/audit functions as the default file system.

$ auditconfig -setplugin audit_binfile p_dir=/audit/sys1.1,/var/audit

The preceding command sets the /audit/sys1.1 file system as the primary directory for audit files and the default /var/audit as the secondary directory. In this scenario, /var/audit functions as the directory of last resort. For this configuration to succeed, the /audit/sys1.1 file system must exist.

A similar file system is created in How to Create ZFS File Systems for Audit Files.

Example 20  Limiting File Size for the audit_binfile Plugin

In this example, the size of a binary audit file is set to a specific size. The size is specified in megabytes.

$ auditconfig -setplugin audit_binfile p_fsize=4M

$ auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_age=0h;p_dir=/var/audit;p_minfree=1;p_fsize=4M;

By default, an audit file can grow without limit. To create smaller audit files, the administrator specifies a file size limit of 4 MB. The audit service creates a new file when the size limit is reached. The file size limit goes into effect after the administrator refreshes the audit service.

$ audit -s

Example 21  Specifying Time for Log Rotation

In this example, a time limit is set for an audit file. The time limit is specified in terms of hours, days, weeks, months, or years.

$ auditconfig -setplugin audit_binfile p_age=1w

$ auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_minfree=1;p_fsize=4M;p_age=1w;
Queue size: 200

By default, an audit file has no time limit. The file remains open indefinitely until an external operation causes a file rotation. The administrator sets the file's time limit to one week, beyond which a new audit file is opened. To implement the new time limit, the administrator refreshes the audit service.

$ audit -s

Example 22  Specifying Several Changes to an Audit Plugin

In this example, the administrator on a system with high throughput and a large ZFS pool changes the binary file size and the soft limit warning for the audit_binfile plugin. The administrator allows audit files to grow to 4 GB and is warned when 2 percent of the ZFS pool remains. The audit file is also set to have a time limit of 2 weeks.

$ auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=2G;p_minfree=1;

$ auditconfig -setplugin audit_binfile \
      "p_minfree=2;p_fsize=4G;p_age=2w" 200

$ auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;p_age=2w

The changed specifications go into effect after the administrator refreshes the audit service.

$ audit -s

Example 23  Setting a Soft Limit for Warnings

In this example, the minimum free-space level for all audit file systems is set so that a warning is issued when two percent of the file system is still available.

$ auditconfig -setplugin audit_binfile p_minfree=2

The default percentage is one (1). For a large ZFS pool, choose a reasonably low percentage. For example, 10 percent of a 16 TB pool is around 16 GB, which would warn the audit administrator when plenty of disk space remains. A value of 2 sends the audit_warn message when about two GB of disk space remains.

The audit_warn email alias receives the warning. To set up the alias, see How to Configure the audit_warn Email Alias.

For a large pool, the administrator also limits the file size to 3 GB.

$ auditconfig -setplugin audit_binfile p_fsize=3G

The p_minfree and p_fsize specifications for the plugin go into effect after the administrator refreshes the audit service.

$ audit -s
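
The following check is an added example, not part of Oracle's documentation: it reads the text printed by auditconfig -getplugin audit_binfile and reports settings that leave the audit trail unbounded or without a fallback directory. The function names, the sample inputs, and the policy choices (flagging a single p_dir entry, treating a missing or zero p_fsize or p_age as unlimited) are assumptions.

```shell
#!/bin/sh
# Added example: review `auditconfig -getplugin audit_binfile` output.

# attr_value ATTRS NAME: print NAME's value from "k=v;k=v;" (empty if absent).
attr_value() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p" | sed -n '1p'
}

# check_binfile OUTPUT: print one finding per line, nothing if all checks pass.
check_binfile() {
    attrs=$(printf '%s\n' "$1" | sed -n 's/^Attributes:[[:space:]]*//p')
    if [ -z "$attrs" ]; then
        echo "no Attributes line found"
        return 0
    fi

    dirs=$(attr_value "$attrs" p_dir)
    case "$dirs" in
        "")  echo "p_dir: not set" ;;
        *,*) : ;;   # two or more directories, used in the order listed
        *)   echo "p_dir: only $dirs, no directory of last resort" ;;
    esac

    # Assumption: a missing or zero p_fsize means no size limit (the default).
    fsize=$(attr_value "$attrs" p_fsize)
    case "$fsize" in
        ""|0|0[A-Za-z]*) echo "p_fsize: audit files grow without limit" ;;
    esac

    # p_age=0h is the default value shown in Example 20: no time limit.
    age=$(attr_value "$attrs" p_age)
    case "$age" in
        ""|0|0[A-Za-z]*) echo "p_age: no time limit, file stays open" ;;
    esac
}

# Constructed inputs. The first copies the Example 20 output on this page;
# the second combines the p_dir value of Example 19 with Example 22's limits.
SAMPLE_EX20='Plugin: audit_binfile
Attributes: p_age=0h;p_dir=/var/audit;p_minfree=1;p_fsize=4M;'
SAMPLE_BOUNDED='Plugin: audit_binfile
Attributes: p_dir=/audit/sys1.1,/var/audit;p_fsize=4G;p_minfree=2;p_age=2w'

check_binfile "$SAMPLE_EX20"
check_binfile "$SAMPLE_BOUNDED"
```

On a live system, pass the command output instead of a sample: check_binfile "$(auditconfig -getplugin audit_binfile)".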