You can use the attributes for the audit_binfile plugin to assign additional disk space to the audit trail.
You must become an administrator who is assigned the Audit Configuration rights profile to set these attribute values. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
The attributes of the audit_binfile plugin are described in the OBJECT ATTRIBUTES section of the audit_binfile(7) man page.
p_dir - Specifies where the audit files will be created. The directories are listed in the order in which they are to be used.
p_minfree - Defines the percentage of free space that the audit system requires before the audit daemon invokes the audit_warn script.
p_fsize - Defines the maximum size that an audit file can become before it is automatically closed and a new audit file is opened. The p_fsize value can be specified as an exact value in bytes or in a human-readable form with a suffix of B, K, M, G, T, P, E, Z (for bytes, kilobytes, megabytes, gigabytes, terabytes, petabytes, exabytes, or zettabytes, respectively). Suffixes of KB, MB, GB, TB, PB, EB, and ZB are also accepted.
See the following examples showing how to configure the audit space.
Caution - When you have finished making configuration changes, you must refresh the audit service. The auditconfig -setplugin command sets the configured value. This value is a property of the audit service, so it is restored when the service is refreshed or restarted. The configured value becomes active when the audit service is refreshed or restarted. For information about configured and active values, see the auditconfig(8) man page.
$ audit -s
In this example, the p_dir attribute is used to add directories.
/var/audit functions as the default file system.
$ auditconfig -setplugin audit_binfile p_dir=/audit/sys1.1,/var/audit
The preceding command sets the /audit/sys1.1 file system as the primary directory for audit files and the default /var/audit as the secondary directory. In this scenario, /var/audit functions as the directory of last resort. For this configuration to succeed, the /audit/sys1.1 file system must exist.
A similar file system is created in How to Create ZFS File Systems for Audit Files.
Example 20 Limiting File Size for the audit_binfile Plugin
In this example, the size of a binary audit file is set to a specific size. The size is specified in megabytes.
$ auditconfig -setplugin audit_binfile p_fsize=4M
$ auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_age=0h;p_dir=/var/audit;p_minfree=1;p_fsize=4M;
By default, an audit file can grow without limit. To create smaller audit files, the administrator specifies a file size limit of 4 MB. The audit service creates a new file when the size limit is reached. The file size limit goes into effect after the administrator refreshes the audit service.
$ audit -s
Example 21 Specifying Time for Log Rotation
In this example, a time limit is set for an audit file. The time limit is specified in terms of hours, days, weeks, months, or years.
$ auditconfig -setplugin audit_binfile p_age=1w
$ auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_minfree=1;p_fsize=4M;p_age=1w;
Queue size: 200
By default, an audit file has no time limit. The file remains open indefinitely until an external operation causes a file rotation. The administrator sets the file's time limit to one week, beyond which a new audit file is opened. To implement the new time limit, the administrator refreshes the audit service.
$ audit -s
Example 22 Specifying Several Changes to an Audit Plugin
In this example, the administrator on a system with high throughput and a large ZFS pool changes the binary file size and the soft limit warning for the audit_binfile plugin. The administrator allows audit files to grow to 4 GB and is warned when 2 percent of the ZFS pool remains. The audit file is also set to have a time limit of 2 weeks.
$ auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=2G;p_minfree=1;
$ auditconfig -setplugin audit_binfile \
"p_minfree=2;p_fsize=4G;p_age=2w" 200
$ auditconfig -getplugin audit_binfile
Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;p_age=2w
The changed specifications go into effect after the administrator refreshes the audit service.
$ audit -s
Example 23 Setting a Soft Limit for Warnings
In this example, the minimum free-space level for all audit file systems is set so that a warning is issued when two percent of the file system is still available.
$ auditconfig -setplugin audit_binfile p_minfree=2
The default percentage is one (1). For a large ZFS pool, choose a reasonably low percentage. For example, 10 percent of a 16 TB pool is around 16 GB, which would warn the audit administrator when plenty of disk space remains. A value of 2 sends the audit_warn message when about two GB of disk space remains.
The audit_warn email alias receives the warning. To set up the alias, see How to Configure the audit_warn Email Alias.
For a large pool, the administrator also limits the file size to 3 GB.
$ auditconfig -setplugin audit_binfile p_fsize=3G
The p_minfree and p_fsize specifications for the plugin go into effect after the administrator refreshes the audit service.
$ audit -s
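The following added example (not part of the Oracle documentation) checks the Attributes line printed by auditconfig -getplugin audit_binfile, in the format shown in the examples above, and reports any of the three limits that is still unset. The function names, the 1024-based suffix conversion, and the reading of a missing or zero value as "no limit" are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not Oracle's code. Input is text in the format printed by
# `auditconfig -getplugin audit_binfile` in the examples on this page.

# Constructed samples copied from the Example 20 and Example 22 output.
SAMPLE_EX20='Plugin: audit_binfile
Attributes: p_age=0h;p_dir=/var/audit;p_minfree=1;p_fsize=4M;'
SAMPLE_EX22='Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=4G;p_minfree=2;p_age=2w'

# Convert a p_fsize value to bytes. Handles plain bytes and the B, K, M, G, T
# suffixes (also KB, MB, GB, TB); larger suffixes are rejected here.
# Assumption: suffixes are powers of 1024.
fsize_to_bytes() {
    v=$1
    case $v in *[KMGT]B) v=${v%B} ;; esac
    n=${v%[BKMGT]}
    case $n in ''|*[!0-9]*) return 1 ;; esac
    case $v in
        *K) echo $((n * 1024)) ;;
        *M) echo $((n * 1024 * 1024)) ;;
        *G) echo $((n * 1024 * 1024 * 1024)) ;;
        *T) echo $((n * 1024 * 1024 * 1024 * 1024)) ;;
        *)  echo "$n" ;;
    esac
}

# Print the value of attribute $2 from getplugin output $1 (empty if absent).
get_attr() {
    printf '%s\n' "$1" | sed -n 's/^Attributes: *//p' | tr ';' '\n' |
        sed -n "s/^$2=//p"
}

# Print one finding per line; print nothing when every limit is set.
# Assumption: a missing attribute or a value of 0 means "no limit".
check_binfile() {
    fsize=$(get_attr "$1" p_fsize); age=$(get_attr "$1" p_age)
    minfree=$(get_attr "$1" p_minfree)
    bytes=$(fsize_to_bytes "${fsize:-0}") ||
        { echo "p_fsize: cannot parse '$fsize'"; bytes=1; }
    [ "$bytes" -eq 0 ] && echo "p_fsize: no size limit on audit files"
    case ${age:-0} in
        0|0[a-z]) echo "p_age: no time limit on an open audit file" ;;
    esac
    [ "${minfree:-0}" -ge 1 ] 2>/dev/null ||
        echo "p_minfree: no free-space warning threshold"
    return 0
}

check_binfile "$SAMPLE_EX20"
```

On a live system, pass the real output instead of a sample: check_binfile "$(auditconfig -getplugin audit_binfile)".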