Audit files can grow large. You can set an upper limit to the size of a file, as shown in Example 20, Limiting File Size for the audit_binfile Plugin. In this procedure, you use compression to reduce the size.
Before You Begin
The root role can perform every task in this procedure.
If administrative rights are distributed in your organization, note the following:
An administrator who is assigned the solaris.admin.edit/etc/security/audit_class authorization can modify the file.
An administrator with the Audit Control rights profile can refresh the audit service.
An administrator with the ZFS File System Management rights profile can configure ZFS file systems.
An administrator with the ZFS Storage Management rights profile can create storage pools.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
For the procedure, see How to Create ZFS File Systems for Audit Files.
You can compress the audit file system in two different ways. After the audit service is refreshed, the compression ratio is displayed.
In the following examples, the ZFS pool auditp/auditf is the dataset.
$ pfbash ; zfs set compression=on auditp/auditf
$ audit -s
$ zfs get compressratio auditp/auditf
NAME           PROPERTY       VALUE  SOURCE
auditp/auditf  compressratio  4.54x  -
$ zfs set compression=gzip-9 auditp/auditf
$ zfs get compression auditp/auditf
NAME           PROPERTY     VALUE   SOURCE
auditp/auditf  compression  gzip-9  local
The gzip-9 compression algorithm results in files that occupy one-third less space than the default compression algorithm, lzjb. For more information, see Chapter 7, Managing Oracle Solaris ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.4.
$ audit -s
For example, if you used the higher compression algorithm, the information would be similar to the following:
$ zfs get compressratio auditp/auditf
NAME           PROPERTY       VALUE   SOURCE
auditp/auditf  compressratio  16.89x  -
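The following shell check is an added example, not part of Oracle's procedure: it reads zfs get output for the audit dataset and confirms both the compression algorithm and a minimum compression ratio. The function names and the threshold of 2 are assumptions; the sample input is constructed from the output shown in this procedure.

```shell
#!/bin/sh
# Added example: verify compression on the audit dataset from `zfs get` output.
# Function names and the minimum-ratio threshold are assumptions, not Oracle tooling.

# Print the VALUE column for DATASET/PROPERTY from `zfs get` output on stdin.
prop_value() {
    awk -v ds="$1" -v prop="$2" '
        $1 == ds && $2 == prop { print $3; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Succeed when a ratio such as "4.54x" is at least MIN.
ratio_at_least() {
    awk -v r="${1%x}" -v min="$2" 'BEGIN { exit ((r + 0 >= min + 0) ? 0 : 1) }'
}

# check_audit_compression DATASET ALGORITHM MIN_RATIO   (zfs get output on stdin)
# Returns 0 when both checks pass, 1 on a mismatch, 2 when a property row is missing.
check_audit_compression() {
    out=$(cat)
    algo=$(printf '%s\n' "$out" | prop_value "$1" compression) || return 2
    ratio=$(printf '%s\n' "$out" | prop_value "$1" compressratio) || return 2
    if [ "$algo" != "$2" ]; then
        echo "$1: compression is $algo, expected $2" >&2
        return 1
    fi
    if ! ratio_at_least "$ratio" "$3"; then
        echo "$1: compressratio $ratio is below ${3}x" >&2
        return 1
    fi
    echo "$1: compression=$algo compressratio=$ratio"
}

# Constructed sample input, assembled from the output shown in this procedure.
SAMPLE='NAME           PROPERTY       VALUE   SOURCE
auditp/auditf  compression    gzip-9  local
auditp/auditf  compressratio  16.89x  -'

printf '%s\n' "$SAMPLE" | check_audit_compression auditp/auditf gzip-9 2

# Live use on the audit host:
#   zfs get compression,compressratio auditp/auditf |
#       check_audit_compression auditp/auditf gzip-9 2
```

A nonzero exit status makes the check usable from a monitoring job that watches the audit file system.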