This procedure shows how to create a ZFS pool for audit files, as well as the corresponding file systems and mount point. By default, /var/audit holds audit files for the audit_binfile plugin.
Before You Begin
You must become an administrator who is assigned the ZFS File System Management and ZFS Storage Management rights profiles. The latter profile enables you to create storage pools. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
The amount of auditing you require determines the disk space requirements.
The zpool create command creates a storage pool, that is, a container for the ZFS file systems. For more information, see Chapter 1, Introducing the Oracle Solaris ZFS File System in Managing ZFS File Systems in Oracle Solaris 11.4.
For example, create the auditp pool from two disks, c3t1d0 and c3t2d0, and mirror them.
$ zpool create auditp mirror c3t1d0 c3t2d0
You create the file system and mount point with one command. At creation, the file system is mounted.
For example, create the /audit mount point for the auditf file system.
$ zfs create -o mountpoint=/audit auditp/auditf
For example, create an unencrypted ZFS file system for the sys1 system.
$ zfs create -p auditp/auditf/sys1
One reason to create additional file systems is to prevent audit overflow. You can set a ZFS quota per file system, as shown in Step 7. The audit_warn email alias notifies you when each quota is reached. To free space, you can move the closed audit files to a remote server.
$ zfs create -p auditp/auditf/sys1.1
$ zfs create -p auditp/auditf/sys1.2
Typically, compression is set in ZFS at the file system level. However, in this example, because all the file systems in this pool contain audit files, compression is set at the top-level dataset for the pool.
$ zfs set compression=on auditp
You can set quotas at the parent file system, the descendant file systems, or both. If you set a quota on the parent audit file system, quotas on the descendant file systems impose an additional limit.
In the following example, when both disks in the auditp pool reach the quota, the audit_warn script notifies the audit administrator.
$ zfs set quota=510G auditp/auditf
In the following example, when the quota for the auditp/auditf/system file system is reached, the audit_warn script notifies the audit administrator.
$ zfs set quota=170G auditp/auditf/sys1
$ zfs set quota=170G auditp/auditf/sys1.1
$ zfs set quota=165G auditp/auditf/sys1.2
By default, an audit file can grow to the size of the pool. For manageability, limit the size of the audit files. See Example 20, Limiting File Size for the audit_binfile Plugin.
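The quota steps above leave one check to the administrator: the descendant quotas (170G + 170G + 165G) must fit under the parent quota (510G), or the parent limit is reached before the audit_warn alias for a descendant ever fires. The following POSIX shell script is an added example, not part of the Oracle Solaris documentation: it performs that check on a constructed layout and then prints (or, with ZFS_CMD=zfs on a Solaris host, runs) the same zfs commands as the procedure.

```shell
#!/bin/sh
# Added example: plan audit datasets and verify that descendant quotas fit
# under the parent quota. ZFS_CMD is an assumed variable; it defaults to
# "echo zfs" so the commands are printed rather than executed.

# Convert a ZFS size such as 510G or 2T to an integer number of gibibytes.
to_gib() {
    case "$1" in
        *T) echo $(( ${1%T} * 1024 )) ;;
        *G) echo "${1%G}" ;;
        *)  echo "unsupported size: $1" >&2; return 1 ;;
    esac
}

# Sum the quotas in a list of "dataset=quota" pairs, in GiB.
sum_quotas() {
    total=0
    for pair in "$@"; do
        q=$(to_gib "${pair#*=}") || return 1
        total=$(( total + q ))
    done
    echo "$total"
}

# Return 0 when the descendant quotas fit inside the parent quota, 1 otherwise.
quotas_fit() {
    parent_quota=$1; shift
    parent=$(to_gib "$parent_quota") || return 1
    used=$(sum_quotas "$@") || return 1
    [ "$used" -le "$parent" ]
}

# Compression on the pool, quota on the parent audit file system, then one
# descendant file system per audited system with its own quota.
plan_audit_datasets() {
    pool=$1; parent_fs=$2; parent_quota=$3; shift 3
    quotas_fit "$parent_quota" "$@" || {
        echo "descendant quotas exceed $parent_quota on $parent_fs" >&2
        return 1
    }
    ${ZFS_CMD:-echo zfs} set compression=on "$pool"
    ${ZFS_CMD:-echo zfs} set quota="$parent_quota" "$parent_fs"
    for pair in "$@"; do
        ${ZFS_CMD:-echo zfs} create -p "$parent_fs/${pair%%=*}"
        ${ZFS_CMD:-echo zfs} set quota="${pair#*=}" "$parent_fs/${pair%%=*}"
    done
}

# Constructed layout from this procedure: 170G + 170G + 165G = 505G fits in 510G.
plan_audit_datasets auditp auditp/auditf 510G sys1=170G sys1.1=170G sys1.2=165G
```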
To comply with site security requirements, the administrator performs the following steps:
Creates, if necessary, a new ZFS pool to store the encrypted audit logs.
Generates an encryption key.
Creates the audit file system with encryption turned on to store the audit logs, as well as sets the mount point.
Configures auditing to use the encrypted directory.
Refreshes the audit service to apply the new configuration settings.
$ zpool create auditp mirror disk1 disk2
$ pktool genkey keystore=file outkey=/filename keytype=aes keylen=256
$ zfs create -o encryption=aes-256-ccm \
    -o keysource=raw,file:///filename \
    -o compression=on -o mountpoint=/audit auditp/auditf
$ auditconfig -setplugin audit_binfile p_dir=/audit/
$ audit -s
You must back up and protect the file where the key is stored, such as filename in the example.
When the administrator creates additional file systems under the auditf file system, these descendant file systems are also encrypted.