Go to main content

Managing Auditing in Oracle® Solaris 11.3

Exit Print View

Updated: April 2019
 
 

How to Create ZFS File Systems for Audit Files

This procedure shows how to create a ZFS pool for audit files, as well as the corresponding file systems and mount point. By default, /var/audit holds audit files for the audit_binfile plugin.

Before You Begin

You must become an administrator who is assigned the ZFS File System Management and ZFS Storage Management rights profiles. The latter profile enables you to create storage pools. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Determine the amount of disk space that is required.

    How much auditing you require dictates the disk space requirements.

    Note -  The default class preselection creates files in /var/audit that grow by about 80 bytes for every recorded instance of an event in the lo class, such as a login, logout, or role assumption.
  2. Create a mirrored ZFS storage pool.

    The zpool create command creates a storage pool, that is, a container for the ZFS file systems. For more information, see Chapter 1, Introducing the Oracle Solaris ZFS File System in Managing ZFS File Systems in Oracle Solaris 11.3.

    # zpool create audit-pool mirror disk1 disk2

    For example, create the auditp pool from two disks, c3t1d0 and c3t2d0, and mirror them.

    # zpool create auditp mirror c3t1d0 c3t2d0
  3. Create a ZFS file system and mount point for the audit files.

    You create the file system and mount point with one command. At creation, the file system is mounted. For example, the following illustration shows audit trail storage that is stored by host name.


    image:Graphic shows an audit root directory whose top directory names are host names. 
    # zfs create -o mountpoint=/mountpoint audit-pool/mountpoint

    For example, create the /audit mount point for the auditf file system.

    # zfs create -o mountpoint=/audit auditp/auditf
  4. Create a ZFS file system for the audit files. 
    # zfs create -p auditp/auditf/system

    For example, create an unencrypted ZFS file system for the sys1 system.

    # zfs create -p auditp/auditf/sys1
  5. (Optional) Create additional file systems for audit files.

    One reason to create additional file systems is to prevent audit overflow. You can set a ZFS quota per file system, as shown in Step 7. The audit_warn email alias notifies you when each quota is reached. To free space, you can move the closed audit files to a remote server.

    # zfs create -p auditp/auditf/sys1.1

# zfs create -p auditp/auditf/sys1.2
  6. Compress the audit files in the pool.

    Typically, compression is set in ZFS at the file system level. However, in this example, because all the file systems in this pool contain audit files, compression is set at the top-level dataset for the pool.

    # zfs set compression=on auditp

    See also Interactions Between ZFS Compression, Deduplication, and Encryption Properties in Managing ZFS File Systems in Oracle Solaris 11.3.

  7. Set quotas.

    You can set quotas at the parent file system, the descendant file systems, or both. If you set a quota on the parent audit file system, quotas on the descendant file systems impose an additional limit.

    1. Set a quota on the parent audit file system.

      In the following example, when both disks in the auditp pool reach the quota, the audit_warn script notifies the audit administrator.

      # zfs set quota=510G auditp/auditf
    2. Set a quota on the descendant audit file systems.

      In the following example, when the quota for the auditp/auditf/system file system is reached, the audit_warn script notifies the audit administrator.

      # zfs set quota=170G auditp/auditf/sys1

# zfs set quota=170G auditp/auditf/sys1.1

# zfs set quota=165G auditp/auditf/sys1.2
  8. For a large pool, limit the size of the audit files.

    By default, an audit file can grow to the size of the pool. For manageability, limit the size of the audit files. See Example 21, Limiting File Size for the audit_binfile Plugin.

Example 19  Creating an Encrypted File System for Audit Archiving

To comply with site security requirements, the administrator performs the following steps:

  1. Creates, if necessary, a new ZFS pool to store the encrypted audit logs.

  2. Generates an encryption key.

  3. Creates the audit file system with encryption turned on to store the audit logs, as well as sets the mount point.

  4. Configures auditing to use the encrypted directory.

  5. Refreshes the audit service to apply the new configuration settings.


# zpool create auditp mirror disk1 disk2


# pktool genkey keystore=file outkey=/filename keytype=aes keylen=256

# zfs create -o encryption=aes-256-ccm \
-o keysource=raw,file:///filename \
-o compression=on -o mountpoint=/audit auditp/auditf

# auditconfig -setplugin audit_binfile p_dir=/audit/

# audit -s

You must back up and protect the file where the key is stored, such as filename in the example.

When the administrator creates additional file systems under the auditf file system, these descendant file systems are also encrypted.

Example 20  Setting a Quota on /var/audit

In this example, the administrator sets a quota on the default audit file system. When this quota is reached, the audit_warn script warns the audit administrator.

# zfs set quota=252G rpool/var/audit
Copyright © 2002, 2019, Oracle and/or its affiliates. All rights reserved. 
Previous
Next