The Audit Configuration, Audit Control and ZFS File System Management profiles are required.
This action applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Determine the audit system directory name:
# pfexec auditconfig -getplugin audit_binfile
The output of the command will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;
p_dir defines the current audit file system.
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
Set a minimum percentage of free space on the audit_binfile plugin to 2%.
# pfexec auditconfig -setplugin audit_binfile p_minfree=2
Restart the audit system.
# pfexec audit -s
Enable compression for the audit filesystem.
# pfexec zfs set compression=on [poolname/filesystemname]
Set a ZFS quota on the default /var/share filesystem for audit records to ensure that the root pool is not filled up with audit logs.
# pfexec zfs set quota=XXG [poolname/filesystemname]
This command sets the quota to XX gigabytes. This value should be based upon organizational requirements.
Set a ZFS reservation on the default /var/share filesystem for audit records to ensure that the audit file system is guaranteed a fixed amount of storage.
# pfexec zfs set reservation=XXG [poolname/filesystemname]
This command sets the reservation to XX gigabytes. This value should be based upon organizational requirements.
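To confirm the settings took effect, the following added example (not part of the original procedure) parses the Attributes line shown above and the tab-separated output of "zfs get -H -o property,value". The function names get_attr, check_minfree and check_zfs_props are hypothetical, and the sample outputs are constructed.

```shell
# Added example. get_attr, check_minfree and check_zfs_props are hypothetical helpers.

# get_attr NAME: read "auditconfig -getplugin" output on stdin, print NAME's value
get_attr() {
    sed -n 's/^[[:space:]]*Attributes:[[:space:]]*//p' |
        tr ';' '\n' |
        awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# check_minfree REQUIRED: return 0 if p_minfree >= REQUIRED, 1 if lower,
# 2 if the attribute is missing or not a number
check_minfree() {
    val=$(get_attr p_minfree)
    case "$val" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$val" -ge "$1" ]
}

# check_zfs_props: read "property<TAB>value" lines on stdin; print the
# properties that are still unset and return 1, or print nothing and return 0
check_zfs_props() {
    awk -F'\t' '
        { val[$1] = $2 }
        END {
            if (val["compression"] == "" || val["compression"] == "off") bad = bad " compression"
            if (val["quota"] == "" || val["quota"] == "none") bad = bad " quota"
            if (val["reservation"] == "" || val["reservation"] == "none") bad = bad " reservation"
            if (bad != "") { print substr(bad, 2); exit 1 }
        }'
}

# Constructed sample: plugin output before the -setplugin step (p_minfree=1)
SAMPLE_BEFORE='Plugin: audit_binfile (active)
    Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=1;'
# Constructed sample: plugin output after the -setplugin step (p_minfree=2)
SAMPLE_AFTER='Plugin: audit_binfile (active)
    Attributes: p_dir=/var/audit;p_fsize=4M;p_minfree=2;'

# On a live system, in the global zone, feed the real commands instead:
#   pfexec auditconfig -getplugin audit_binfile | check_minfree 2
#   pfexec zfs get -H -o property,value compression,quota,reservation \
#       [poolname/filesystemname] | check_zfs_props
```

A non-zero return from either check means the corresponding step above has not been applied to the running configuration.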