News, tips, partners, and perspectives for the Oracle Solaris operating system

Automated management of the Solaris Audit trail

Darren Moffat
Senior Software Architect

The Solaris audit_binfile(7) module for auditd lets you specify, by age (in hours, days, months, etc.) or by file size, when to close the currently active audit trail file and start a new one. This is intended to ensure that no single audit file grows too large.

What this doesn't do is provide a mechanism to automatically age out old audit records from closed audit files after a period of time. Using the SMF periodic service feature (svc.periodicd) and the auditreduce(8) record selection and merging facilities, we can very easily build some automation.

For this example I'm going to assume that the retention period can be expressed in days alone. That keeps the SMF periodic service simple and makes the conversion of the policy into arguments for auditreduce(8) nice and easy.

First create the method script in /lib/svc/method/site-audit-manage (making sure it is executable):

#!/bin/sh
/usr/sbin/auditreduce -D $(hostname) -a $(gdate -d "$1 days ago" +%Y%m%d)

This tells auditreduce to read the closed audit files, keep only the records dated at or after N days ago (-a selects records at or after the given date, so anything older is dropped), write them into one new file whose name carries the hostname as its suffix, and then delete the input files (-D). N is the number of days passed as the first argument.

Then we can use svcbundle(8) to turn that into a periodic service.

# svcbundle -i -s service-property=config:days:count:90 -s interval=month -s day_of_month=1 -s start-method="/lib/svc/method/site-audit-manage %{config/days}" -s service-name=site/audit-manage

That creates and installs a new periodic SMF service that runs on the first day of every month and executes the method script above with 90 as the number of days. If we later want to change the policy to 180 days, we can do that with svccfg (the refresh is what makes the service pick up the new property value):

# svccfg -s site/audit-manage setprop config/days = 180
# svccfg -s site/audit-manage refresh
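As an added example (not the post's own script, and not something Oracle ships), here is a hardened version of the method script together with a helper that installs the service with the svcbundle command above and reads the property back. It assumes the same layout as the post: auditreduce in /usr/sbin, GNU date available as gdate (it falls back to plain date so the date and validation helpers can be exercised on a Linux box), and the retention period arriving as the first argument via %{config/days}. The extra checks reject a non-numeric or zero retention value and a missing gdate with SMF_EXIT_ERR_CONFIG before anything is deleted, and report an auditreduce failure as SMF_EXIT_ERR_FATAL so it shows up in svcs -x rather than passing silently. The install_service and show_service function names are illustrative, not SMF commands, and cutoff_date takes an optional reference date (not part of the original one-liner) so the arithmetic can be checked against a fixed day.

```shell
#!/bin/sh
# Added example: hardened site-audit-manage method script (not the post's
# own script). Assumes /usr/sbin/auditreduce, GNU date as gdate, and the
# retention period in days as $1 (SMF expands %{config/days} into it).

# SMF exit codes: sourced from smf_include.sh under svc.startd, with the
# documented values as fallbacks so the helpers also run outside SMF.
if [ -r /lib/svc/share/smf_include.sh ]; then
    . /lib/svc/share/smf_include.sh
fi
: "${SMF_EXIT_OK:=0}"
: "${SMF_EXIT_ERR_FATAL:=95}"
: "${SMF_EXIT_ERR_CONFIG:=96}"

AUDITREDUCE=/usr/sbin/auditreduce

# GNU date is gdate on Solaris; fall back to date (GNU on Linux) for testing.
find_gdate() {
    command -v gdate 2>/dev/null && return 0
    command -v date 2>/dev/null
}

# Retention must be a positive integer number of days. An empty value, "90x"
# or "-1" is a configuration error; never let it reach auditreduce -D.
validate_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Cutoff as YYYYMMDD: $1 days before $2 (default: today). auditreduce -a keeps
# records dated at or after this, so everything older is aged out.
cutoff_date() {
    if [ -n "${2-}" ]; then
        "$(find_gdate)" -d "$2 $1 days ago" +%Y%m%d
    else
        "$(find_gdate)" -d "$1 days ago" +%Y%m%d
    fi
}

# Install the periodic service exactly as in the post and read back the
# property it will pass to the method (hypothetical helper names).
install_service() {
    svcbundle -i -s service-property=config:days:count:90 -s interval=month \
        -s day_of_month=1 \
        -s start-method="/lib/svc/method/site-audit-manage %{config/days}" \
        -s service-name=site/audit-manage
}
show_service() {
    svcprop -p config/days site/audit-manage
    svcs -l site/audit-manage
}

main() {
    days=$1
    if ! validate_days "$days"; then
        echo "site-audit-manage: retention must be a positive number of days, got '$days'" >&2
        exit "$SMF_EXIT_ERR_CONFIG"
    fi
    if [ -z "$(find_gdate)" ]; then
        echo "site-audit-manage: GNU date (pkg:/file/gnu-coreutils) is not installed" >&2
        exit "$SMF_EXIT_ERR_CONFIG"
    fi
    cutoff=$(cutoff_date "$days") || exit "$SMF_EXIT_ERR_FATAL"
    # -D deletes the input files only if the whole run succeeds; a non-zero
    # exit here surfaces the failure in svcs -x instead of losing it.
    if ! "$AUDITREDUCE" -D "$(hostname)" -a "$cutoff"; then
        echo "site-audit-manage: auditreduce reported an error; -D leaves the input files in place" >&2
        exit "$SMF_EXIT_ERR_FATAL"
    fi
    exit "$SMF_EXIT_OK"
}

# Run only when given an argument, so the file can be sourced for testing.
case "${1-}" in
    ?*) main "$1" ;;
esac
```

Install it as /lib/svc/method/site-audit-manage, run install_service once, and then show_service confirms that config/days holds the value the method will receive. Because the method exits with SMF_EXIT_ERR_CONFIG or SMF_EXIT_ERR_FATAL on the failure paths, a bad property value or a failed auditreduce run is visible in svcs -x rather than being discovered when the audit trail is needed.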

Note that the method script uses the GNU coreutils gdate command for the easy conversion of "N days ago". It is delivered in pkg:/file/gnu-coreutils, which is installed by default by the solaris-large-server and solaris-desktop group packages but not by solaris-small-server or solaris-minimal, so you may need to add it manually.

