28 September 2024

Cleanup Oracle Solaris Audit files

Auditing is enabled by default on Solaris 11.4 and records security-related system events,
like logins, reboots, etc.

The audit files are stored in /var/share/audit.
Over time these files use quite a lot of disk space

# cd /var/share/audit/
# du -sh
18.3G   .

For later analysis a backup of these files is recommended.
Maybe you have a central archive or security tools for this.

On the Solaris server there is no automatic cleanup
of these files active. This should be done manually from time to time.

For example, to delete files older than 3 years:
find /var/share/audit -mtime +1095 -exec rm {} \;
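
The same cleanup with the recommended backup step built in, as an added example that is not part of the original post. The function name prune_audit and the archive directory argument are assumptions; the archive directory must be outside the audit directory, and the skip rule relies on Solaris naming the audit file that is still open with "not_terminated".

```shell
#!/bin/sh
# Added example, not from the original post. prune_audit is a hypothetical name.
# Usage: prune_audit AUDIT_DIR ARCHIVE_DIR [DAYS]
# Copies each audit file older than DAYS to ARCHIVE_DIR, verifies the copy,
# and only then deletes the original. Prints the number of files removed.
prune_audit() {
    audit_dir=$1
    archive_dir=$2
    days=${3:-1095}     # default: 3 years, as in the find command above

    [ -d "$audit_dir" ] || { echo "prune_audit: $audit_dir: not a directory" >&2; return 2; }
    mkdir -p "$archive_dir" || return 2
    list=$(mktemp) || return 2

    # -type f keeps directories away from rm.
    # Files named *.not_terminated.* are still open (or were left open by a
    # crash); they are skipped here regardless of age.
    find "$audit_dir" -type f -mtime +"$days" ! -name '*.not_terminated.*' >"$list"

    removed=0
    failed=0
    while IFS= read -r f; do
        dest=$archive_dir/$(basename "$f")
        # cp -p preserves timestamps; cmp -s confirms the archive copy is identical
        if cp -p "$f" "$dest" && cmp -s "$f" "$dest"; then
            rm -f "$f" && removed=$((removed + 1))
        else
            echo "prune_audit: could not archive $f, file kept" >&2
            failed=$((failed + 1))
        fi
    done <"$list"
    rm -f "$list"

    echo "$removed"
    [ "$failed" -eq 0 ]     # non-zero exit status if any file could not be archived
}
```

A file that cannot be copied or verified is left in place, so a full or unreachable archive never causes audit records to be lost.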

If you are using JomaSoft VDCF you can execute this on all your Solaris 11 Nodes

# su
Password:
# echo "# cleanup audit files older than 3 years" >/var/opt/jomasoft/vdcf/config/script/cleanup_audit
# echo "find /var/share/audit -mtime +1095 -exec rm {} \;" >>/var/opt/jomasoft/vdcf/config/script/cleanup_audit

# exit
-bash-5.2$ config -c add type=SCRIPT name=cleanup_audit script=cleanup_audit os=11
Configuration SCRIPT successfully added.

-bash-5.2$ serverconfig -c exec servertype=node type=SCRIPT name=cleanup_audit
INFO: Servertype <node> selected, the following 'running' server are processed:
....

To learn more about Solaris Auditing, take a look at the
document "Managing Auditing in Oracle Solaris 11.4"
https://docs.oracle.com/cd/E37838_01/html/E61027/index.html

Check out what you can do with JomaSoft VDCF
https://www.jomasoft.com/vdcf/

21 August 2024

New Features in Solaris 11.4 SRU72 (Aug 2024)

Another quarterly Solaris SRU including new features

System Account Check Service (svc:/system/check/user)
iostat sstore collection
Per-disk kstats for vds/zvblk
WebUI - LDom sheets
ZFS clonedir

FOSS: +suricata (IDS)

EOF: Python 3.7, Tomcat 8.5, Perl 5.36, Snort


Find details on the Oracle Solaris Blog

 

31 July 2024

Oracle Solaris ASR troubleshooting

In a few cases I expected an ASR SR would be opened, but it did not happen.
If there are special characters in the fault the ASR manager
can't handle the request.

This can be found in the ASR Manager log

/var/opt/asrmanager/log/asr-http.log

To make ASR work correctly you have to remove the old "bad"
xml files from the ASR client.

# pwd
/var/fm/asr/msgs

# ls -tlr
total 1827
-rw-r--r--   1 noaccess noaccess    3136 Jul 30 22:32 heartbeat.xml
-rw-r--r--   1 noaccess noaccess  910240 Jul 30 22:33 audit.xml
-rw-r--r--   1 noaccess noaccess   10604 Jul 31 10:43 fault-f680bb98-d016-4259-bc00-941858fcaced.xml

# rm fault-*.xml



25 June 2024

How to send files to Oracle Support SR using ASR Manager

Most of the time it is required to attach additional files to Oracle Support cases,
for example ILOM/XSCF snapshots or log files.

If you use the ASR Manager on Solaris it is very easy to attach
additional files. It includes a transport tool. There is no need to copy files to
your local machine and upload them using a browser.

Check if you use the ASR Manager

# svcs |grep asrm
online         2024-05-08T17:29:45 svc:/application/management/asrm:default

You can just copy your files into this directory

/var/opt/asrmanager/sftransport/transfer/

The files need to start with your SR-Number, for example
3-31234567890.mylogfile

The files are transported to Oracle Support and attached
to your SR every 10 minutes.

You can check the state using

/opt/asrmanager/bin/sftransport info


24 May 2024

New Features in Solaris 11.4 SRU69 (May 2024)

Another quarterly Solaris SRU including new features

sshd_config.d/*.conf
zoneadm log
autofs SMF refresh
ps -I (ISO 8601 format)
svccfg setnotify from= header
svc:/network/ldap/identity:openldap
modinfo -x