28 September 2024

Cleanup Oracle Solaris Audit files

Auditing is enabled by default on Solaris 11.4 and records security-related system events,
such as logins and reboots.

The audit files are stored in /var/share/audit.
Over time these files use quite some disk space:

# cd /var/share/audit/
# du -sh
18.3G   .

For later analysis, a backup of these files is recommended.
Maybe you have a central archive or security tools for this.

On the Solaris server there is no automatic cleanup
of these files. This should be done manually from time to time.

For example, to delete files older than 3 years:
find /var/share/audit -mtime +1095 -exec rm {} \;
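The find command above selects files purely by modification time and would also hand the currently active audit file to rm if its mtime were ever old enough. The following script is an added example, not part of the original post or of VDCF: it selects closed audit files by the end timestamp embedded in the file name (the standard Solaris naming is START.END.hostname for closed files and START.not_terminated.hostname for the active one), never touches the active file, and lists candidates before anything is deleted. The cutoff date is passed explicitly as YYYYMMDD, since Solaris date has no "-d '3 years ago'"; the directory path and the file names in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the post's own script): age-based cleanup of closed
# Solaris audit files, keyed on the END timestamp in the file name rather
# than on mtime. Assumed naming convention:
#   YYYYMMDDhhmmss.YYYYMMDDhhmmss.hostname   closed audit file
#   YYYYMMDDhhmmss.not_terminated.hostname   currently active file (kept)

# list_old_audit_files DIR CUTOFF
#   Prints one path per line for every closed audit file in DIR whose
#   end date (YYYYMMDD) is strictly before CUTOFF (YYYYMMDD).
list_old_audit_files() {
    dir=$1
    cutoff=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # skip subdirectories and symlink-less oddities
        name=${f##*/}
        start=${name%%.*}                  # first dotted field: start timestamp
        rest=${name#*.}
        end=${rest%%.*}                    # second dotted field: end timestamp or not_terminated
        # require a 14-digit start timestamp, otherwise it is not an audit file
        case "$start" in *[!0-9]*|'') continue ;; esac
        [ "${#start}" -eq 14 ] || continue
        # the active file is never a deletion candidate
        [ "$end" = "not_terminated" ] && continue
        case "$end" in *[!0-9]*|'') continue ;; esac
        [ "${#end}" -eq 14 ] || continue
        endday=$(printf '%s' "$end" | cut -c1-8)
        if [ "$endday" -lt "$cutoff" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# cleanup_audit_files DIR CUTOFF
#   Deletes the files selected by list_old_audit_files and prints the
#   number removed. Audit file names contain no whitespace, so plain
#   word splitting of the listing is safe here.
cleanup_audit_files() {
    n=0
    for f in $(list_old_audit_files "$1" "$2"); do
        rm -f "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Usage: sh cleanup_audit.sh /var/share/audit 20210928 [--delete]
# Without --delete the script only lists what would be removed (dry run).
if [ $# -ge 2 ]; then
    if [ "${3:-}" = "--delete" ]; then
        echo "deleted $(cleanup_audit_files "$1" "$2") audit file(s)"
    else
        list_old_audit_files "$1" "$2"
    fi
fi
```

Run the dry-run form first and compare the listing against what has already been archived; only then rerun with --delete. Keying on the embedded end timestamp also makes the cleanup robust against files whose mtime was reset by a restore or copy.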

If you are using JomaSoft VDCF, you can execute this on all your Solaris 11 Nodes:

# su
Password:
# echo "# cleanup audit files older than 3 years" >/var/opt/jomasoft/vdcf/config/script/cleanup_audit
# echo "find /var/share/audit -mtime +1095 -exec rm {} \;" >>/var/opt/jomasoft/vdcf/config/script/cleanup_audit

# exit
-bash-5.2$ config -c add type=SCRIPT name=cleanup_audit script=cleanup_audit os=11
Configuration SCRIPT successfully added.

-bash-5.2$ serverconfig -c exec servertype=node type=SCRIPT name=cleanup_audit
INFO: Servertype <node> selected, the following 'running' server are processed:
....

To learn more about Solaris auditing, take a look at the
documentation "Managing Auditing in Oracle Solaris 11.4":
https://docs.oracle.com/cd/E37838_01/html/E61027/index.html

Check out what you can do with JomaSoft VDCF:
https://www.jomasoft.com/vdcf/
