Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-71-2250589.1
Update Date:2017-03-31
Keywords:
Solution Type  Technical Instruction Sure

Solution  2250589.1 :   Oracle SuperCluster Best Practice: Audit Log in Dataset with a quota  

Related Items 
    

  • Oracle SuperCluster M7 Hardware
    •  
  • Oracle SuperCluster M6-32 Hardware
    •  
  • Oracle SuperCluster T5-8 Hardware
    •  
  • Oracle SuperCluster Specific Software
    •  
  • Oracle SuperCluster T5-8 Half Rack
    •  
  • SPARC SuperCluster T4-4 Half Rack
    •  
  • Oracle SuperCluster T5-8 Full Rack
    •  
  • SPARC SuperCluster T4-4 Full Rack
    •  
Related Categories 
    

  • PLA-Support>Eng Systems>Exadata/ODA/SSC>SPARC SuperCluster>DB: SuperCluster_EST
    •  
  • Tools>Primary Use>Configuration
    •  




Instructions on how to move the audit log to a ZFS dataset with a quota

In this Document
Goal
Solution

Applies to:

Oracle SuperCluster T5-8 Full Rack - Version All Versions to All Versions [Release All Releases]
Oracle SuperCluster M7 Hardware - Version All Versions and later
Oracle SuperCluster T5-8 Hardware - Version All Versions to All Versions [Release All Releases]
Oracle SuperCluster T5-8 Half Rack - Version All Versions to All Versions [Release All Releases]
Oracle SuperCluster M6-32 Hardware - Version All Versions to All Versions [Release All Releases]
SPARC

Goal

Instruct how to move the audit log to a ZFS dataset with a quota.

Solution

It is a best practice on SuperCluster to move the audit log location to a zfs dataset that contains a quota. This practice prevents excessive auditing from filling up the rpool. The following instructions illustrate how to move the audit log location to a zfs dataset and add a quota.

The procedure is  appropriate for dedicated domains, IOdomains, and zones.

 

Create a zfs dataset.

zfs create -o mountpoint=/audit rpool/audit

Configure audit.

svccfg -s svc:/system/auditd:default setprop audit_binfile/p_dir = astring: "/audit"

 Inform audit.

svcadm refresh svc:/system/auditd:default

 Set quota.

zfs set quota=5G rpool/audit

 

That is all there is to it.

 

What happens when the dataset fills up and no further audit logs are able to be written ? The answer is that it depends.  By default, Solaris has always enabled the 'continue (cnt)' audit policy.  'cnt'  means that audit records generated after the dataset has filled up will be dropped. Thus running processes and future processes will continue to work as expected. When the 'continue (cnt)' policy is not enabled, then the audit subsystem will block and any auditable activity such as logins will also block. 

 


Attachments 
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.
 Feedback