64 SPARC Enterprise Mx000 Servers Administration Guide • April 2007
Audit Records
Audit records are stored in audit files on a 4-megabyte file system on the Service
Processor. You cannot change the size reserved for the audit files, but you can
transfer the files manually to remote storage at any time. You can also configure
auditing for automatic transfers.
Audit files are stored in binary format, although you can export them to XML.
The audit file system switches storage between two partitions. Audit records are
stored in one partition until it becomes full, then new records are stored in the other
partition. Records in a full partition can be moved to a remote location, according to
the audit policy.
If audit policy or network problems impede remote storage, the system generates an
alarm. You can clear space by manually transferring the files to remote storage or by
deleting them. Until you clear space, new records are dropped.
Because local space is limited to 4 megabytes, the partitions fill up quickly. If you do
not configure audit policy to automatically transfer files to remote storage, you will
have to intervene frequently or begin to drop records. If you are unable to maintain
consistent audit trails, the utility of the audit system is limited. Typically, you either
set up sufficient remote space and automatic transfers or disable the audit capability.
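
The partition switching and record loss described above can be modelled to estimate how long a transfer outage the 4-megabyte store can absorb before audit records are dropped. This is an added example, not code from the guide or from the Service Processor firmware; the equal partition split, the fixed 512-byte record size and the names `simulate`, `Outcome` and `remote_ok` are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

TOTAL_BYTES = 4 * 1024 * 1024        # 4-megabyte audit file system (from the guide)
PARTITION_BYTES = TOTAL_BYTES // 2   # ASSUMPTION: the two partitions are equal in size


@dataclass
class Outcome:
    stored: int = 0                   # records written to a local partition
    dropped: int = 0                  # records lost while both partitions were full
    transfers: int = 0                # full partitions moved to remote storage
    first_drop: Optional[int] = None  # index of the first dropped record


def simulate(n_records: int, record_bytes: int,
             remote_ok: Callable[[int], bool]) -> Outcome:
    """Model the partition switching; remote_ok(i) says whether a transfer
    to remote storage succeeds at the moment record i arrives."""
    if not 0 < record_bytes <= PARTITION_BYTES:
        raise ValueError("record must fit in one partition")
    used, full, active = [0, 0], [False, False], 0
    out = Outcome()
    for i in range(n_records):
        if used[active] + record_bytes > PARTITION_BYTES:
            full[active] = True
        for p in (0, 1):              # automatic transfer of full partitions
            if full[p] and remote_ok(i):
                used[p], full[p] = 0, False
                out.transfers += 1
        if full[active]:
            if full[1 - active]:      # no space anywhere: the record is dropped
                out.dropped += 1
                if out.first_drop is None:
                    out.first_drop = i
                continue
            active = 1 - active       # switch to the other partition
        used[active] += record_bytes
        out.stored += 1
    return out


if __name__ == "__main__":
    # Constructed workload: 20,000 records of 512 bytes, remote storage
    # unreachable while records 3000..14999 arrive.
    print(simulate(20_000, 512, lambda i: not 3000 <= i < 15000))
```

The index of the first dropped record, divided by the observed record rate, gives the longest outage the local store can ride out without a gap in the audit trail.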
Audit Events
Audit events are:
■ Changes to the Service Processor configuration, for example, an IP address
change
■ Any request to perform an operation on an object protected by the access control
policy
■ All use of authentication
■ Tests of password strength, for example, tests done by the password command to
check whether a password contains enough nonalphabetical characters
■ Modifications to the access control attributes associated with an object, for
example, changes to controls on which domains a board might be in
■ Changes made to user security attributes, for example, password or privileges
■ Reading information from the audit records (including unsuccessful attempts)
■ Modifications to the audit policy
■ Actions taken due to the exceeding of an audit trail size threshold
■ Actions taken due to audit storage failure
■ Modifications made by administrators to the audit trail