During the implementation and code review phase of PSARC/2009/208,
a few changes to the protocol seemed to be advisable to make before
audit_remote(5) was integrated.  The version number remains unchanged.
Only GSS-API functionality is supported at this time.

Additionally, IANA granted the "solaris-audit" service port 16162/tcp.
/etc/services will be updated with this integration.  IANA will be
sent the updated protocol specification.

I've diff marked and updated audit_remote(5) man page and put it in
the case directory.  If anyone believes it's necessary to reopen the
case, I'll do so and set a new timer.

Gary..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Summary of protocol changes:
============================
1) The protocol version handshake has been changed and moved from
   within the GSS context to precede GSS context establishment.
   This change is to allow other forms of OTW protection such as
   TLS, or even none as might be the case for IPsec protected peers.

2) As part of the GSS security context negotiation, input channel
   bindings are used to authenticate the version handshake.

3) An "audit record" sequence number has been added to the sent
   audit records.  That sequence number needs to be returned as
   part of the message retrieval acknowledgement.  This greatly
   improves the efficiency of audit_remote's receiving thread
   in verification of the peer's receipt of audit records.

Summary of non-protocol changes:
================================
1) The default timeout has been reduced from 60 seconds to 5
   (and the retry algorithm is a semi-exponential backoff).
   The default number of retries remains 3.

2) The use of TCP_CORK has been eliminated.  It didn't appear to
   provide any benefit.  Based on the current Solaris implementation,
   it seemed to require additional sender code complexity and system
   calls.  If, in the future, this proves to be an unwise decision,
   TCP_CORK can be re-implemented in audit_remote(5) without affecting
   the protocol.

3) An explicit outstanding audit record count (rather than the implicit
   one from the kernel's queue control high water mark) can be specified.
   The qsize keyword specifies this value.  Note that auditd also interprets
   this keyword for each plugin and allocates plugin specific resources
   based on it.  auditd's default is also the kernel's queue control high
   water mark.
