I'm sponsoring this case for Marek Pospisil and the Solaris Audit project team. It requests a Minor Release Binding and an unchanged interface taxonomy.
I believe it qualifies for self-review and have marked it "closed approved automatic." I'm happy to turn it into a fast track and set a timer if anyone believes I've misjudged. Full diffmarked man pages are in the case directory.

Gary..

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Background:
==========

Historically, Solaris Auditing required the administrator to run the now obsolete bsmconv(1m) command, configure auditing and REBOOT. To disable auditing the administrator had to run the now obsolete bsmunconv(1m) command and REBOOT. Customer feedback from most enterprise shops has consistently been that rebooting has been an impediment to their use of Solaris Auditing.

See also, RFE 6192139 Solaris auditing should always be enabled

bsmconv has contained two functions. One was to modify system(4) to load the Solaris Audit kernel module (set c2audit:audit_load = 1), thus requiring the reboot, and enable the audit service. The other was to configure device allocation, allocate(1).

In preparation for this case and one that rearchitects device allocation to be always available,

    PSARC/2008/787 Obsolete of some Solaris Audit commands,

obsoleted bsmconv/bsmunconv. A future case when device allocation no longer requires running bsmconv/bsmunconv will request their removal.

With the integration of this case, bsmconv/bsmunconv will still enable/disable the audit service and configure/disable device allocation. If desired, it remains possible to modify system(4) to cause the audit module not to be loaded (exclude c2audit).

Proposal:
========

No longer require the modification of system(4) and the implied reboot. Solaris Auditing will always be available to be configured and then enabled either by bsmconv(1m) if device allocation is also desired or by audit(1m) -s. Solaris Auditing can similarly be disabled by running bsmunconv(1m) or by audit(1m) -t.
While audit -s/-t is the preferred, documented, and historic interface for enabling(or refreshing)/disabling the audit daemon (from pre-smf days through this case), svcadm enable/refresh/disable svc:/system/auditd will work as well. The audit(1m), auditd(1m) and bsmconv/bsmunconv(1m) man pages are updated: audit(1m): ========== OPTIONS -n Notify the audit daemon to close the current audit file and open a new audit file in the current audit directory. -s Notify the audit daemon to read the audit control file. The audit daemon stores the information internally. If the audit daemon is not running, - but audit has been enabled by means of - bsmconv(1M), the audit daemon is started. + enable (start) the audit daemon. -t Direct the audit daemon to close the current - audit trail file, disable auditing, and die. Use + audit trail file and disable (stop) the audit daemon. Use -s to restart auditing. -v path Verify the syntax for the audit control file stored in path. The audit command displays an approval message or outputs specific error mes- sages for each error found. NOTES - The functionality described in this man page is available - only if the Solaris Auditing feature has been enabled. See - bsmconv(1M) for more information. For the -s option, audit validates the audit_control syntax and displays an error message if a syntax error is found. If a syntax error message is displayed, the audit daemon does not re-read audit_control. Because audit_control is pro- - cessed at boot time, the -v option is provided to allow syn- + cessed at the time the audit deamon is enabled, the -v + option is provided to allow syn- tax checking of an edited copy of audit_control. Using -v, audit exits with 0 if the syntax is correct; otherwise, it returns a positive integer. auditd(1m): ========== DESCRIPTION audit(1M) is used to control auditd. 
It can cause auditd to: + o to enable auditd if not enabled; o close the current audit file and open a new one; o close the current audit file, re-read /etc/security/audit_control and open a new audit file; o close the audit trail and terminate auditing. NOTES - The functionality described in this man page is available - only if the Solaris Auditing feature has been enabled. See - bsmconv(1M) for more information. - auditd is loaded in the global zone at boot time if auditing - is enabled. See bsmconv(1M). bsmconv/bsmunconv(1m): ========== ATTRIBUTES ____________________________________________________________ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | |_____________________________|_____________________________| | Availability | SUNWcsr | |_____________________________|_____________________________| | Interface Stability | Obsolete Committed | |_____________________________|_____________________________| NOTES bsmconv and bsmunconv are not valid in a non-global zone. These commands are Obsolete and may be removed and replaced with equivalent functionality in a future release of Solaris. + The audit(1M) command may also be used to enable Solaris Auditing.
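
Review bot: In the audit(1m) NOTES hunk, the added line "cessed at the time the audit deamon is enabled, the -v" misspells "daemon" and should be corrected before the page is delivered. In the -s option of the same page, the result of the change reads "If the audit daemon is not running, enable (start) the audit daemon.", which switches to an imperative with no subject in the middle of a description; "the audit daemon is enabled (started)" would keep the voice of the sentence it replaces.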
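
Review bot: In the auditd(1m) DESCRIPTION hunk, the added bullet "o to enable auditd if not enabled;" repeats the "to" of the lead-in "It can cause auditd to:" and, unlike the other bullets, names auditd as its own object. Wording it like its siblings would read better, for example "o start, if not already enabled;". The NOTES removal in the same page also drops "auditd is loaded in the global zone at boot time if auditing is enabled" without a replacement, so the page no longer says when auditd starts; a sentence tying startup to audit -s or to the svc:/system/auditd service would cover that.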
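
Review bot: In the bsmconv/bsmunconv(1m) NOTES hunk, the added sentence "The audit(1M) command may also be used to enable Solaris Auditing." covers only enabling, although the page is shared with bsmunconv and the proposal names audit -t as the way to disable. Suggest naming both options, audit -s to enable and audit -t to disable. The note should also say that audit(1M) does not configure device allocation, since the proposal keeps that as the reason to run bsmconv.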