Gary Winiger wrote:
> I'm sponsoring this case for Marek Pospisil and the Solaris Audit
> project team. It requests a Minor Release Binding and an unchanged
> interface taxonomy.
>
> I believe it qualifies for self-review and have marked it "closed approved
> automatic." I'm happy to turn it into a fast track and set a timer if
> anyone believes I've misjudged.
>

+1 in advance in case someone does do so. :-)

-- Garrett

> Full diffmarked man pages are in the case directory.
>
> Gary..
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Background:
> ==========
> Historically, Solaris Auditing required the administrator to run the
> now obsolete bsmconv(1m) command, configure auditing and REBOOT.
> To disable auditing the administrator had to run the now obsolete
> bsmunconv(1m) command and REBOOT. Customer feedback from most enterprise
> shops has consistently been that rebooting has been an impediment to
> their use of Solaris Auditing. See also, RFE 6192139 Solaris auditing should
> always be enabled
>
> bsmconv has contained two functions. One was to modify system(4) to
> load the Solaris Audit kernel module (set c2audit:audit_load = 1), thus
> requiring the reboot, and enable the audit service. The other was to
> configure device allocation, allocate(1). In preparation for this case
> and one that rearchitects device allocation to be always available,
> PSARC/2008/787 Obsolete of some Solaris Audit commands, obsoleted
> bsmconv/bsmunconv. A future case when device allocation no longer requires
> running bsmconv/bsmunconv will request their removal. With the integration
> of this case, bsmconv/bsmunconv will still enable/disable the audit service
> and configure/disable device allocation.
>
> If desired, it remains possible to modify system(4) to cause the audit
> module not to be loaded (exclude c2audit).
>
> Proposal:
> ========
> No longer require the modification of system(4) and the implied reboot.
> Solaris Auditing will always be available to be configured and then
> enabled either by bsmconv(1m) if device allocation is also desired or
> by audit(1m) -s. Solaris Auditing can similarly be disabled by running
> bsmunconv(1m) or by audit(1m) -t.
>
> While audit -s/-t is the preferred, documented, and historic interface for
> enabling (or refreshing)/disabling the audit daemon (from pre-smf days through
> this case), svcadm enable/refresh/disable svc:/system/auditd will work
> as well.
>
> The audit(1m), auditd(1m) and bsmconv/bsmunconv(1m) man pages are updated:
>
> audit(1m):
> ==========
>
> OPTIONS
>      -n        Notify the audit daemon to close the current
>                audit file and open a new audit file in the
>                current audit directory.
>
>      -s        Notify the audit daemon to read the audit control
>                file. The audit daemon stores the information
>                internally. If the audit daemon is not running,
> -              but audit has been enabled by means of
> -              bsmconv(1M), the audit daemon is started.
> +              enable (start) the audit daemon.
>
>      -t        Direct the audit daemon to close the current
> -              audit trail file, disable auditing, and die. Use
> +              audit trail file and disable (stop) the audit daemon. Use
>                -s to restart auditing.
>
>      -v path   Verify the syntax for the audit control file
>                stored in path. The audit command displays an
>                approval message or outputs specific error mes-
>                sages for each error found.
>
> NOTES
> -    The functionality described in this man page is available
> -    only if the Solaris Auditing feature has been enabled. See
> -    bsmconv(1M) for more information.
>
>      For the -s option, audit validates the audit_control syntax
>      and displays an error message if a syntax error is found. If
>      a syntax error message is displayed, the audit daemon does
>      not re-read audit_control. Because audit_control is pro-
> -    cessed at boot time, the -v option is provided to allow syn-
> +    cessed at the time the audit deamon is enabled, the -v
> +    option is provided to allow syn-
>      tax checking of an edited copy of audit_control. Using -v,
>      audit exits with 0 if the syntax is correct; otherwise, it
>      returns a positive integer.
>
> auditd(1m):
> ==========
>
> DESCRIPTION
>
>      audit(1M) is used to control auditd. It can cause auditd to:
>
> +        o  to enable auditd if not enabled;
>
>          o  close the current audit file and open a new one;
>
>          o  close the current audit file, re-read
>             /etc/security/audit_control and open a new audit
>             file;
>
>          o  close the audit trail and terminate auditing.
>
> NOTES
> -    The functionality described in this man page is available
> -    only if the Solaris Auditing feature has been enabled. See
> -    bsmconv(1M) for more information.
>
> -    auditd is loaded in the global zone at boot time if auditing
> -    is enabled. See bsmconv(1M).
>
> bsmconv/bsmunconv(1m):
> ==========
> ATTRIBUTES
>      ___________________________________________________________
>     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
>     |_____________________________|_____________________________|
>     | Availability                | SUNWcsr                     |
>     |_____________________________|_____________________________|
>     | Interface Stability         | Obsolete Committed          |
>     |_____________________________|_____________________________|
>
> NOTES
>      bsmconv and bsmunconv are not valid in a non-global zone.
>
>      These commands are Obsolete and may be removed and replaced
>      with equivalent functionality in a future release of
>      Solaris.
>
> +    The audit(1M) command may also be used to enable Solaris Auditing.
>
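Review bot: "deamon" in the added audit(1m) NOTES line, `+ cessed at the time the audit deamon is enabled, the -v`, is a typo for "daemon". The same sentence could also cover the refresh case, since the -s text above says a running daemon re-reads audit_control on -s; e.g. "processed when the audit daemon is enabled or refreshed".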
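Review bot: the new auditd(1m) DESCRIPTION bullet, `+ o to enable auditd if not enabled;`, produces a doubled "to" after the lead-in "It can cause auditd to:", which the existing bullets avoid ("close the current audit file ..."). Suggest "o enable auditd if not enabled;", and consider aligning the last bullet with the new audit -t wording, "disable (stop) the audit daemon", rather than "terminate auditing".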
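Review bot: dropping `- auditd is loaded in the global zone at boot time if auditing` / `- is enabled. See bsmconv(1M).` from auditd(1m) NOTES leaves the page silent on how auditd is started at boot. Since the proposal states that svc:/system/auditd (svcadm enable/refresh/disable) is the mechanism behind audit -s/-t, a replacement sentence naming the SMF service and the global-zone restriction would keep that information in the man page.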
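Review bot: the added bsmconv/bsmunconv(1m) NOTES line, `+ The audit(1M) command may also be used to enable Solaris Auditing.`, mentions only enabling, while the proposal says audit(1M) -t likewise replaces bsmunconv for disabling; suggest "enable or disable Solaris Auditing", and a clause that bsmconv/bsmunconv remain the interface when device allocation must also be configured, as the Background section states.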