Phi Tran wrote:
> Gary Winiger wrote:
> 
>>>>>>     How does this project meet the audit requirements for
>>>>>>     auditing a system discontinuity?
>>>>>>
>>>>>>     Before this project, when the system is shut down (halt(1M),
>>>>>>     reboot(1M), uadmin(1M)), an audit record is written indicating
>>>>>>     the start of a discontinuity, the audit trail is flushed to
>>>>>>     disk, the current audit trail file closed, the audit service is
>>>>>>     temporarily disabled.  Upon reboot, the kernel generates
>>>>>>     a boot audit record.  When the audit service is started
>>>>>>     during svc.startd processing, a new audit trail file is created
>>>>>>     and the boot audit record is recorded in that file.
>>>>>>
>>>>>>     Note also prom entry and exit are audited.
>>>>>>
>>>>>> Gary..
>>>>>
>>>>>
>>>>> The base calls will be init(1M), reboot(1M), and uadmin(1M) which are
>>>>> all audited like you said.  Are you saying the auditing there isn't
>>>>> sufficient?
>>>>
>>>>
>>>>
>>>>     Are you saying you run init/reboot/uadmin (but not halt) in the
>>>>     full context of the user?  If so that's sufficient for initiating
>>>>     the discontinuity.
>>>>     When the system comes out of suspended animation, is kernel main()
>>>>     run?
>>>
>>>
>>> Yes, the init/reboot/uadmin calls run in the full context of the user.
>>> Halt is not used since it doesn't shut down SMF services cleanly.
>>>
>>> The kernel was suspended, so on a resume, like any suspended process,
>>> it would start running again.  That's my simplified answer :), but the
>>> power management group would have more details if needed.
>>
>>
>>
>>     Not really.  When the kernel resumes, I would presume it starts
>>     at the next kernel instruction following the instruction that
>>     caused it to go into suspended animation.  I would presume it
>>     does not run genunix:main() again that starts the system fresh
>>     in a reboot, so I ask how is the resume from suspended animation
>>     audited?
>>
> 
> I agree that any process resumed should start at the next instruction.
> 
> As for the auditing of resume, I don't know how exactly it was done.
> I'll have to look up the bug and code that was integrated for this
> auditing.

The auditing of suspend is handled by the uadmin.c code.  It creates an
audit record and then ends the auditing session before the actual
suspend.

Phi
