I'm sponsoring this case for Jan Friedel and the Solaris Audit project team. It is the second phase of converting the audit service configuration to SMF. The first phase was PSARC/2009/022 audit_startup(1m) EOL and removal.
PSARC/2008/787 Obsolete of some Solaris Audit commands and PSARC/2009/636 Obsolete getacinfo(3bsm) announced Obsolescence (EOF) of a number of Solaris Audit interfaces in the next Patch release. When the audit service, auditd(1m), was created (6232332 auditd should run under SMF) as part of the conversion from /etc/rc scripts to SMF (PSARC/2002/547 Greenline), the configuration information in audit_startup(1m) and audit_control(4) was not converted. This case proposes to provide the configuration information contained in audit_control in audit service private properties and to remove audit_control(4) in a Minor release.

Copies of the Obsolete audit_control(4) and getacinfo(3bsm) man pages, a diff-marked auditconfig(1m) man page and the new proposed audit_flags(5) man page, as well as the delivered audit_control file, are in the case directory. The interface taxonomy of auditconfig(1m) is unchanged (Committed). For reference purposes a "references" subdirectory is provided with other related man pages and a prototype audit service manifest.

The timer is set for 19 Jan 2010.

Gary..

+++++++++++++++++++++++++++++++++

Background:
==========

audit_control(4) is a file that contains configuration of the default audit classes (flags: and naflags: keywords) [see audit_flags(5) and audit_class(4)] and audit trail destinations (plugin: keyword) [the dir: and minfree: keywords were effectively EOLed but not removed by PSARC/2002/150 Secure Remote Audit Log -- "Secure" is a misnomer here]. An administrator can configure these by editing the audit_control file.

Proposal:
========

Project Private properties are added to auditd(1m).

1) Remove the Obsolete Committed audit_control(4) file from the system.

2) As the audit_control(4) file was not world readable, add Project Private read-protected SMF property groups (PSARC/2007/177 SMF Read-Protected Property Storage) to contain the persistent values for the default audit flags and audit trail destinations.
3) Remove the Obsolete Committed getacinfo(3bsm) APIs from the system. These interfaces are used to access fields in the audit_control file.

4) Add project private properties to the audit service to contain the information in the removed audit_control file.

5) Add auditconfig(1m) subcommands -getflags, -getnaflags, -getplugin, -setflags, -setnaflags and -setplugin to display and set the default audit classes and audit trail destinations.

6) Modify auditd(1m) to initialize the default audit classes and audit trail destinations from audit service properties.

7) Deliver the service manifest with a slightly different default configuration from what audit_control contained (flags lo, naflags lo, plugin audit_binfile(5) active). The audit_control flags were empty and naflags were lo, which would audit failed events of the "login" class but not successful ones. The change is to audit both successful and failed logins when auditing is enabled. The audit_binfile default is unchanged.

8) Update au_user_mask(3bsm) to use the default audit classes configured in the audit service.

auditconfig(1m):

NAME
     auditconfig - configure auditing

SYNOPSIS
     auditconfig subcommand ...

SUBCOMMANDS
+    -getflags
+        Display the default audit preselection flags.
+    -getnaflags
+        Display the non-attributable audit mask.
+    -getplugin [name]
+        Display information about the plugin name. If name is not
+        specified, display all plugins.
+    -setflags audit_flags
+        Set the default audit classes, see audit_flags(5). The default
+        audit classes are combined with the user's specific audit
+        flags to form the user's process audit preselection mask.
+    -setnaflags audit_flags
+        Set the non-attributable audit classes, see audit_flags(5).
+        Non-attributable audit classes define what classes of events
+        are to be audited when the action cannot be attributed to
+        an authenticated user. Failed login is an example of an
+        event that is non-attributable.
+    -setplugin name active | inactive [ attributes [ qsize]]
+        Configure the plugin name to be "active" or "inactive".
+        Optionally configure the attributes and number of
+        unprocessed audit records to queue for the plugin.
+        See the audit plugin man pages and auditd(1m).

NOTES
+    The change to plugins (-setplugin) settings do not take effect
+    (such as becoming active or inactive, changing the active attribute
+    or queue size values) until the audit service is refreshed. Use
+    audit(1M) to refresh the audit service.

Notes:
======

1) Activation of updates (except for flags:) to the current audit_control(4) required refreshing the audit service.

2) The removed audit_control(4) man page contained the primary description of the syntax for specifying user audit flags. audit_flags(5) is proposed to provide that information.

3) New audit service plugins may be added within the Solaris distribution by distributing an updated service manifest. 3rd party audit service plugins may be added by using svccfg(1m) to add the appropriate property group information.

4) Activation of both flags (-setflags) and naflags (-setnaflags) requires no additional steps. Activation of plugins (-setplugin <name> active) still requires refreshing the audit service. See 1) above.

Issues:
=======

1) Many man pages refer to audit_control(4). The project team plans to use this as an opportunity to refresh and align these man pages. The updates are not documented as part of this case.

2) audit_control(4) will not be automatically converted. The currently understood conversion from Solaris 10 to Solaris next is a fresh install. "What's New" documentation will be provided: If you have modified the audit_control(4) file, you will need to use auditconfig(1M) to configure the audit service with your modifications.
   o use auditconfig -getflags, -getnaflags, -getplugin to display the current configuration
   o use auditconfig -setflags <the value of the audit_control(4) flags:>
   o use auditconfig -setnaflags <the value of the audit_control(4) naflags:>
   o for any audit_control(4) plugin: configured, use auditconfig -setplugin to activate and configure the same attributes (p_* values) and qsize
   o if the audit_control(4) obsolete dir: and/or minfree: are configured, use auditconfig -setplugin binfile active "p_dir=<dir: value>; p_minfree=<minfree: value>"

3) The policy for read-protected properties states that values should not be delivered in the manifest. The project team believes that compatibility with the existing default, which is openly documented in the Solaris Auditing section of the System Administration Guide: Security Services document, is sufficient motivation for delivering audit_binfile configured and active.
http://docs.sun.com/app/docs/doc/816-4557/auditref-12?l=en&a=view&q=audit_control
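As an added example (not part of this case or the project's own code), a POSIX sh script that reads a Solaris 10 style audit_control(4) file and prints, for review, the auditconfig(1m) commands that the conversion steps in Issue 2 above call for. The sample file, the plugin: line syntax and the mapping of a library name such as audit_syslog.so to the plugin name syslog are assumptions; the commands are printed, not run.

```shell
#!/bin/sh
# Constructed Solaris 10 style audit_control(4) sample (not from the case); plugin: syntax assumed.
SAMPLE_AUDIT_CONTROL='dir:/var/audit
flags:lo,ex
minfree:20
naflags:lo,na
plugin:name=audit_syslog.so;p_flags=lo,+as;qsize=512'

# emit_setplugin: turn the value of one plugin: line into an auditconfig -setplugin
# command. Assumption (not stated in the case): auditconfig names the plugin by its
# library name without the audit_ prefix and .so suffix (audit_syslog.so -> syslog).
emit_setplugin() {
    name='' attrs='' qsize='' rest="$1;"
    while [ -n "$rest" ]; do
        kv="${rest%%;*}"; rest="${rest#*;}"; kv="${kv# }"   # next field, "; " tolerated
        case "$kv" in
            name=*)  name=${kv#name=}; name=${name#audit_}; name=${name%.so} ;;
            qsize=*) qsize=${kv#qsize=} ;;
            p_*)     attrs="${attrs:+$attrs; }$kv" ;;       # p_* plugin attributes
        esac
    done
    echo "auditconfig -setplugin $name active \"$attrs\"${qsize:+ $qsize}"
}

# audit_control_to_auditconfig: read audit_control(4) text on stdin and print the
# auditconfig(1m) commands that reproduce it (printed for review, not executed).
audit_control_to_auditconfig() {
    dir='' minfree=''
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*)   ;;                                   # blank or comment
            flags:*)   echo "auditconfig -setflags ${line#flags:}" ;;
            naflags:*) echo "auditconfig -setnaflags ${line#naflags:}" ;;
            dir:*)     dir=${line#dir:} ;;                  # obsolete keyword
            minfree:*) minfree=${line#minfree:} ;;          # obsolete keyword
            plugin:*)  emit_setplugin "${line#plugin:}" ;;
            *)         echo "skipping unknown line: $line" >&2 ;;
        esac
    done
    # obsolete dir: and minfree: become p_dir and p_minfree of the binfile plugin
    if [ -n "$dir$minfree" ]; then
        attrs=''
        [ -n "$dir" ] && attrs="p_dir=$dir"
        [ -n "$minfree" ] && attrs="${attrs:+$attrs; }p_minfree=$minfree"
        echo "auditconfig -setplugin binfile active \"$attrs\""
    fi
}

printf '%s\n' "$SAMPLE_AUDIT_CONTROL" | audit_control_to_auditconfig
```

Because -setplugin changes only take effect after a refresh (Notes 1 and 4 above), the printed plugin commands still need to be followed by refreshing the audit service.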