With the integration of 6875456, Solaris Audit configuration in
SMF - phase 2 (PSARC/2009/636, PSARC/2009/642) incremental
builds will get a packaging error similar to:
---
Entries present in proto area but not manifests:
file etc/security/audit_control group=group mode=0644 owner=owner
path=etc/security/audit_control
file usr/lib/help/auths/locale/AuditConfig.html group=group mode=0444
owner=owner path=usr/lib/help/auths/locale/AuditConfig.html
file usr/lib/help/auths/locale/AuditRead.html group=group mode=0444
owner=owner path=usr/lib/help/auths/locale/AuditRead.html
file usr/lib/help/auths/locale/C/AuditConfig.html group=group mode=0444
owner=owner path=usr/lib/help/auths/locale/C/AuditConfig.html
file usr/lib/help/auths/locale/C/AuditRead.html group=group mode=0444
owner=owner path=usr/lib/help/auths/locale/C/AuditRead.html
---
You can remove the concerned files from your proto area
$CODEMGR_WS/proto/root_{i386,sparc}/<concerned_file>
or do a clobber build.
If you are not using or not planning to use Solaris Auditing,
you may skip the remainder of this message.
If you are running Solaris Auditing this putback moves the
audit configuration historically maintained in audit_control(4)
into SMF and removes the audit_control(4) file. Existing
audit_control(4) configurations will have to be migrated using
the new command line options to auditconfig(1M) which are part
of this putback such as '-setflags', '-setnaflags', and
'-setplugin'. The auditconfig(1M) man page changes associated
with this putback can be seen here:
http://sac.sfbay.sun.com/PSARC/2009/642/auditconfig.1m
With these changes in place auditconfig(1M) is now the only
committed interface for Solaris Audit configuration.
The Solaris Auditing I-team have developed a helper script
which translates an existing audit_control(4) file into an
equivalent sequence of auditconfig(1M) commands. Note that the
script has undergone limited testing and its output should be
reviewed prior to running the auditconfig(1M) commands. The
script is attached to CR 6875456 or can be directly downloaded
here:
http://monaco.sfbay.sun.com/download/net/swsblss1.central.sun.com/attach/bugtraq/cr/6/6/6875456/trans_control.sh.zip
The script takes an existing audit_control(4) file and
generates the corresponding auditconfig(1M) commands to
replicate the configuration. Since this putback removes the
audit_control file you'll need to mount the previous boot
environment (BE - see beadm(1M)) and reference the
/etc/security/audit_control file there.
If you currently administer Solaris Auditing using RBAC Rights
Profiles or plan to in the future note that this putback
creates a new rights profile called 'Audit Configuration' and
reorganizes the two existing rights profiles 'Audit Control'
and 'Audit Review'. If you update to a build or bits which
don't contain the fix for:
6964157 rbac profiles are not correctly processed during
package upgrade
http://monaco.sfbay/detail.jsf?cr=6964157
then you'll need to make a few simple changes to
/etc/security/{exec_attr,prof_attr}.
The changes required to /etc/security/exec_attr are to remove
the existing entries which begin with 'Audit' and then add the
following five lines:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
Audit Control:solaris:cmd:::/usr/sbin/audit:privs=proc_owner,sys_audit
Audit Review:solaris:cmd:::/usr/sbin/auditreduce:euid=0
Audit Review:solaris:cmd:::/usr/sbin/auditstat:privs=proc_audit
Audit Review:solaris:cmd:::/usr/sbin/praudit:privs=file_dac_read
The changes to /etc/security/prof_attr are to remove the
existing entries which begin with 'Audit' and then add the following
three lines:
Audit Configuration:::Configure Solaris
Audit:auths=solaris.smf.value.audit;help=RtAuditCfg.html
Audit Control:::Control Solaris
Audit:auths=solaris.smf.manage.audit;help=RtAuditCtrl.html
Audit Review:::Review Solaris Auditing logs:help=RtAuditReview.html
Any bugs relating to these changes can be filed under
solaris/audit with the most appropriate subcategory.
For any questions, please send email to jan.frie...@sun.com and
in copy to audit-c...@sun.com. Thanks.
_______________________________________________
on-discuss mailing list
on-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/on-discuss
