I'm sponsoring this case for Paul Roberts and the Audit Project team.
It incompatibly modifies the Evolving auditconfig(1M) and Committed
auditon(2) interfaces to reflect the present implementation.
It requests a Patch release binding and permission to remove the
non-functioning interfaces in a patch even if the replacement functionality
is not present in the same Patch.
Full diff marked man pages are in the case directory along with the
excellent One Pager written by Paul. The one pager goes into details
of how an open customer escalation is waiting to be closed based on
Sun's declaration of these interfaces Obsolete. See 6185615: audit context
file statistics are no longer getting updated correctly.
It is possible that the escalating customer may not require a patch be
generated, but just Sun's intent to obsolete these interfaces in Solaris.
The timer is set for 9 Jan. 2008.
Happy Holidays,
Gary..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Background:
==========
PSARC/2002/150 Secure Remote Audit Log, changed the implementation
of writing data to the audit file from I/O done within the kernel to a
userland plugin for that audit service svc:/system/auditd. This change
took place in S10.
PSARC/2002/665 Audit Interface Reclassification addressed some of
the obsolescences that went along with this implementation change.
(VIZ., both auditsvc(2) and audit_data(4) were declared obsolete
and permitted for removal in the next minor release, i.e., S11).
Unfortunately, both cases failed to observe that the S9 and preceding
implementation had two features that were not implemented in S10.
auditconfig -setfsize <n> sets a kernel value that used to be interpreted
as a limit on the number of bytes in any audit file; when <n> was reached,
that file would be closed and a new file opened automatically (similar to
what an administrator can do manually with the audit(1M) -n command).
auditconfig -getfsize reports the size set by -setfsize and the number
of bytes currently written to the active audit file.
Proposal:
========
Declare auditconfig(1M) -[gs]etfsize Evolving interfaces obsolete
immediately and allow them to be removed in an upcoming patch release. There
is a slight chance that a customer may have modified the audit_startup(1M)
script[1] to include -setfsize, or might have a script or cron job that
includes -getfsize. A suitable "What's New" will call this out.
Declare the auditon(2) Committed implementation of these functions obsolete
immediately and allow them to be removed in an upcoming patch release. There
is a very remote chance that a customer may have written a program that
calls the auditon(2) implementation of these functions.
Add a new parameter, p_fsize, to audit_binfile(5), the auditd plugin that
implements writing to the local audit file, to replace the functionality
of -setfsize.
No replacement for -getfsize is proposed. The administrator can always
ls -l the *not-terminated* audit file to observe its size.
Details:
=======
auditconfig(1M):
+++++++++++++++
OPTIONS
- -getfsize
- Return the maximum audit file size in bytes and the
- current size of the audit file in bytes.
- -setfsize size
- Set the maximum size of an audit file to size bytes.
-
- When the size limit is reached, the audit file is closed
- and another is started.
-
- If perzone is not set, this option is valid only in the
- global zone.
NOTES
+ The -getfsize and -setfsize options have been removed. Use
+ audit_binfile(5) p_fsize to set the file size.
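Review bot: the NOTES text points both removed options at p_fsize, but the proposal above states that -getfsize has no replacement; the man page should say so explicitly rather than implying p_fsize covers it, e.g. "The -getfsize option has no replacement; use ls -l on the current audit file to observe its size."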
audit_binfile(5):
+++++++++++++++++
OBJECT ATTRIBUTES
+ The p_fsize attribute defines the maximum size in bytes that
+ an audit file may become before it is automatically closed
+ and a new audit file opened. This is equivalent to an
+ administrator issuing an \fCaudit -n\fP command when the
+ audit file contained the specified number of bytes.
+ The default size is zero (0) which means allow the file to grow
+ without bound. The value specified must be within the range
+ of [512,000, 2,147,483,647].
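Review bot: the p_fsize text states a default of zero meaning "grow without bound" and then requires the specified value to be within [512,000, 2,147,483,647], which excludes zero; state whether an administrator may explicitly set p_fsize to 0 to disable the limit, e.g. "The value specified must be 0 or within the range of [512,000, 2,147,483,647]."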
Note the range had been 524,288 to 4,294,967,295 [0x80000 - 0xffffffff],
but the overflow comparison was broken: the implementation incremented the
u_int cursize by the I/O size, then compared u_int cursize >= u_int filesz.
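As an added illustration (not code from the case or from the Solaris source), the unsigned-increment-then-compare check described above beside an overflow-safe form, plus a range check for the proposed p_fsize bounds; the range check assumes the documented default of 0 is accepted alongside [512,000, 2,147,483,647]:

```c
#include <stdbool.h>
#include <limits.h>

/*
 * Reconstruction of the old rotation test: the running byte count is an
 * unsigned int, incremented by the size of each write and then compared
 * against the unsigned limit.  With filesz near UINT_MAX (the old upper
 * bound 0xffffffff) the increment wraps to a small value and ">=" never
 * fires, so the file is never rotated.
 */
bool broken_should_rotate(unsigned int *cursize, unsigned int iosize,
    unsigned int filesz)
{
	*cursize += iosize;		/* may wrap around */
	return (*cursize >= filesz);
}

/*
 * Overflow-safe variant: detect that the add would wrap before doing it,
 * and treat a limit of 0 as "grow without bound" as the p_fsize text says.
 */
bool safe_should_rotate(unsigned int *cursize, unsigned int iosize,
    unsigned int filesz)
{
	if (filesz == 0) {		/* no limit: only keep counting */
		*cursize += iosize;
		return (false);
	}
	if (iosize > UINT_MAX - *cursize)	/* the add would wrap */
		return (true);
	*cursize += iosize;
	return (*cursize >= filesz);
}

/*
 * Range check for the proposed p_fsize attribute.  Assumption: 0 (the
 * documented default) is accepted in addition to [512,000, 2,147,483,647].
 * The upper bound is INT_MAX, so a signed 32-bit counter cannot wrap
 * before reaching it.
 */
bool p_fsize_valid(long long v)
{
	return (v == 0 || (v >= 512000LL && v <= 2147483647LL));
}
```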
auditon(2):
+++++++++++
The following commands are supported:
- A_SETFSIZE
- Set the maximum size of an audit trail file. When the
- audit file reaches the designated size, it is closed and
- a new file started. If the maximum size is unset, the
- audit trail file generated by auditsvc() will grow to
- the size of the file system. The data argument points to
- the au_fstat_t structure containing the maximum audit
- file size in bytes. The size can not be set less than
- 0x80000 bytes.
-
- A_GETFSIZE
- Return the maximum audit file size and current file size
- in the au_fstat_t structure pointed to by the data argu-
- ment.
Notes:
=====
[1] audit_startup(1M) is a shell script delivered into /etc/security.
It has existed since the 2.3 integration of Audit. Its purpose
has varied from release to release. It is executed as part of the
start method for the audit service svc:/system/auditd and before
auditd(1M) itself is started. From S10, it sets kernel defaults
for the audit service. In a future project audit_startup is
expected to be eliminated in favor of a proper administrative
interface to the audit service through SMF properties.