I'm sponsoring this fast track for Jan Friedel and the Solaris Audit Project team. PSARC/2008/787 Obsolete of some Solaris Audit commands announced Obsolescence (EOF) of a number of Solaris Audit interfaces in the next Patch release -- paperwork is underway.
When svc:/system/auditd was created (6232332 auditd should run under SMF) as part of the conversion from /etc/rc scripts to SMF (PSARC/2002/547 Greenline), the configuration information in audit_startup(1m) and audit_control(4) was not converted. This case proposes to provide the configuration information contained in audit_startup in svc:/system/auditd private properties and to remove audit_startup(1m) in a Minor release.

The interface taxonomy of auditconfig(1m) is unchanged (Committed). The Obsolete Committed audit_startup(1m) is removed. Project Private properties are added to svc:/system/auditd.

Copies of the audit_startup(1m) man page, a diff-marked auditconfig(1m) man page, as well as the delivered audit_startup script are in the case directory.

The timer is set for 21 Jan 2009.

Background:
==========

audit_startup(1m) is a shell script that contains auditconfig(1m) commands used to initialize kernel values for the Solaris Audit subsystem. It is run as part of the start method of svc:/system/auditd. An administrator can configure the Audit Policy by editing the audit_startup file and adding auditconfig commands to the file. While other changes could be made to this file, the only valid commands are -setpolicy, -setqbufsz, -setqdelay, -setqhiwater and -setqlowater. The other auditconfig commands report on kernel state or modify running processes and are intended for administrators to run interactively from the Audit Control Rights Profile.

Proposal:
========

1) Remove the audit_startup(1m) script from the system.

2) As the audit_startup(1m) script was not world readable, add Project Private read-protected SMF property groups (PSARC/2007/177 SMF Read-Protected Property Storage) to contain the persistent values for the audit policy and buffer parameters (-setpolicy, -setqbufsz, -setqdelay, -setqhiwater, -setqlowater).

3) Modify auditconfig(1m) -setpolicy, -setqbufsz, -setqctrl, -setqdelay, -setqhiwater and -setqlowater to set not only the persistent property values but also the running system values. (If audit is not loaded in the kernel, as would be the case before a reboot after bsmconv(1m) is run, only set the persistent properties.)

4) Add a -t option to the auditconfig -setpolicy, -setqbufsz, -setqctrl, -setqdelay, -setqhiwater and -setqlowater commands to set these values temporarily (i.e., only modify the running system).

5) Modify auditconfig(1m) -getpolicy, -getqbufsz, -getqctrl, -getqdelay, -getqhiwater and -getqlowater to report not only the persistent property values but also the running system values. (If audit is not loaded in the kernel, as would be the case before a reboot after bsmconv(1m) is run, only report the persistent properties.)

6) Add a -t option to the auditconfig -getpolicy, -getqbufsz, -getqctrl, -getqdelay, -getqhiwater and -getqlowater commands to report only the running system values.

7) Modify auditd(1m) to initialize the audit policy and buffer parameters based on the svc:/system/auditd properties, and to initialize the kernel's event-to-class mappings (-aconf, -conf).

8) Modify the Audit Control Rights Profile appropriately to allow persistent property setting.

9) Deliver the "cnt" policy enabled in the service manifest. This matches the default audit_startup script. No other audit policy or buffer parameters are changed from the compiled-in default.

Notes:
======

1) Persistent auditconfig -setclass is done by modifying audit_event(4).

2) Persistent auditconfig -setkaudit is done by hostname lookup and set by auditd(1m) on startup. This subcommand was created for test and debugging quite a while ago and probably should not have been documented.

3) Persistent auditconfig -setkmask is done by modifying audit_control(4):naflags -- to be converted to SMF properties in a separate project.

4) The remaining auditconfig -set commands do not deal with state that is persistent.

Issues:
=======

1) The other obsoleted audit configuration file, audit_control(4), is not part of this project. The plan is to also remove it before the next "Minor" release. It is not part of this project for resource considerations: the ITeam has essentially completed this work and needs to be redirected to other immediate tasks. Mitigating this is that the two configuration files are independent of each other, thus this project is complete even without the removal of audit_control.

2) Doing the project in two phases means that in the interim, if someone runs the development system and has modified the default audit configuration, they may have two transitions to make: one for the removal of audit_startup and one for the removal of audit_control.

3) The policy for read-protected properties states that values should not be delivered in the manifest. The project team believes that compatibility with the existing default, which is openly documented in the Solaris Auditing section of the System Administration Guide (Solaris Security Services document), is sufficient motivation for delivering the "cnt" audit policy enabled in the service manifest. http://docs.sun.com/app/docs/doc/816-4557/audittask-18?l=en&q=audit+policy&a=view
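As an added example (not part of the PSARC case or its deliverables), a drift check built on proposal items 5 and 6: once -getpolicy reports both the persistent SMF value and the running kernel value, an operator can compare the two to catch a policy that was changed with -t and never made persistent. The two-line output format and the "configured"/"active" labels are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Constructed sample of what `auditconfig -getpolicy` is ASSUMED to print
# once items 5 and 6 land: one line for the persistent (SMF) value and one
# for the running kernel value. The exact wording is an assumption.
SAMPLE_OUTPUT='configured audit policies = cnt
active audit policies = cnt,argv'

# policy_set PREFIX OUTPUT
# Prints the comma-separated policy list that follows
# "<PREFIX> audit policies = ", sorted so that flag order does not matter.
policy_set() {
    printf '%s\n' "$2" |
        sed -n "s/^$1 audit policies = //p" |
        tr ',' '\n' | sed '/^$/d' | sort | tr '\n' ',' | sed 's/,$//'
}

# check_drift OUTPUT
# Returns 0 when the persistent and running policy sets agree, 1 otherwise;
# the difference is reported on stderr for the operator.
check_drift() {
    configured=$(policy_set configured "$1")
    active=$(policy_set active "$1")
    if [ "$configured" = "$active" ]; then
        return 0
    fi
    echo "audit policy drift: configured=[$configured] active=[$active]" >&2
    return 1
}

# On a real system this would be: check_drift "$(auditconfig -getpolicy)"
check_drift "$SAMPLE_OUTPUT" ||
    echo "running policy differs from SMF: set with -t, or not yet persisted"
```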