Gary,

Gary Winiger wrote:
> Glenn,
> 
>>> What kind of debugging options are available to determine what
>>> commands may be needed by SMF to start a service?  For example,
>>> if I want to take away the "Basic Solaris User" rights profile
>>> from the default and add only those commands that I need, how
>>> can I determine what SMF needs (beyond what the actual service
>>> being started needs)?  The SMF service log was not really helpful
>>> in this case.
> 
>       I'm not sure what your question is?  Are you saying that
>       removing Basic Solaris User from policy.conf means that
>       some SMF services have difficulty?  Or is there something
>       else here?  Recall that manifests can specify authorizations
>       needed for certain operations.  I believe the default in
>       Basic Solaris User there are a bunch of authorizations.
>       Perhaps some of them apply to the services, but none seem
>       to be smf specific.

In a nutshell, this is what I had wanted to do:

1. Remove Basic Solaris User from /etc/security/policy.conf
2. Configure Apache2 to use an RBAC profile for execution

Thereby, I was hoping to force Apache2 to only use those commands
that I specified could be run.  Since I am required to give the
Apache2 service - proc_fork/proc_exec (the latter because it calls
a shell script which starts the real service), then I wanted to be
able to more tightly control what it could exec(2).

So, when I do this, the server goes into maintenance mode.  I am
basically trying to figure out why.

Looking over this a bit more, I am not sure if this is possible
given the current implementation in nv72.  Can someone confirm?


>>> Also, is there a way to set an audit context for a SMF-managed
>>> service?
> 
>       To expand on what Tom said:  We could add audit flags to the
>       method_context.  Or some other property group.  I'm not sure
>       that would be of general use.  Services should not generally
>       be audited.  Services in general should audit in the requestor
>       context, if at all.

Why do you think that this would not be of general use?  Would it
not be good to track what files your Apache2 (in this case) service
is accessing/modifying/deleting and whether it is reaching "out of
bounds"?  I would think that events such as the family of execs and
file access events would be of great interest to a lot of people
and by enabling a way to specify them through SMF - now you have
an easy and repeatable way to ensure auditing is enabled for your
(and your third party) applications.


>       Today one could configure any audit necessary in the method
>       using auditconfig -setpmask

Yes, but I have to run that manually which is not really in the
spirit of SMF.  What if a service was restarted?  Would it retain
its audit mask?

g
