Written by J. Moellenkamp on
Auditing a single SMF service
Sometimes there is a need to activate auditing for a single SMF service. The problem: there is no simple setting like “do_audit” for a service. But you can achieve the same effect by using SMF itself.
In this article I assume some knowledge of the auditing subsystem, so you know that the audit events logged for a process are controlled by the process preselection mask. For example, the bash on my system audits all exec calls (normal and with pfexec set) and events of the class lo:
Okay, first we need a script that sets the audit flags for the processes of a service. Just a warning: all the scripts and manifests are quick and dirty “proof of concept” scripts. They may break immediately. They may do harm. There may be a security hole as gaping as a large barn door. And don’t ask me for support. But they should give you an idea of what you have to do.
First we need to find out which processes need a new preselection mask. I hacked something along the lines of this: essentially it looks up the contract id of a service and then finds all processes of that contract. Afterwards it iterates over the process ids with xargs and sets the new pmask to ex. I will post something significantly more elegant than this soon (this script is about as elegant as a brick), but I need this article out fast … well … for reasons. I decided to use the hal service in this example for no reason other than that it has multiple processes. I put this file in /lib/svc/method and made it executable afterwards. The service I want to audit is defined in the variable service; in this example it’s set to svc:/system/hal:default:
We are talking about SMF, so we need an SMF manifest next. I created its skeleton for Solaris 11.3 with svcbundle and customized it. In principle it should work for Solaris 10 as well. I put this file into the home directory of root and named it customauditsetterhal.xml.
The important part is the one marked in red; I added it manually to the auto-generated manifest. It defines a dependency on the service that should be audited, so after the service we want to audit is started, this service starts and sets the process preselection mask. With restart_on we further configure that this service restarts and sets the mask again not only when the audited service is restarted or disabled/enabled, but also when it is merely refreshed.
Okay. Now we have to do the necessary steps to use it:
Before we enable the service, let us check the current state of the preselection mask:
Now we will enable the new service:
The next step is to check the state of the new service:
The dependencies match our configuration: the new service is dependent on svc:/milestone/multi-user:default and svc:/system/hal:default.
And now we can look if the service did its job:
Okay, let’s restart the service.
It automatically executes the commands that set the new process preselection mask on the processes created by the restart, as indicated by the logfile of the SMF service.
After a reboot the command will be executed as well:
Okay, of course a simple property would be nicer, but with SMF dependencies you can work around its absence.