A few days ago, I wrote an article about how you can set auditflags for the processes of SMF services. The scripts were really just proof-of-concept ones, and using them involved a lot of copy and pasting. Well … I had some spare time on Saturday and wrote an even worse hack. The problem is still the same as in the older blog entry. Simply said … processes of SMF services have no auditflags set, thus they aren’t audited, and so nothing from them will appear in the audit logs.
This script has the following features/weirdnesses:
This SMF service can set the auditflags for several SMF services. With the old script you needed a separate one for each SMF service you wanted to audit.
You can set default auditflags (currently you must), or you can define auditflags per service.
You activate the default set of auditflags for a service just by defining a dependency.
Currently, whenever the service is restarted because of a dependency, the auditflags are set for the processes of all services this service depends on. You will see this later in the logs.
At first you need an SMF manifest. This is pretty much just the output of svcbundle for a transient service. You can download it here.
Then you need the method script. It’s available here.
Please keep in mind: Do whatever you want with the scripts, they are nothing special, but don’t ask me (or my employer) for support and bug fixing. And I don’t guarantee it works, I don’t guarantee it doesn’t have gaping security holes, I don’t guarantee it won’t break your system and I can’t guarantee that no animals were harmed because, to be exact, one animal was harmed … a housefly.
In order to use the manifest, copy it to the correct location. The command obviously assumes you have downloaded your files to your home directory.
In order to use the method script, please copy it to the method directory.
Okay, now we have to configure it. At first we set the default audit flags. Those defaults are only applied to services that svc:/site/smf_service_audit:default depends on.
Now I want to show you how to define non-default auditflags for a single service:
The FMRI in audited_service_*/fmri = astring must be the same one you use later in the dependencies. In order to be recognized, the property groups defining the per-service audit flags must begin with audited_service; it doesn’t matter what follows.
Now you have to make svc:/site/smf_service_audit:default dependent on the services whose auditflags you want to set. Only dependencies whose names begin with smfserviceauditing are considered by the script; it doesn’t matter what follows. In my example I want to set auditflags for the services svc:/system/hal:default and svc:/network/smtp:sendmail.
First we set the necessary parameters for svc:/network/smtp:sendmail:
Now we set the necessary parameters for svc:/system/hal:default:
Okay, in order to activate all the changes and enable the service we have to execute the following command.
Afterwards the scripts should do their job. A svcadm enable svc:/site/smf_service_audit; sleep 10; svcs -Lv svc:/site/smf_service_audit should yield a result like this one:
When you restart a service you want to have audited, you should see something like this. I’ve produced this result by svcadm restart svc:/system/hal:default; sleep 10; svcs -Lv svc:/site/smf_service_audit.
Now we can check the respective preselection masks of the processes:
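To make the whole procedure concrete, here is an added example (not the author's manifest or method script, which are only available via the download links above). It puts the three pieces the post describes into one POSIX shell script: the svccfg calls that configure the auditing service, the selection logic a method script needs to pick the right flags for each smfserviceauditing dependency, and the auditconfig check of a process's preselection mask. The post only fixes the audited_service_*/fmri property and the smfserviceauditing dependency prefix; the property names config/default_auditflags and audited_service_*/auditflags are my assumptions, and the svcprop output embedded in SAMPLE_PROPS is constructed so the selection logic can be exercised on a machine without SMF.

```shell
#!/bin/sh
# Added example, not the author's method script. Assumed property names:
#   config/default_auditflags        default flag set (assumption)
#   audited_service_*/fmri           FMRI of a service with its own flags (from the post)
#   audited_service_*/auditflags     flags for that FMRI (assumption)
#   smfserviceauditing*/entities     dependency naming the service to audit (from the post)
SERVICE=svc:/site/smf_service_audit

# (1) Configuration as typed on a Solaris 11 host: default flags, per-service
# flags for sendmail, and one smfserviceauditing dependency per audited service.
configure() {
  svccfg -s "$SERVICE" setprop config/default_auditflags = astring: "lo,ex"
  svccfg -s "$SERVICE" addpg audited_service_sendmail application
  svccfg -s "$SERVICE" setprop audited_service_sendmail/fmri = astring: svc:/network/smtp:sendmail
  svccfg -s "$SERVICE" setprop audited_service_sendmail/auditflags = astring: "lo,ex,fw,fd"
  for svc in svc:/system/hal:default svc:/network/smtp:sendmail; do
    pg=smfserviceauditing_$(printf '%s' "$svc" | tr -c 'A-Za-z0-9' '_')
    svccfg -s "$SERVICE" addpg "$pg" dependency
    svccfg -s "$SERVICE" setprop "$pg/entities" = fmri: "$svc"
    svccfg -s "$SERVICE" setprop "$pg/grouping" = astring: require_all
    svccfg -s "$SERVICE" setprop "$pg/restart_on" = astring: restart
    svccfg -s "$SERVICE" setprop "$pg/type" = astring: service
  done
  svcadm refresh "$SERVICE"
  svcadm enable "$SERVICE"
}

# Constructed sample of "svcprop $SERVICE" output (pg/prop type value), used
# when svcprop is not available so the selection logic runs off-box.
SAMPLE_PROPS='config/default_auditflags astring lo,ex
audited_service_sendmail/fmri astring svc:/network/smtp:sendmail
audited_service_sendmail/auditflags astring lo,ex,fw,fd
smfserviceauditing_hal/entities fmri svc:/system/hal:default
smfserviceauditing_sendmail/entities fmri svc:/network/smtp:sendmail
general/enabled boolean true'

props() {
  if command -v svcprop >/dev/null 2>&1; then svcprop "$SERVICE"
  else printf '%s\n' "$SAMPLE_PROPS"; fi
}

# (2) FMRIs named by dependencies whose name starts with smfserviceauditing.
audited_fmris() {
  props | awk '$1 ~ /^smfserviceauditing[^\/]*\/entities$/ { print $3 }'
}

# Flags for one FMRI: the audited_service_* group whose fmri matches wins,
# otherwise fall back to config/default_auditflags.
flags_for() {
  props | awk -v fmri="$1" '
    $1 ~ /^audited_service[^\/]*\/fmri$/ && $3 == fmri { sub(/\/fmri$/, "", $1); pg = $1 }
    $1 ~ /^audited_service[^\/]*\/auditflags$/ { flags[$1] = $3 }
    $1 == "config/default_auditflags" { def = $3 }
    END { k = pg "/auditflags"; if (pg != "" && k in flags) print flags[k]; else print def }'
}

# PIDs of a service: "svcs -H -p" prints one "stime pid name" line per process.
service_pids() {
  svcs -H -p "$1" | awk 'NF == 3 && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Set the per-process preselection mask of every process of an FMRI.
apply_flags() {
  service_pids "$1" | while read -r pid; do auditconfig -setpmask "$pid" "$2"; done
}

# (3) The check from the end of the post: show each process's mask.
show_masks() {
  service_pids "$1" | while read -r pid; do auditconfig -getpinfo "$pid"; done
}

# Method-script style driver; only touches processes where auditconfig exists.
for fmri in $(audited_fmris); do
  if command -v auditconfig >/dev/null 2>&1; then
    apply_flags "$fmri" "$(flags_for "$fmri")"
  else
    echo "would set $(flags_for "$fmri") on processes of $fmri"
  fi
done
```

With the sample data, sendmail resolves to its own flag set (lo,ex,fw,fd) and hal falls back to the default (lo,ex), which is exactly the distinction the post makes between per-service and default auditflags. Because the flags are applied to the processes that exist at the moment the method runs, a service restarted later than the auditing service only gets its mask when the dependency triggers another run, which is why the restart_on = restart dependency matters.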