Auditing a single SMF service - revisited

A few days ago I wrote an article about how you can set audit flags for the processes of SMF services. The scripts were really just proof-of-concept ones, and using them involved a lot of copying and pasting. Well … I had some spare time on Saturday and wrote an even worse hack. The problem is still the same as in the older blog entry. Simply said: processes of SMF services have no audit flags set, so they aren't audited, and nothing about them appears in the audit logs.

This script has the following features/weirdnesses:

Configuration

At first you need an SMF manifest. It is pretty much just the output of svcbundle for a transient service. You can download it here.

Then you need the method script. It’s available here.

Please keep in mind: Do whatever you want with the scripts, they are nothing special, but don't ask me (or my employer) for support and bug fixing. And I don't guarantee it works, I don't guarantee it doesn't have gaping security holes, I don't guarantee it won't break your system and I can't guarantee that no animals were harmed, because to be exact, one animal was harmed … a housefly.

In order to use the manifest, copy it to the correct location. The command obviously assumes you have downloaded your files to your home directory.

cp ~/smf_service_auditing.xml /lib/svc/manifest/site/smf_service_auditing.xml

Afterwards execute:

svcadm restart manifest-import

In order to use the method script, copy it to the method directory and make it executable:

cp ~/smf_service_auditing /lib/svc/method/smf_service_auditing
chmod +x /lib/svc/method/smf_service_auditing

Okay, now we have to configure it. First we set the default audit flags. These defaults are only applied to services that svc:/site/smf_service_audit:default depends on (the dependencies are defined further down) and that have no per-service flags of their own.

svccfg -s svc:/site/smf_service_audit:default addpg auditconfig application
svccfg -s svc:/site/smf_service_audit:default setprop auditconfig/defaultflags= astring: "lo,ex"

Now I want to show you how to define non-default auditflags for a single service:

svccfg -s svc:/site/smf_service_audit:default addpg audited_service_hal application
svccfg -s svc:/site/smf_service_audit:default setprop audited_service_hal/fmri= astring: "svc:/system/hal:default"
svccfg -s svc:/site/smf_service_audit:default setprop audited_service_hal/auditflags= astring: "ex"

The FMRI in audited_service_*/fmri must be the same one you use later in the dependencies. To be recognized, the property groups defining per-service audit flags must have names beginning with audited_service; what follows doesn't matter.

Now you have to make svc:/site/smf_service_audit:default depend on the services whose processes should get the audit flags. Only dependencies whose names begin with smfserviceauditing are considered by the script; what follows doesn't matter. The restart_on value of refresh is what makes this work: whenever one of those services is restarted or refreshed, SMF restarts the audit service, so its start method runs again and sets the flags on the new processes. In my example I want to set audit flags for the services svc:/system/hal:default and svc:/network/smtp:sendmail.

First we set the necessary parameters for svc:/network/smtp:sendmail:

svccfg -s svc:/site/smf_service_audit:default addpg smfserviceauditing_sendmail_dependency dependency
svccfg -s svc:/site/smf_service_audit:default setprop smfserviceauditing_sendmail_dependency/entities= fmri: svc:/network/smtp:sendmail
svccfg -s svc:/site/smf_service_audit:default setprop smfserviceauditing_sendmail_dependency/grouping= astring: optional_all
svccfg -s svc:/site/smf_service_audit:default setprop smfserviceauditing_sendmail_dependency/restart_on= astring: refresh
svccfg -s svc:/site/smf_service_audit:default setprop smfserviceauditing_sendmail_dependency/type= astring: service

Now we set the necessary parameters for svc:/system/hal:default:

svccfg -s svc:/site/smf_service_audit:default addpg smfserviceauditing_hal_dependency dependency
svccfg -s svc:/site/smf_service_audit:default setprop smfserviceauditing_hal_dependency/entities= fmri: svc:/system/hal:default
svccfg -s svc:/site/smf_service_audit:default setprop smfserviceauditing_hal_dependency/grouping= astring: optional_all
svccfg -s svc:/site/smf_service_audit:default setprop smfserviceauditing_hal_dependency/restart_on= astring: refresh
svccfg -s svc:/site/smf_service_audit:default setprop smfserviceauditing_hal_dependency/type= astring: service

Okay, in order to activate all the changes and enable the service we have to execute the following command.

svcadm refresh svc:/site/smf_service_audit:default
svcadm enable svc:/site/smf_service_audit:default
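The method script the manifest points at is linked above rather than shown. What follows is an added example, my own reconstruction of what such a start method has to do given the property-group conventions just described; it is not the author's script. It assumes the svcprop(1) output format "pg/prop type value", that svcs -H -o ctid prints the contract id of a service, that pgrep -c lists the processes in a contract, that auditconfig -setpmask sets a process's preselection mask, and that svc.startd exports SMF_FMRI to method scripts. The lines in SAMPLE_PROPS are constructed from the svccfg commands above so the parsing functions can be tried on a machine without SMF.

```shell
#!/bin/sh
# Added example: a start method that applies audit flags to the processes
# of every service svc:/site/smf_service_audit:default depends on.
# Not the author's script; command names and output formats are
# assumptions from the Solaris 11 man pages (svcprop, svcs -o ctid,
# pgrep -c, auditconfig -setpmask).

# Property-group conventions taken from the article:
#   auditconfig/defaultflags               flags used when no override exists
#   audited_service_<x>/fmri, /auditflags  per-service override
#   smfserviceauditing_<x>/entities        services to cover (the dependencies)

# Constructed sample of "svcprop <fmri>" output (assumed format:
# pg/prop type value), built from the article's svccfg commands.
SAMPLE_PROPS='auditconfig/defaultflags astring lo,ex
audited_service_hal/fmri astring svc:/system/hal:default
audited_service_hal/auditflags astring ex
smfserviceauditing_sendmail_dependency/entities fmri svc:/network/smtp:sendmail
smfserviceauditing_sendmail_dependency/grouping astring optional_all
smfserviceauditing_hal_dependency/entities fmri svc:/system/hal:default
smfserviceauditing_hal_dependency/restart_on astring refresh'

# covered_services: read svcprop lines on stdin and print the FMRIs listed
# in the entities of every dependency whose name starts with smfserviceauditing.
covered_services() {
    awk '{ split($1, a, "/") }
         a[1] ~ /^smfserviceauditing/ && a[2] == "entities" {
             for (i = 3; i <= NF; i++) print $i }'
}

# flags_for_service FMRI: read svcprop lines on stdin and print the flags
# for FMRI: an audited_service_* override if one names it, else the defaults.
flags_for_service() {
    awk -v fmri="$1" '
        { split($1, a, "/") }
        a[1] == "auditconfig" && a[2] == "defaultflags"   { def = $3 }
        a[1] ~ /^audited_service/ && a[2] == "fmri"       { ov[a[1]] = $3 }
        a[1] ~ /^audited_service/ && a[2] == "auditflags" { fl[a[1]] = $3 }
        END {
            for (pg in ov)
                if (ov[pg] == fmri && (pg in fl)) { print fl[pg]; exit }
            print def
        }'
}

# service_pids FMRI: PIDs in the service contract (Solaris only).
service_pids() {
    ctid=$(svcs -H -o ctid "$1" 2>/dev/null)
    case "$ctid" in ""|-) return 0 ;; esac     # service has no contract
    echo "LOG   -> Contractid $ctid" >&2
    pgrep -c "$ctid"
}

# apply_flags FMRI FLAGS: set the preselection mask on every process.
apply_flags() {
    for pid in $(service_pids "$1"); do
        echo "LOG   -> Process : $pid Flags: $2"
        auditconfig -setpmask "$pid" "$2" ||
            echo "LOG   -> setpmask failed for $pid" >&2
    done
}

start_method() {
    props=$(svcprop "$SMF_FMRI")
    echo "LOG   -> observing service $SMF_FMRI"
    for svc in $(printf '%s\n' "$props" | covered_services); do
        echo "LOG   -> Service $svc"
        flags=$(printf '%s\n' "$props" | flags_for_service "$svc")
        [ -n "$flags" ] || { echo "LOG   -> no flags for $svc" >&2; continue; }
        apply_flags "$svc" "$flags"
    done
}

# Only act when svc.startd runs this file as the start method (it exports
# SMF_FMRI); otherwise the functions are merely defined.
if [ -n "${SMF_FMRI:-}" ] && [ "${1:-}" = "start" ]; then
    start_method
fi
```

Two caveats worth keeping in mind with this approach, whatever the script looks like. The mask is applied after the processes already exist, so the exec of the daemon itself and anything it does before the start method gets to it are not audited; and auditconfig -setpmask needs the privilege to change another process's audit state, so the method runs with root's privileges and the property values it reads from the repository effectively become arguments to a privileged command. Keep write access to the service's properties as tight as you keep root.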

Operation

Afterwards the script should do its job. Running svcadm enable svc:/site/smf_service_audit; sleep 10; svcs -Lv svc:/site/smf_service_audit should yield output like this:

[ Jun  8 23:52:38 Enabled. ]
[ Jun  8 23:52:38 Executing start method ("/lib/svc/method/smf_service_auditing start"). ]
LOG   -> observing service svc:/site/smf_service_audit:default
LOG   -> Service svc:/network/smtp:sendmail
LOG   -> Contractid 2105
LOG   -> Process : 17324 Flags: lo,ex
LOG   -> Service svc:/system/hal:default
LOG   -> Contractid 2125
LOG   -> Process : 17468 Flags: ex
LOG   -> Process : 17467 Flags: ex
LOG   -> Process : 17464 Flags: ex
LOG   -> Process : 17465 Flags: ex
LOG   -> Process : 17471 Flags: ex
[ Jun  8 23:52:38 Method "start" exited with status 0. ]

When you restart a service you want to have audited, you should see something like this. I've produced this result with svcadm restart svc:/system/hal:default; sleep 10; svcs -Lv svc:/site/smf_service_audit.

[ Jun  8 23:53:56 Stopping because dependency activity requires stop. ]
[ Jun  8 23:53:56 Executing stop method (:true). ]
[ Jun  8 23:53:56 Executing start method ("/lib/svc/method/smf_service_auditing start"). ]
LOG   -> observing service svc:/site/smf_service_audit:default
LOG   -> Service svc:/network/smtp:sendmail
LOG   -> Contractid 2105
LOG   -> Process : 17324 Flags: lo,ex
LOG   -> Service svc:/system/hal:default
LOG   -> Contractid 2132
LOG   -> Process : 17520 Flags: ex
LOG   -> Process : 17521 Flags: ex
LOG   -> Process : 17523 Flags: ex
LOG   -> Process : 17527 Flags: ex
LOG   -> Process : 17524 Flags: ex
[ Jun  8 23:53:57 Method "start" exited with status 0. ]

Now we can check the respective preselection masks of the processes:

# auditconfig -getpinfo 17520
audit id = unknown(-2)
process preselection mask = ex(0x80000000,0x80000000)
terminal id (maj,min,host) = 0,0,unknown(::)
audit session id = 0
# auditconfig -getpinfo 17324
audit id = unknown(-2)
process preselection mask = ex,lo(0x80001000,0x80001000)
terminal id (maj,min,host) = 0,0,unknown(::)
audit session id = 0
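Note that auditconfig prints the flags in its own order ("ex,lo" for what was configured as "lo,ex"), so a check has to compare them as sets. As an added example that is not part of the article, the following compares the mask of every process in a service's contract against the flags you configured, instead of eyeballing one PID at a time. It is my own code; it assumes the auditconfig -getpinfo output format shown above and, for the live check, that svcs -H -o ctid prints the contract id and pgrep -c lists the processes in it. SAMPLE_PINFO is constructed from the output above so the parsing can be tried offline.

```shell
#!/bin/sh
# Added check, not from the article: confirm every process of a service
# carries the preselection mask the audit service should have set.
# Command names and formats are assumptions from Solaris 11 man pages.

# Constructed sample of "auditconfig -getpinfo <pid>" output, modelled on
# the article's output for PID 17324.
SAMPLE_PINFO='audit id = unknown(-2)
process preselection mask = ex,lo(0x80001000,0x80001000)
terminal id (maj,min,host) = 0,0,unknown(::)
audit session id = 0'

# normalize FLAGS: print a comma-separated flag list in sorted order, so
# "lo,ex" and "ex,lo" become the same string.
normalize() {
    printf '%s\n' "$1" | tr ',' '\n' | sort | paste -s -d , -
}

# mask_flags: read -getpinfo output on stdin and print the normalized
# flag names of the "process preselection mask" line (empty if none).
mask_flags() {
    normalize "$(sed -n 's/^process preselection mask = \([^(]*\)(.*$/\1/p')"
}

# same_flags A B: succeed when the two flag lists denote the same set.
same_flags() {
    [ "$(normalize "$1")" = "$(normalize "$2")" ]
}

# check_service FMRI EXPECTED: live check of every PID in the service
# contract (Solaris only); non-zero exit if any process deviates.
check_service() {
    ctid=$(svcs -H -o ctid "$1" 2>/dev/null)
    case "$ctid" in ""|-) echo "no contract for $1" >&2; return 1 ;; esac
    rc=0
    for pid in $(pgrep -c "$ctid"); do
        got=$(auditconfig -getpinfo "$pid" | mask_flags)
        if same_flags "$got" "$2"; then
            echo "OK   $pid mask=$got"
        else
            echo "FAIL $pid expected=$2 got=${got:-none}"
            rc=1
        fi
    done
    return $rc
}
```

Typical use after a restart of an audited service: check_service svc:/system/hal:default ex, and check_service svc:/network/smtp:sendmail lo,ex. A FAIL for a PID that is a child forked before the start method ran is the ordering problem mentioned earlier rather than a configuration error; a FAIL on every PID usually means the audit service did not restart, which svcs -Lv on it will show.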