#! /usr/sbin/sh # # Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. # . /lib/svc/share/smf_include.sh AUDIT=/usr/sbin/audit AUDITCONFIG=/usr/sbin/auditconfig AUDITD=/usr/sbin/auditd NAWK=/usr/bin/nawk EGREP=/usr/bin/egrep MV=/usr/bin/mv PKILL=/usr/bin/pkill SLEEP=/usr/bin/sleep SVCADM=/usr/sbin/svcadm SVCCFG=/usr/sbin/svccfg SVCS=/usr/bin/svcs SVCPROP=/usr/bin/svcprop AUDITD_FMRI="system/auditd:default" # # main - the execution starts there. main() { # # Do the basic argument inspection and take the appropriate action. case "$SMF_METHOD" in start) do_common exec $AUDITD ;; refresh) do_common do_refresh ;; *) if [ -z "$SMF_METHOD" ]; then echo "$0: No SMF method defined." else echo "$0: Unsupported SMF method: $SMF_METHOD." fi exit $SMF_EXIT_ERR_NOSMF ;; esac } # # do_common - executes all the code common to all supported service methods. do_common() { # # Local auditing: if the c2audit module is excluded in system(4) in GZ # auditconfig(1M) returns "disabled" state; if c2audit is loaded # "noaudit" is returned and "auditing" only after auditd(1M) starts. LAUDITCOND="$($AUDITCONFIG -getcond 2>/dev/null | $NAWK '{print $NF}')" RAUDITCOND="$($AUDITCONFIG -getremote 2>/dev/null | $NAWK ' BEGIN { FS = "[()]" } /^Audit/ { ars = $2 } /^Connection/ { if ($2 == "active") { cgrp = $2 exit } } END { if (ars == "" && cgrp != "") { print "active" exit } print "inactive" }')" if [ $RAUDITCOND = "inactive" -a $LAUDITCOND = "disabled" ]; then echo "$0: At least c2audit kernel module must be" \ "available or audit remote server must be active." $SVCADM mark maintenance $AUDITD_FMRI exit $SMF_EXIT_MON_OFFLINE fi # # In a non-global zone, auditd is started/refreshed only if the # "perzone" audit policy has been set or the audit remote server # is active. smf_is_nonglobalzone && if [ $LAUDITCOND != "disabled" ]; then $AUDITCONFIG -t -getpolicy | \ $EGREP "perzone|all" 1>/dev/null 2>&1 if [ $? -eq 1 ]; then echo "$0: auditd(1M) local auditing is not configured" \ "to run in a local zone, perzone policy not set" \ "(see auditconfig(1M))." if [ $RAUDITCOND != "active" ]; then $SVCADM disable $AUDITD_FMRI $SLEEP 5 & exit $SMF_EXIT_OK fi fi fi # # Validate the audit service configuration val_err="$($AUDIT -v 2>&1)" if [ $? -ne 0 ]; then echo "$0: audit service misconfiguration detected (${val_err})" $SVCADM mark maintenance $AUDITD_FMRI exit $SMF_EXIT_MON_OFFLINE fi } # # do_refresh - service refresh method helper. do_refresh() { # # Find the contract_id. contract_id=$($SVCPROP -p restarter/contract $AUDITD_FMRI) if [ -z "${contract_id}" ]; then echo "$0: Service $AUDITD_FMRI has no associated" \ "contract. Service cannot be refreshed." exit $SMF_EXIT_ERR_FATAL fi # # Signal auditd(1M). $PKILL -HUP -c ${contract_id} if [ $? -ne 0 ]; then echo "$0: SIGHUP was not successfully delivered to" \ "the related contract (${contract_id}/err:$?)." $SVCADM mark maintenance $AUDITD_FMRI exit $SMF_EXIT_ERR_FATAL fi $SLEEP 5 & } # # Call main() to start the own script execution. main