xref: /illumos-gate/usr/src/cmd/auditd/auditd.xml (revision d583b39bfb4e2571d3e41097c5c357ffe353ad45)
1<?xml version="1.0"?>
2<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
3<!--
4 Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
5
6 CDDL HEADER START
7
8 The contents of this file are subject to the terms of the
9 Common Development and Distribution License (the "License").
10 You may not use this file except in compliance with the License.
11
12 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
13 or http://www.opensolaris.org/os/licensing.
14 See the License for the specific language governing permissions
15 and limitations under the License.
16
17 When distributing Covered Code, include this CDDL HEADER in each
18 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
19 If applicable, add the following below this CDDL HEADER, with the
20 fields enclosed by brackets "[]" replaced with your own identifying
21 information: Portions Copyright [yyyy] [name of copyright owner]
22
23 CDDL HEADER END
24
25    NOTE:  This service manifest is not editable; its contents will
26    be overwritten by package or patch operations, including
27    operating system upgrade.  Make customizations in a different
28    file.
29-->
30
31<service_bundle type='manifest' name='SUNWcsr:auditd'>
32
33<service
34	name='system/auditd'
35	type='service'
36	version='1'>
37
38	<single_instance />
39
40	<dependency
41		name='usr'
42		type='service'
43		grouping='require_all'
44		restart_on='none'>
		<!--
		  require_all: auditd is not started until
		  svc:/system/filesystem/local is running.
		  restart_on='none': later state changes of that service
		  do not restart auditd (see smf(5)).
		-->
45		<service_fmri value='svc:/system/filesystem/local' />
46	</dependency>
47
48	<dependency
49		name='ns'
50		type='service'
51		grouping='require_all'
52		restart_on='none'>
		<!--
		  Same grouping as the 'usr' dependency: the name-services
		  milestone must be running before auditd is started.
		-->
53		<service_fmri value='svc:/milestone/name-services' />
54	</dependency>
55
56	<dependency
57		name='syslog'
58		type='service'
59		grouping='optional_all'
60		restart_on='none'>
		<!--
		  optional_all: per smf(5) this is satisfied when
		  svc:/system/system-log is running, and also when it is
		  disabled or not present, so auditd can come up without
		  a syslog daemon.
		  NOTE(review): if the audit_syslog plugin is activated,
		  check separately that system-log is running; this
		  dependency does not enforce it.
		-->
61		<service_fmri value='svc:/system/system-log' />
62	</dependency>
63
64
65	<dependent
66		name='multi-user'
67		grouping='optional_all'
68		restart_on='none'>
		<!--
		  A dependent adds a dependency on this service to the
		  named target. With optional_all the multi-user milestone
		  waits for auditd only when auditd is expected to run; a
		  disabled auditd does not hold it back (see smf(5)).
		-->
69		<service_fmri value='svc:/milestone/multi-user'/>
70	</dependent>
71
72	<dependent
73		name='console-login'
74		grouping='optional_all'
75		restart_on='none'>
		<!--
		  Orders console login after auditd when auditd is enabled.
		  NOTE(review): per smf(5) optional_all is also satisfied
		  when the cited service is in maintenance, so a failed
		  auditd start does not block console login. Monitor the
		  service state if logins must always be audited.
		-->
76		<service_fmri value='svc:/system/console-login'/>
77	</dependent>
78
79	<exec_method
80		type='method'
81		name='start'
82		exec='/lib/svc/method/svc-auditd'
83		timeout_seconds='60'>
		<!--
		  The start method runs the svc-auditd method script as
		  root:root. No 'privileges' or 'limit_privileges'
		  attribute is set on method_credential in this manifest.
		-->
84		<method_context>
85			<method_credential user='root' group='root' />
86		</method_context>
87	</exec_method>
88
89	<exec_method
90		type='method'
91		name='refresh'
92		exec='/lib/svc/method/svc-auditd'
93		timeout_seconds='30'>
		<!--
		  refresh uses the same method script and credentials as
		  start, with a shorter timeout.
		-->
94		<method_context>
95			<method_credential user='root' group='root' />
96		</method_context>
97	</exec_method>
98
99	<!--
100	  auditd waits for c2audit to quiet down after catching a -TERM
101	  before exiting; auditd's timeout is 20 seconds. The stop
	  method's timeout_seconds of 30 is longer than that wait.
	  ':kill -TERM' is the smf_method(5) token that signals the
	  service's processes instead of running a script.
102	-->
103
104	<exec_method
105		type='method'
106		name='stop'
107		exec=':kill -TERM'
108		timeout_seconds='30'>
109		<method_context>
110			<method_credential user='root' group='root' />
111		</method_context>
112	</exec_method>
113
114	<!--
	  SIGs HUP, TERM, and USR1 are all expected by auditd.
	  ignore_error='core,signal' asks svc.startd(1M) not to treat a
	  core dump or a fatal signal in the service's contract as a
	  service error.
	-->
115	<property_group name='startd' type='framework'>
116		<propval name='ignore_error' type='astring'
117			value='core,signal' />
118	</property_group>
119
120	<property_group name='general' type='framework'>
121		<!--
		  To start/stop auditd. Per smf_security(5),
		  action_authorization names the authorization needed to
		  request restarter actions on the service, and
		  value_authorization the one needed to change property
		  values in this property group. Both are
		  solaris.smf.manage.audit here, so a holder of that
		  authorization can stop auditing: grant it sparingly and
		  review who holds it.
		-->
122		<propval name='action_authorization' type='astring'
123			value='solaris.smf.manage.audit' />
124		<propval name='value_authorization' type='astring'
125			value='solaris.smf.manage.audit' />
126	</property_group>
127
128	<instance name='default' enabled='false'>
	<!--
	  enabled='false': the default instance is delivered disabled,
	  so auditd does not run until an administrator enables it.
	-->
129
130	<!--
131	  System-wide audit preselection flags - see auditconfig(1M)
132	  and audit_flags(5).
133
134	  The 'flags' property is the system-wide default set of
135	  audit classes that is combined with the per-user audit
136	  flags to configure the process audit at login and role
137	  assumption time.
138
139	  The 'naflags' property is the set of audit classes for
140	  audit event selection when an event cannot be attributed
141	  to an authenticated user.

	  Both default to the single class 'lo'.
	  NOTE(review): 'lo' is presumably the login/logout class of the
	  stock audit class definitions (confirm locally); if so, the
	  defaults record no other activity until more classes are
	  added here.

	  Reading and changing the values in this property group both
	  require the solaris.smf.value.audit authorization
	  (read_authorization and value_authorization below).
142	-->
143	<property_group name='preselection' type='application'>
144		<propval name='flags' type='astring'
145			value='lo' />
146		<propval name='naflags' type='astring'
147			value='lo' />
148		<propval name='read_authorization' type='astring'
149			value='solaris.smf.value.audit' />
150		<propval name='value_authorization' type='astring'
151			value='solaris.smf.value.audit' />
152	</property_group>
153
154	<!--
155	  Audit Queue Control Properties - see auditconfig(1M)
156
157	    Note that the default value for all the queue control
158	    configuration parameters is 0, which makes auditd(1M)
159	    use the currently active system parameters.

	    Reading and changing these values both require the
	    solaris.smf.value.audit authorization.
160	-->
161	<property_group name='queuectrl' type='application' >
162		<propval name='qbufsz' type='count'
163			value='0' />
164		<propval name='qdelay' type='count'
165			value='0' />
166		<propval name='qhiwater' type='count'
167			value='0' />
168		<propval name='qlowater' type='count'
169			value='0' />
170		<propval name='read_authorization' type='astring'
171			value='solaris.smf.value.audit' />
172		<propval name='value_authorization' type='astring'
173			value='solaris.smf.value.audit' />
174	</property_group>
175
176	<!--
177	  Audit Policies - see auditconfig(1M)
178
179	    Note that the "all" and "none" policies offered as
180	    auditconfig(1M) policy flags stand for the full and the
181	    empty set of the other policy flags. They are therefore not
182	    configurable in the auditd service manifest; they set all
183	    the policies to true (all) or false (none).

	    Defaults below with the most bearing on how complete the
	    audit trail is, as described in auditconfig(1M):
	      cnt='true'    when audit resources are exhausted,
	                    processes are not suspended; records are
	                    dropped and counted instead.
	      ahlt='false'  the machine is not halted when an
	                    asynchronous audit event cannot be
	                    delivered.
	      argv='false', arge='false'
	                    exec arguments and environment are not
	                    added to the audit records.
	    NOTE(review): with cnt on and ahlt off the trail can have
	    gaps when the queue or the audit file system fills. Sites
	    that need a complete trail should review these two settings
	    and watch the dropped-record count (see auditstat(1M)).
184	-->
185	<property_group name='policy' type='application' >
186		<propval name='ahlt' type='boolean'
187			value='false' />
188		<propval name='arge' type='boolean'
189			value='false' />
190		<propval name='argv' type='boolean'
191			value='false' />
192		<propval name='cnt' type='boolean'
193			value='true' />
194		<propval name='group' type='boolean'
195			value='false' />
196		<propval name='path' type='boolean'
197			value='false' />
198		<propval name='perzone' type='boolean'
199			value='false' />
200		<propval name='public' type='boolean'
201			value='false' />
202		<propval name='seq' type='boolean'
203			value='false' />
204		<propval name='trail' type='boolean'
205			value='false' />
206		<propval name='windata_down' type='boolean'
207			value='false' />
208		<propval name='windata_up' type='boolean'
209			value='false' />
210		<propval name='zonename' type='boolean'
211			value='false' />
212		<propval name='read_authorization' type='astring'
213			value='solaris.smf.value.audit' />
214		<propval name='value_authorization' type='astring'
215			value='solaris.smf.value.audit' />
216	</property_group>
217
218	<!--
219	  Plugins to configure where to send the audit trail - see
220	  auditconfig(1M), audit_binfile(5), audit_remote(5),
221	  audit_syslog(5)
222
223	  Each plugin type property group has properties:
224
225	  'active' is a boolean which defines whether or not
226	    to load the plugin.
227
228	  'path' is a string which defines the name of the
229	    plugin's shared object in the file system.
230	    Relative paths assume a prefix of
231	    "/usr/lib/security/$ISA"
232
233	  'qsize' is an integer which defines a plugin specific
234	    maximum number of records that auditd will queue
235	    for it. A zero (0) value indicates not defined.
236	    This overrides the system's active queue control
237	    hiwater mark.
238
239	    and various attributes as defined on the plugin's man page

	  NOTE(review): 'path' names a shared object for auditd to
	  load, and auditd's methods run as root. Whoever can change
	  'path' (value_authorization, solaris.smf.value.audit in the
	  groups below) therefore chooses code that auditd loads, so
	  that authorization should be treated as highly privileged.

	  audit_binfile is the only plugin active by default and
	  writes under p_dir, /var/audit. The manifest sets no owner
	  or mode for that directory; protect it separately.
	  NOTE(review): a value of 0 for p_minfree and p_fsize is
	  presumably "no free-space threshold" and "no file size
	  limit"; confirm in audit_binfile(5) and size the file
	  system holding p_dir accordingly.
240	-->
241	<property_group name='audit_binfile' type='plugin' >
242		<propval name='active' type='boolean'
243			value='true' />
244		<propval name='path' type='astring'
245			value='audit_binfile.so' />
246		<propval name='qsize' type='count'
247			value='0' />
248		<propval name='p_dir' type='astring'
249			value='/var/audit' />
250		<propval name='p_minfree' type='count'
251			value='0' />
252		<propval name='p_fsize' type='count'
253			value='0' />
		<!--
		  read_authorization is a list: either
		  solaris.smf.manage.audit or solaris.smf.value.audit
		  is named as sufficient to read this group's values.
		-->
254		<property name='read_authorization' type='astring'>
255			<astring_list>
256				<value_node value='solaris.smf.manage.audit' />
257				<value_node value='solaris.smf.value.audit' />
258			</astring_list>
259		</property>
260		<propval name='value_authorization' type='astring'
261			value='solaris.smf.value.audit' />
262	</property_group>
263
264	<property_group name='audit_syslog' type='plugin' >
		<!--
		  Syslog output plugin, not loaded by default
		  (active='false') and with an empty p_flags value.
		  See audit_syslog(5) for the meaning of p_flags and for
		  the limits of syslog delivery before relying on it as
		  the only copy of the audit trail.
		-->
265		<propval name='active' type='boolean'
266			value='false' />
267		<propval name='path' type='astring'
268			value='audit_syslog.so' />
269		<propval name='qsize' type='count'
270			value='0' />
271		<propval name='p_flags' type='astring'
272			value='' />
273		<property name='read_authorization' type='astring'>
274			<astring_list>
275				<value_node value='solaris.smf.manage.audit' />
276				<value_node value='solaris.smf.value.audit' />
277			</astring_list>
278		</property>
279		<propval name='value_authorization' type='astring'
280			value='solaris.smf.value.audit' />
281	</property_group>
282
283	<property_group name='audit_remote' type='plugin' >
		<!--
		  Remote delivery plugin, not loaded by default
		  (active='false'); p_hosts is empty, so no remote
		  server is configured. p_retries and p_timeout default
		  to 3 and 5; their units and exact meaning are defined
		  in audit_remote(5).
		  NOTE(review): before activating, check in
		  audit_remote(5) how the connection to the hosts in
		  p_hosts is authenticated and protected.
		-->
284		<propval name='active' type='boolean'
285			value='false' />
286		<propval name='path' type='astring'
287			value='audit_remote.so' />
288		<propval name='qsize' type='count'
289			value='0' />
290		<propval name='p_hosts' type='astring'
291			value='' />
292		<propval name='p_retries' type='count'
293			value='3' />
294		<propval name='p_timeout' type='count'
295			value='5' />
296		<property name='read_authorization' type='astring'>
297			<astring_list>
298				<value_node value='solaris.smf.manage.audit' />
299				<value_node value='solaris.smf.value.audit' />
300			</astring_list>
301		</property>
302		<propval name='value_authorization' type='astring'
303			value='solaris.smf.value.audit' />
304	</property_group>
305
306	</instance>
307
308	<stability value='Evolving' />
309
310	<template>
		<!--
		  Descriptive metadata only: the service's display name
		  and the man pages that document auditd and its plugins.
		-->
311		<common_name>
312			<loctext xml:lang='C'>
313				Solaris audit daemon
314			</loctext>
315		</common_name>
316		<documentation>
317			<manpage title='auditd'
318				section='1M'
319				manpath='/usr/share/man'/>
320			<manpage title='audit'
321				section='1M'
322				manpath='/usr/share/man'/>
323			<manpage title='auditconfig'
324				section='1M'
325				manpath='/usr/share/man'/>
326			<manpage title='audit_flags'
327				section='5'
328				manpath='/usr/share/man'/>
329			<manpage title='audit_binfile'
330				section='5'
331				manpath='/usr/share/man'/>
332			<manpage title='audit_syslog'
333				section='5'
334				manpath='/usr/share/man'/>
335			<manpage title='audit_remote'
336				section='5'
337				manpath='/usr/share/man'/>
338	         </documentation>
339	</template>
340
341</service>
342
343</service_bundle>
344