#! /sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#
# SMF method script for the audit daemon service (system/auditd:default).
# Only the "start" and "refresh" methods are handled.  The script runs
# under the Bourne shell (/sbin/sh), so it deliberately avoids $(...),
# "local" and other Bourne-incompatible constructs.

. /lib/svc/share/smf_include.sh

#
# Absolute paths of every external command used below, so that the
# method does not depend on the PATH it inherits from svc.startd.
AUDITCONFIG=/usr/sbin/auditconfig
AUDITD=/usr/sbin/auditd
AWK=/usr/bin/awk
EGREP=/usr/bin/egrep
MV=/usr/bin/mv
PKILL=/usr/bin/pkill
SLEEP=/usr/bin/sleep
SVCADM=/usr/sbin/svcadm
SVCCFG=/usr/sbin/svccfg
SVCS=/usr/bin/svcs

# Legacy configuration script and the FMRI of the service this method
# serves.
AUDIT_STARTUP=/etc/security/audit_startup
AUDITD_FMRI="system/auditd:default"


#
# main - the execution starts there.
#
# Dispatches on $SMF_METHOD (set by svc.startd).  "start" and "refresh"
# first run do_common and then their own helper; an empty or unknown
# method name is reported and the script exits with SMF_EXIT_ERR_NOSMF.
main()
{
	case "$SMF_METHOD" in
	start)
		method=do_start
		;;
	refresh)
		method=do_refresh
		;;
	"")
		echo "$0: No SMF method defined."
		exit $SMF_EXIT_ERR_NOSMF
		;;
	*)
		echo "$0: Unsupported SMF method: $SMF_METHOD."
		exit $SMF_EXIT_ERR_NOSMF
		;;
	esac

	#
	# Checks shared by every supported method run before the
	# method-specific helper.
	do_common
	$method
}


#
# do_common - executes all the code common to all supported service methods.
do_common()
{
	#
	# auditconfig -getcond fails when the audit state is "disabled"
	# and the c2audit module is not loaded; with c2audit loaded the
	# state reads "noaudit" early in boot and "auditing" once auditd
	# is up.  When the condition cannot be read at all the service is
	# put into maintenance instead of guessing.  (AUDITCOND itself is
	# not referenced anywhere else in this script.)
	AUDITCOND="`$AUDITCONFIG -getcond 2>/dev/null`"
	if [ $? -ne 0 ]; then
		# The decision whether to start
		# auditing is driven by bsmconv(1M) / bsmunconv(1M)
		echo "$0: Unable to get current kernel auditing condition."
		$SVCADM mark maintenance $AUDITD_FMRI
		exit $SMF_EXIT_MON_OFFLINE
	fi

	#
	# Nothing more to check in the global zone.
	smf_is_nonglobalzone || return 0

	#
	# In a non-global zone auditd is started/refreshed only if the
	# "perzone" audit policy (or "all") has been set.  Only an egrep
	# status of exactly 1 (no match) disables the service; any other
	# status lets the start/refresh proceed.
	$AUDITCONFIG -t -getpolicy | \
	    $EGREP "perzone|all" 1>/dev/null 2>&1
	case $? in
	1)
		echo "$0: auditd is not configured to run in a local"
		echo "    zone, perzone policy not set" \
		    "(see auditconfig(1M))."
		$SVCADM disable $AUDITD_FMRI
		# NOTE(review): the purpose of the backgrounded sleep
		# before exiting is not documented here - confirm before
		# changing it.
		$SLEEP 5 &
		exit $SMF_EXIT_OK
		;;
	esac
}

#
# do_start - service start method helper.
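do_start()
{
	#
	# do_start - service start method helper.
	#
	# If the legacy audit_startup(1M) script is still present it is
	# run once ("transition"), then moved aside and the service is
	# refreshed so that properties created during the transition are
	# visible to later svcprop(1) calls.  Finally the daemon is exec'd.
	#
	# Exit status: SMF_EXIT_MON_OFFLINE when the script exists but is
	# not executable; SMF_EXIT_ERR_CONFIG when the script itself or the
	# service refresh fails (the service is marked maintenance in every
	# error case).  On success this function does not return.
	if [ -f "$AUDIT_STARTUP" ]; then
		if [ ! -x "$AUDIT_STARTUP" ]; then
			echo "$0: Unable to execute $AUDIT_STARTUP"
			$SVCADM mark maintenance $AUDITD_FMRI
			exit $SMF_EXIT_MON_OFFLINE
		fi

		echo "$0: Transition of audit_startup(1M) started."

		#
		# A failing audit_startup(1M) must not be moved aside:
		# whatever it did not manage to configure would be lost
		# silently and auditing would come up with settings the
		# administrator did not choose.  Leave the file in place
		# and make the failure visible through maintenance state.
		"$AUDIT_STARTUP"
		rv=$?
		if [ $rv -ne 0 ]; then
			echo "$0: $AUDIT_STARTUP failed (exit status $rv);" \
			    "transition of audit_startup(1M) aborted."
			$SVCADM mark maintenance $AUDITD_FMRI
			exit $SMF_EXIT_ERR_CONFIG
		fi

		#
		# Keep the transitioned script under a new name.  A failed
		# rename is only reported: the script stays where it is and
		# the transition is simply attempted again on the next start.
		$MV "$AUDIT_STARTUP" "$AUDIT_STARTUP._transitioned_"
		if [ $? -ne 0 ]; then
			echo "$0: The $AUDIT_STARTUP was not moved to"
			echo "    $AUDIT_STARTUP._transitioned_"
		fi

		#
		# Refreshing service to make the newly created properties
		# available for any other consequent svcprop(1).
		$SVCCFG -s $AUDITD_FMRI refresh
		if [ $? -ne 0 ]; then
			echo "$0: Refresh of $AUDITD_FMRI configuration failed."
			$SVCADM mark maintenance $AUDITD_FMRI
			exit $SMF_EXIT_ERR_CONFIG
		fi

		echo "$0: Transition of audit_startup(1M) finished."
	fi

	#
	# Daemon forks, parent exits when child says it's ready.
	exec $AUDITD
}

#
# do_refresh - service refresh method helper.
#
# Refresh is only supported once audit_startup(1M) has been converted
# into $AUDITD_FMRI service properties (see do_start()).  The processes
# in the service contract are then sent SIGHUP.
#
# Exit status: SMF_EXIT_ERR_CONFIG while audit_startup(1M) is still
# present; SMF_EXIT_ERR_FATAL when the service has no contract or the
# signal cannot be delivered (maintenance is requested in the latter
# case); 0 otherwise.
do_refresh()
{
	if [ -f "$AUDIT_STARTUP" ]; then
		echo "$0: Service refresh method not supported on systems" \
		    "without converted audit_startup(1M) into auditd service" \
		    "SMF configuration. Clear the service (svcadm(1M))."
		$SVCADM mark maintenance $AUDITD_FMRI
		exit $SMF_EXIT_ERR_CONFIG
	fi

	#
	# Find the contract_id.
	contract_id=`$SVCS -l $AUDITD_FMRI | \
	    $AWK '/^contract_id/ {print $2}'`
	if [ -z "${contract_id}" ]; then
		echo "$0: Service $AUDITD_FMRI has no associated" \
		    "contract. Service cannot be refreshed."
		exit $SMF_EXIT_ERR_FATAL
	fi

	#
	# signal to auditd(1M).  The status is saved right away: inside
	# the "if" body $? would already be the status of the test
	# command, so the reported error code would always read 0.
	$PKILL -HUP -c ${contract_id}
	rv=$?
	if [ $rv -ne 0 ]; then
		echo "$0: SIGHUP was not successfully delivered to" \
		    "the related contract (${contract_id}/err:$rv)."
		$SVCADM mark maintenance $AUDITD_FMRI
		exit $SMF_EXIT_ERR_FATAL
	fi
	# NOTE(review): the purpose of this backgrounded sleep is not
	# documented here - confirm before changing it.
	$SLEEP 5 &
}


#
# Call main() to start the own script execution.
main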