#! /sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
#

. /lib/svc/share/smf_include.sh

#
# Every external command is addressed by its absolute path, so the
# method does not depend on whatever PATH the restarter hands over.
AUDIT="/usr/sbin/audit"
AUDITCONFIG="/usr/sbin/auditconfig"
AUDITD="/usr/sbin/auditd"
AWK="/usr/bin/awk"
EGREP="/usr/bin/egrep"
MV="/usr/bin/mv"
PKILL="/usr/bin/pkill"
SLEEP="/usr/bin/sleep"
SVCADM="/usr/sbin/svcadm"
SVCCFG="/usr/sbin/svccfg"
SVCS="/usr/bin/svcs"

#
# Legacy configuration script whose presence triggers the one-time
# transition in do_start(), and the FMRI of the service this method
# acts upon.
AUDIT_STARTUP="/etc/security/audit_startup"
AUDITD_FMRI="system/auditd:default"

#
# main - the execution starts here.
main()
{
	#
	# Dispatch on the method name handed over by the restarter.  Only
	# start and refresh are implemented; an empty or unknown method is
	# reported and the script leaves with $SMF_EXIT_ERR_NOSMF.
	case "$SMF_METHOD" in
	'start')
		do_common
		do_start
		;;
	'refresh')
		do_common
		do_refresh
		;;
	'')
		echo "$0: No SMF method defined."
		exit $SMF_EXIT_ERR_NOSMF
		;;
	*)
		echo "$0: Unsupported SMF method: $SMF_METHOD."
		exit $SMF_EXIT_ERR_NOSMF
		;;
	esac
}

#
# do_common - runs the code shared by all supported service methods.
do_common()
{
	#
	# Query the kernel audit condition.  auditconfig(1M) fails while the
	# state is "disabled" and the c2audit module is not loaded; once
	# c2audit is loaded the state reads "noaudit" early in boot and
	# "auditing" only after auditd is running.  Not being able to ask at
	# all is a maintenance condition, not something to retry.
	AUDITCOND=$($AUDITCONFIG -getcond 2>/dev/null) || {
		echo "$0: Unable to get current kernel auditing condition."
		$SVCADM mark maintenance $AUDITD_FMRI
		exit $SMF_EXIT_MON_OFFLINE
	}

	#
	# Inside a non-global zone the daemon is only started/refreshed when
	# the "perzone" (or "all") audit policy is in effect.  Only egrep's
	# "no match" status (1) disables the service; any other status, e.g.
	# an error from the pipeline, falls through to the validation below.
	if smf_is_nonglobalzone; then
		$AUDITCONFIG -t -getpolicy | \
		    $EGREP "perzone|all" >/dev/null 2>&1
		case $? in
		1)
			echo "$0: auditd(1M) is not configured to run in"
			echo " a local zone, perzone policy not set (see auditconfig(1M))."
			$SVCADM disable $AUDITD_FMRI
			$SLEEP 5 &
			exit $SMF_EXIT_OK
			;;
		esac
	fi

	#
	# Let audit(1M) validate the service configuration; its diagnostics
	# are captured and reported before the service is put into
	# maintenance.
	val_err=$($AUDIT -v 2>&1) || {
		echo "$0: audit service misconfiguration detected (${val_err})"
		$SVCADM mark maintenance $AUDITD_FMRI
		exit $SMF_EXIT_MON_OFFLINE
	}
}

#
# do_start - service start method helper.
do_start()
{
	#
	# One-time transition of the legacy audit_startup(1M) script: it is
	# run a last time and then renamed out of the way, after which the
	# properties of $AUDITD_FMRI are the only source of configuration.
	# The script is executed with this method's privileges, so its
	# ownership and permissions deserve the same care as the manifest.
	if [ -f "$AUDIT_STARTUP" ]; then
		[ -x "$AUDIT_STARTUP" ] || {
			echo "$0: Unable to execute $AUDIT_STARTUP"
			$SVCADM mark maintenance $AUDITD_FMRI
			exit $SMF_EXIT_MON_OFFLINE
		}
		$AUDIT_STARTUP

		echo "$0: Transition of audit_startup(1M) started."

		#
		# A failed rename is reported but not fatal; the file is simply
		# left where it is.
		$MV $AUDIT_STARTUP $AUDIT_STARTUP._transitioned_ || {
			echo "$0: The $AUDIT_STARTUP was not moved to"
			echo " $AUDIT_STARTUP._transitioned_"
		}

		#
		# Refresh so that the newly created properties are visible to
		# any svcprop(1) run from here on.
		$SVCCFG -s $AUDITD_FMRI refresh || {
			echo "$0: Refresh of $AUDITD_FMRI configuration failed."
			$SVCADM mark maintenance $AUDITD_FMRI
			exit $SMF_EXIT_ERR_CONFIG
		}

		echo "$0: Transition of audit_startup(1M) finished."
	fi

	#
	# auditd(1M) forks; the parent exits once the child reports ready.
	exec $AUDITD
}

#
# do_refresh - service refresh method helper.
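do_refresh()
{
	#
	# Refresh is only supported once audit_startup(1M) has been folded
	# into the $AUDITD_FMRI service properties (see do_start()).  With
	# the legacy script still present the configuration is ambiguous,
	# so the service is put into maintenance instead.
	if [ -f "$AUDIT_STARTUP" ]; then
		echo "$0: Service refresh method not supported on systems" \
		    "without converted audit_startup(1M) into auditd service" \
		    "SMF configuration. Clear the service (svcadm(1M))."
		$SVCADM mark maintenance $AUDITD_FMRI
		exit $SMF_EXIT_ERR_CONFIG
	fi

	#
	# Find the process contract of the running daemon; the signal below
	# is addressed by contract id (pkill -c), not by pid.
	contract_id=`$SVCS -l $AUDITD_FMRI | \
	    $AWK '/^contract_id/ {print $2}'`
	if [ -z "${contract_id}" ]; then
		echo "$0: Service $AUDITD_FMRI has no associated" \
		    "contract. Service cannot be refreshed."
		exit $SMF_EXIT_ERR_FATAL
	fi

	#
	# Ask auditd(1M) to re-read its configuration.  pkill's status is
	# saved before it is tested: "$?" inside the error message would
	# otherwise report the status of the [ ] test, never pkill's.
	$PKILL -HUP -c ${contract_id}
	pkill_rc=$?
	if [ $pkill_rc -ne 0 ]; then
		echo "$0: SIGHUP was not successfully delivered to" \
		    "the related contract (${contract_id}/err:$pkill_rc)."
		$SVCADM mark maintenance $AUDITD_FMRI
		exit $SMF_EXIT_ERR_FATAL
	fi
	$SLEEP 5 &
}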
#
# Entry point: all work happens in main(), driven by $SMF_METHOD.
main "$@"