The Solaris Basic Security Model (BSM) audit daemon (
provides a detailed, (potentially) off-host audit record of
executed processes, file activity, logins/logouts, etc and
can contribute to US DoD C2-class TCSEC certification.
The audit subsystem generates events. The configuration is chosen
by the administrator to select only interesting events for that
environment. These events are queued to configurable plugin event
handlers defined in
Solaris 10 provides two such plugins which are shared objects in
audit_binfile.so— default plugin; writes binary audit data to files.
audit_syslog.so— optional; sends formatted messages to the
OpenSolaris/Solaris 11 provides a third:
audit_remote.so— optional, transmits audit messages securely via a GSS authenticated session to a remote server.
If we could write our own plugin we could:
auditd(1M) plugin API in Solaris 10 and 11 is
private. The functions that we need to implement are:
Their prototypes can be found in
The simplest way to understand these functions is to
read the OpenSolaris implementations under
/* * auditd_plugin_open(), auditd_plugin() and auditd_plugin_close() * implement a replaceable library for use by auditd; they are a * project private interface and may change without notice. */
It looks like this API was going to be opened at some point but I wouldn't count on that today.
Other useful BSM functions are provided in
If that hasn't put you off, here is a quick synopsis of the three functions to be implemented.
auditd_plugin_open() initializes the plugin from the values
defined in the
auditd_rc_t auditd_plugin_open( const kva_t *kvlist, char **ret_list, char **error_text);
audit_plugin() processes one record from the audit subsystem. This
is where the action happens.
auditd_rc_t auditd_plugin( const char *buffer, size_t buf_len, uint32_t sequence, char **error_text);
auditd_plugin_close() performs shutdown/cleanup operations for the
plugin when the audit daemon terminates.
auditd_rc_t auditd_plugin_close( char **error_text);
Implementing the above three functions is not difficult but there are some not-immediately-obvious things to be aware of:
audit_plugin(3)manual page, in particular for details of what happens if the call to
audit_plugin()blocks ("can cause the system to come to a standstill") and for the warning to avoid installing your own sighandlers. (Other points are dated).
<security/auditd.h>regarding the fact that
auditd_plugin_open()trashes its second and third arguments before return (dup before calling).