Yet another small feature. I’m working on a blog entry about ZFS retention in the evenings, but it will take some time to complete it. So a blog entry about the addition of SMF audit records to admhist has to do for today.

For quite a while now, you have been able to get a log of system-administration-related events with the admhist command, for example the execution of the ntpdate command.

    # admhist
    2024-07-09 17:29:13 jmoekamp /usr/sbin/ntpdate ntpdate ntp1.ptb.de

However, since SRU 60 you can also see SMF events in the admhist output, showing you what’s going on in regard to SMF administration.

In this example I’m restarting SSH.

    2024-07-09 17:29:37 jmoekamp success create service instance property svc:/network/ssh:default/:properties/restarter_actions/auxiliary_tty
    2024-07-09 17:29:37 jmoekamp success create service instance property svc:/network/ssh:default/:properties/restarter_actions/auxiliary_fmri
    2024-07-09 17:29:37 jmoekamp success restart service instance svc:/network/ssh:default/:properties/restarter_actions/restart 
    2024-07-09 17:29:37 jmoekamp success create service instance property svc:/network/ssh:default/:properties/restarter_actions/restart 

If you disable the sendmail service, you will find the following lines in the output of the admhist command.

    2024-07-09 17:36:12 jmoekamp success create service instance property svc:/network/smtp:sendmail/:properties/restarter_actions/auxiliary_tty 
    2024-07-09 17:36:12 jmoekamp success create service instance property svc:/network/smtp:sendmail/:properties/restarter_actions/auxiliary_fmri 
    2024-07-09 17:36:12 jmoekamp success persistently disable service instance svc:/network/smtp:sendmail/:properties/general/enabled 
    2024-07-09 17:36:12 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/general/enabled 

Enabling it again won’t go unnoticed either:

    2024-07-09 17:36:30 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/restarter_actions/auxiliary_tty 
    2024-07-09 17:36:30 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/restarter_actions/auxiliary_fmri 
    2024-07-09 17:36:30 jmoekamp success persistently enable service instance svc:/network/smtp:sendmail/:properties/general/enabled 
    2024-07-09 17:36:30 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/general/enabled 

The data used for this output is in the Solaris Audit subsystem. You could get it with praudit as well.

    header,192,2,persistently enable service instance,,testbed,2024-07-09 17:36:30.094+02:00
    subject,jmoekamp,root,root,root,root,1003,1137086766,148 2 192.168.31.224
    use of authorization,solaris.smf.modify
    fmri,svc:/network/smtp:sendmail/:properties/general/enabled
    return,success,0

You may recognise the output. However, I think admhist is much more comfortable, as you don’t have to find out the name of the current audit trail file.
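An added example, not part of the original post or of Solaris itself: a small Python parser for the SMF lines shown above that drops the accompanying property records and reports the latest state change per service instance. The field layout is inferred from the sample output on this page, not from admhist documentation, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the admhist output shown in this post.
SAMPLE = """\
2024-07-09 17:29:13 jmoekamp /usr/sbin/ntpdate ntpdate ntp1.ptb.de
2024-07-09 17:29:37 jmoekamp success restart service instance svc:/network/ssh:default/:properties/restarter_actions/restart
2024-07-09 17:36:12 jmoekamp success create service instance property svc:/network/smtp:sendmail/:properties/restarter_actions/auxiliary_tty
2024-07-09 17:36:12 jmoekamp success persistently disable service instance svc:/network/smtp:sendmail/:properties/general/enabled
2024-07-09 17:36:12 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/general/enabled
2024-07-09 17:36:30 jmoekamp success persistently enable service instance svc:/network/smtp:sendmail/:properties/general/enabled
"""

# Assumed layout, inferred from the samples above:
# "<date> <time> <user> <outcome> <event text> <svc:/ FMRI>"
SMF_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s+(svc:/\S+)\s*$")

def parse_smf(line):
    """Return a dict for an SMF event line, or None for anything else."""
    m = SMF_RE.match(line)
    if not m or m.group(3).startswith("/"):   # a path here means a command line
        return None
    ts, user, outcome, event, fmri = m.groups()
    instance, _, prop = fmri.partition("/:properties/")
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "outcome": outcome, "event": event, "instance": instance,
            "property": prop}

def state_changes(text):
    """Keep events that change a service's state; drop the property
    create/change records that accompany each action."""
    events = [e for e in map(parse_smf, text.splitlines()) if e]
    return [e for e in events if not e["event"].endswith("property")]

def last_state(text):
    """Map each instance to (event, user, time) of its latest state change."""
    latest = {}
    for e in sorted(state_changes(text), key=lambda e: e["time"]):
        latest[e["instance"]] = (e["event"], e["user"], e["time"])
    return latest

if __name__ == "__main__":
    for inst, (event, user, when) in last_state(SAMPLE).items():
        print(f"{when} {user}: {event} -> {inst}")
```

Command lines such as the ntpdate entry are skipped even when their last argument is an FMRI, because the field after the user name is then a path rather than an outcome.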

Written by

Joerg Moellenkamp

Grey-haired, sometimes grey-bearded Windows dismissing Unix guy.