Always-on Audit

No Reboot Audit

The No Reboot Audit project (PSARC/2009/354) provides the ability to enable and disable Solaris Auditing without requiring a reboot.

Current system behavior

Historically, Solaris Auditing required the administrator to run the now obsolete bsmconv(1m) command, configure auditing and reboot. To disable auditing the administrator had to run the now obsolete bsmunconv(1m) command and reboot. One of the current bsmconv(1m) functions is to modify system(4) to load the Solaris Audit kernel module (set c2audit:audit_load = 1), thus requiring the reboot, and to enable the audit service. Similarly, when auditing is being disabled, bsmunconv(1m) modifies system(4) to unload the Solaris Audit kernel module (by adding set c2audit:audit_load = 0) and disables the audit service.

New system behavior

The modification of system(4) and the implied reboot will no longer be required to enable or disable Solaris Auditing. Solaris Auditing will always be available to be configured and then enabled either by bsmconv(1m), if device allocation is also desired, or by audit(1m) -s. Solaris Auditing can similarly be disabled by running bsmunconv(1m) or audit(1m) -t.

While audit -s/-t is the preferred, documented, and historic interface for
enabling/refreshing/disabling the audit daemon, svcadm enable/refresh/disable svc:/system/auditd will work as well.

It will still be possible to keep the Solaris Audit kernel module from loading by setting the appropriate directive (exclude:c2audit) in system(4).
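The enable/disable procedure above, written out as a small POSIX shell helper. This is an added example, not a script from the project or the page: it assumes a Solaris host with the new (no-reboot) behaviour, the real audit(1m) and svcs(1) commands, and a system(4) file at the path in SYSTEM_FILE. The check for an exclude:c2audit directive and the SMF state verification after each step are the example's own additions; the page only states that the directive keeps the module from loading.

```shell
#!/bin/sh
# Added example (not from the project page): enable or disable Solaris
# Auditing without a reboot and verify the result through SMF.

AUDITD_FMRI="svc:/system/auditd"
# Assumption: system(4) lives at /etc/system unless overridden.
SYSTEM_FILE="${SYSTEM_FILE:-/etc/system}"

# Return 0 when system(4) excludes the c2audit module. In that case the
# kernel module is never loaded, so audit -s cannot bring auditing up until
# the exclude line is removed (and that change does still need a reboot).
c2audit_excluded() {
    grep -E '^[[:space:]]*exclude:[[:space:]]*c2audit[[:space:]]*$' \
        "$SYSTEM_FILE" >/dev/null 2>&1
}

# Print the SMF state of auditd (online, disabled, maintenance, ...).
auditd_state() {
    svcs -H -o state "$AUDITD_FMRI" 2>/dev/null
}

# Enable auditing via the documented interface, then confirm auditd is online.
enable_auditing() {
    if c2audit_excluded; then
        echo "c2audit is excluded in $SYSTEM_FILE; remove the exclude line and reboot first" >&2
        return 2
    fi
    audit -s || return 1
    [ "$(auditd_state)" = "online" ]
}

# Disable auditing permanently (audit -t), then confirm auditd is disabled.
disable_auditing() {
    audit -t || return 1
    [ "$(auditd_state)" = "disabled" ]
}

# Usage: ./audit-toggle.sh enable|disable|status
case "${1:-}" in
    enable)  enable_auditing ;;
    disable) disable_auditing ;;
    status)  auditd_state ;;
esac
```

Returning distinct exit codes (2 for the exclude case, 1 for an audit(1m) failure) lets a configuration-management run tell "module deliberately kept out of the kernel" apart from "service failed to start", which is the distinction an operator needs after this project removes the reboot from the normal path.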

Notes on the implementation

  • Reduce the impact of auditing on system performance by instructing the kernel to invoke the audit-related processing only in the zone(s) with auditing enabled.
  • Optimize the pre/post-syscall hooks so that only threads "living" in the zone(s) with auditing enabled enter the pre/post-syscall phases.
  • Make the way threads are notified that the pre/post-syscall phases should be entered more efficient.
  • Introduce a cache preserving the integrity of the zone audit state during system call processing.
  • Remove the global audit state. The audit state is to be checked in the zones' audit properties.
  • Update bsmconv(1m) and bsmunconv(1m)
      • not to modify system(4) in order to enable/disable Solaris Auditing, and
      • to start/stop the audit daemon.
  • Modify audit(1m) so that the -t parameter disables the auditing service permanently.
  • Update the bsmconv(1m), bsmunconv(1m), auditd(1m) and audit(1m) man pages and the related documentation to reflect the new system behavior.
Created by admin on 2009/10/26 12:11
Last modified by Marek Pospisil on 2009/11/04 16:59