Yet another small feature. I’m working on a blog entry about ZFS retention in the evenings, but it will take some time to complete. So a blog entry about the addition of SMF audit records to admhist will have to do for today.
For quite a while now, you have been able to get a log of system administration related events with the admhist command, for example the execution of the ntpdate command.
# admhist
2024-07-09 17:29:13 jmoekamp /usr/sbin/ntpdate ntpdate ntp1.ptb.de
However, since SRU 60 you can also see SMF events in the admhist output, showing you what’s going on with regard to SMF administration. In this example I’m restarting SSH.
2024-07-09 17:29:37 jmoekamp success create service instance property svc:/network/ssh:default/:properties/restarter_actions/auxiliary_tty
2024-07-09 17:29:37 jmoekamp success create service instance property svc:/network/ssh:default/:properties/restarter_actions/auxiliary_fmri
2024-07-09 17:29:37 jmoekamp success restart service instance svc:/network/ssh:default/:properties/restarter_actions/restart
2024-07-09 17:29:37 jmoekamp success create service instance property svc:/network/ssh:default/:properties/restarter_actions/restart
If you disable the sendmail service, you will find the following lines in the output of the admhist command.
2024-07-09 17:36:12 jmoekamp success create service instance property svc:/network/smtp:sendmail/:properties/restarter_actions/auxiliary_tty
2024-07-09 17:36:12 jmoekamp success create service instance property svc:/network/smtp:sendmail/:properties/restarter_actions/auxiliary_fmri
2024-07-09 17:36:12 jmoekamp success persistently disable service instance svc:/network/smtp:sendmail/:properties/general/enabled
2024-07-09 17:36:12 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/general/enabled
Enabling it again won’t go unnoticed either:
2024-07-09 17:36:30 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/restarter_actions/auxiliary_tty
2024-07-09 17:36:30 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/restarter_actions/auxiliary_fmri
2024-07-09 17:36:30 jmoekamp success persistently enable service instance svc:/network/smtp:sendmail/:properties/general/enabled
2024-07-09 17:36:30 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/general/enabled
The data used for this output is in the Solaris Audit subsystem. You could get it with praudit as well.
header,192,2,persistently enable service instance,,testbed,2024-07-09 17:36:30.094+02:00
subject,jmoekamp,root,root,root,root,1003,1137086766,148 2 192.168.31.224
use of authorization,solaris.smf.modify
fmri,svc:/network/smtp:sendmail/:properties/general/enabled
return,success,0
You may recognize the output. However, I think admhist is much more comfortable, as you don’t have to find out the name of the current audit trail file.
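For review purposes, the SMF lines shown above can be condensed to one line per actual state change. The following is an added example, not part of the original post: the function name smf_state_changes and the sample_admhist helper are made up here, and it assumes the field layout seen in the output above (date, time, user, result, action words, FMRI as last field).

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed line layout (taken from the admhist output shown above):
#   DATE TIME USER RESULT ACTION-WORDS... FMRI

# Sample input: lines copied from the admhist output on this page.
sample_admhist() {
    cat <<'EOF'
2024-07-09 17:29:13 jmoekamp /usr/sbin/ntpdate ntpdate ntp1.ptb.de
2024-07-09 17:29:37 jmoekamp success create service instance property svc:/network/ssh:default/:properties/restarter_actions/auxiliary_tty
2024-07-09 17:29:37 jmoekamp success restart service instance svc:/network/ssh:default/:properties/restarter_actions/restart
2024-07-09 17:36:12 jmoekamp success persistently disable service instance svc:/network/smtp:sendmail/:properties/general/enabled
2024-07-09 17:36:12 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/general/enabled
2024-07-09 17:36:30 jmoekamp success persistently enable service instance svc:/network/smtp:sendmail/:properties/general/enabled
2024-07-09 17:36:30 jmoekamp success change service instance property svc:/network/smtp:sendmail/:properties/general/enabled
EOF
}

# Reads admhist output on stdin and prints one line per SMF state change:
#   DATE TIME USER RESULT SERVICE-FMRI: ACTION
smf_state_changes() {
    awk '
    # Keep only SMF records: their last field is an FMRI starting with svc:/
    $NF !~ /^svc:\// { next }
    {
        # Rebuild the action text from the words between RESULT and FMRI.
        action = $5
        for (i = 6; i < NF; i++) action = action " " $i
        # Skip the accompanying property create/change records.
        if (action ~ /service instance property$/) next
        sub(/ service instance$/, "", action)
        # Reduce the property FMRI to the service instance FMRI.
        fmri = $NF
        sub(/\/:properties\/.*$/, "", fmri)
        printf "%s %s %s %s %s: %s\n", $1, $2, $3, $4, fmri, action
    }'
}

# Demo on the sample lines; on a live system: admhist | smf_state_changes
sample_admhist | smf_state_changes
```
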