1 #! /bin/sh 2 # 3 # 4 # CDDL HEADER START 5 # 6 # The contents of this file are subject to the terms of the 7 # Common Development and Distribution License (the "License"). 8 # You may not use this file except in compliance with the License. 9 # 10 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 11 # or http://www.opensolaris.org/os/licensing. 12 # See the License for the specific language governing permissions 13 # and limitations under the License. 14 # 15 # When distributing Covered Code, include this CDDL HEADER in each 16 # file and include the License file at usr/src/OPENSOLARIS.LICENSE. 17 # If applicable, add the following below this CDDL HEADER, with the 18 # fields enclosed by brackets "[]" replaced with your own identifying 19 # information: Portions Copyright [yyyy] [name of copyright owner] 20 # 21 # CDDL HEADER END 22 # 23 # Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 # Use is subject to license terms. 25 # 26 27 PROG=bsmconv 28 DEVALLOC=/etc/security/device_allocate 29 DEVMAPS=/etc/security/device_maps 30 TEXTDOMAIN="SUNW_OST_OSCMD" 31 export TEXTDOMAIN 32 33 # Perform required permission checks, depending on value of LOCAL_ROOT 34 # (whether we are converting the active OS or just alternative boot 35 # environments). 36 permission() 37 { 38 ZONE=`/sbin/zonename` 39 if [ ! "$ZONE" = "global" -a "$LOCAL_ROOT" = "true" ] 40 then 41 form=`gettext "%s: ERROR: you must be in the global zone to run this script."` 42 printf "${form}\n" $PROG 43 exit 1 44 fi 45 46 WHO=`id | cut -f1 -d" "` 47 if [ ! "$WHO" = "uid=0(root)" ] 48 then 49 form=`gettext "%s: ERROR: you must be super-user to run this script."` 50 printf "${form}\n" $PROG 51 exit 1 52 fi 53 54 RESP="x" 55 while [ "$RESP" != `gettext "y"` -a "$RESP" != `gettext "n"` ] 56 do 57 gettext "This script is used to enable Solaris Auditing and device allocation.\n" 58 form=`gettext "Shall we continue with the conversion now? [y/n]"` 59 echo "$form \c" 60 read RESP 61 done 62 63 if [ "$RESP" = `gettext "n"` ] 64 then 65 form=`gettext "%s: INFO: aborted, due to user request."` 66 printf "${form}\n" $PROG 67 exit 2 68 fi 69 } 70 71 # Do some sanity checks to see if the arguments to bsmconv 72 # are, in fact, root directories for clients. 73 sanity_check() 74 { 75 for ROOT in $@ 76 do 77 78 if [ -d $ROOT -a -w $ROOT -a -f $ROOT/etc/system -a -d $ROOT/usr ] 79 then 80 # There is a root directory to write to, 81 # so we can potentially complete the conversion. 82 : 83 else 84 form=`gettext "%s: ERROR: %s doesn't look like a client's root."` 85 printf "${form}\n" $PROG $ROOT 86 form=`gettext "%s: ABORTED: nothing done."` 87 printf "${form}\n" $PROG 88 exit 4 89 fi 90 done 91 } 92 93 # bsmconvert 94 # All the real work gets done in this function 95 96 bsmconvert() 97 { 98 99 # Prevent automount of removable and hotpluggable volumes 100 # by forcing volume.ignore HAL property on all such volumes. 101 if [ -d ${ROOT}/etc/hal/fdi ] ; then 102 cat > ${ROOT}/etc/hal/fdi/policy/30user/90-solaris-device-allocation.fdi <<FDI 103 <?xml version="1.0" encoding="UTF-8"?> 104 <deviceinfo version="0.2"> 105 <device> 106 <match key="info.capabilities" contains="volume"> 107 <match key="@block.storage_device:storage.removable" bool="true"> 108 <merge key="volume.ignore" type="bool">true</merge> 109 </match> 110 <match key="@block.storage_device:storage.hotpluggable" bool="true"> 111 <merge key="volume.ignore" type="bool">true</merge> 112 </match> 113 </match> 114 </device> 115 </deviceinfo> 116 FDI 117 fi 118 119 # Turn on auditing in the loadable module 120 121 form=`gettext "%s: INFO: turning on audit module."` 122 printf "${form}\n" $PROG 123 if [ ! -f ${ROOT}/etc/system ] 124 then 125 echo "" > ${ROOT}/etc/system 126 fi 127 128 grep -v "c2audit:audit_load" ${ROOT}/etc/system > /tmp/etc.system.$$ 129 echo "set c2audit:audit_load = 1" >> /tmp/etc.system.$$ 130 mv /tmp/etc.system.$$ ${ROOT}/etc/system 131 grep "set c2audit:audit_load = 1" ${ROOT}/etc/system > /dev/null 2>&1 132 if [ $? -ne 0 ] 133 then 134 form=`gettext "%s: ERROR: cannot 'set c2audit:audit_load = 1' in %s/etc/system"` 135 printf "${form}\n" $PROG $ROOT 136 form=`gettext "%s: Continuing ..."` 137 printf "${form}\n" $PROG 138 fi 139 140 # Initialize device allocation 141 142 form=`gettext "%s: INFO: initializing device allocation."` 143 printf "${form}\n" $PROG 144 145 # Need to determine if Trusted Extensions is enabled. This is tricky 146 # because we need to know if TX will be active on the boot following 147 # bsmconv. Check the setting in etc/system (other methods won't work 148 # because TX is likely not yet fully active.) 149 # 150 grep "^[ ]*set[ ][ ]*sys_labeling[ ]*=[ ]*1" \ 151 $ROOT/etc/system > /dev/null 2>&1 152 153 if [ $? = 0 ]; then 154 # Trusted Extensions is enabled (but possibly not yet booted). 155 # This is not currently done for alternate boot environments. 156 if [ -z "$ROOT" -o "$ROOT" = "/" ] 157 then 158 /usr/sbin/devfsadm -e 159 fi 160 else 161 if [ ! -f ${ROOT}/${DEVALLOC} ] 162 then 163 mkdevalloc > ${ROOT}/$DEVALLOC 164 fi 165 if [ ! -f ${ROOT}/${DEVMAPS} ] 166 then 167 mkdevmaps > ${ROOT}/$DEVMAPS 168 fi 169 fi 170 171 # enable auditd at next boot. 172 cat >> ${ROOT}/var/svc/profile/upgrade <<SVC_UPGRADE 173 /usr/sbin/svcadm enable system/auditd 174 SVC_UPGRADE 175 } 176 177 # main loop 178 179 sanity_check $@ 180 if [ $# -eq 0 ] 181 then 182 # converting local root, perform all permission checks 183 LOCAL_ROOT=true 184 permission 185 186 ROOT= 187 bsmconvert 188 189 echo 190 gettext "Solaris Auditing and device allocation is ready.\n" 191 gettext "If there were any errors, please fix them now.\n" 192 gettext "Configure Solaris Auditing and device allocation by editing " 193 gettext "files\nlocated in /etc/security.\n" 194 gettext "Reboot this system now to come up with auditing " 195 gettext "and device allocation enabled.\n" 196 else 197 # determine if local root is being converted ("/" passed on 198 # command line), if so, full permission check required 199 LOCAL_ROOT=false 200 for ROOT in $@ 201 do 202 if [ "$ROOT" = "/" ] 203 then 204 LOCAL_ROOT=true 205 fi 206 done 207 208 # perform required permission checks (depending on value of 209 # LOCAL_ROOT) 210 permission 211 212 for ROOT in $@ 213 do 214 form=`gettext "%s: INFO: converting boot environment %s ..."` 215 printf "${form}\n" $PROG $ROOT 216 bsmconvert $ROOT 217 form=`gettext "%s: INFO: done with boot environment %s"` 218 printf "${form}\n" $PROG $ROOT 219 done 220 echo 221 gettext "Solaris Auditing and device allocation is ready.\n" 222 gettext "If there were any errors, please fix them now.\n" 223 gettext "Configure Solaris auditing and device allocation by editing " 224 gettext "files\nlocated in /etc/security in the root directories " 225 gettext "of each host converted.\n" 226 gettext "Reboot each system converted to come up with auditing " 227 gettext "and device\nallocation enabled.\n" 228 fi 229 230 exit 0 231
Indexes created Fri Nov 27 10:43:50 UTC 2009
Terms of Use |
Privacy |
Trademarks |
Copyright Policy |
Site Guidelines |
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
Copyright © 1995-2008 Sun Microsystems, Inc.