Oracle Solaris 11.1 SMF Lab

Table of Contents

Exercise S.1: View SMF Authorizations
Exercise S.2: Examine Syslog Service
Exercise S.3: Customize the Syslog Service
Exercise S.4: Customize the Syslog Config File

Introduction

This set of exercises is designed to briefly demonstrate some aspects of the SMF Authorization policy in Oracle Solaris.

Passwords: User:lab Password:l1admin
Role:root Password:l1admin
Some of the exercises require the root role.

Exercise S.1: View SMF Authorizations

Task: Become familiar with SMF authorizaitons.

Lab: List some authorizations for SMF

oow@solaris:~$ oow@solaris:~$ auths list|grep smf
    solaris.smf.manage
    solaris.smf.manage.autofs
    solaris.smf.manage.bind
    solaris.smf.manage.coreadm
    solaris.smf.manage.cron
    solaris.smf.manage.extended-accounting.flow
    solaris.smf.manage.extended-accounting.net
    solaris.smf.manage.extended-accounting.process
    solaris.smf.manage.extended-accounting.task
    solaris.smf.manage.group
    solaris.smf.manage.hotplug
    solaris.smf.manage.ilb
    solaris.smf.manage.ipmp
    solaris.smf.manage.mdns
    solaris.smf.manage.name-service.*
    solaris.smf.manage.ndmp
    solaris.smf.manage.netphys
    solaris.smf.manage.rad
    solaris.smf.manage.rds
    solaris.smf.manage.routing
    solaris.smf.manage.sendmail
    solaris.smf.manage.shares
    solaris.smf.manage.smb
    solaris.smf.manage.smbfs
    solaris.smf.manage.system-log
...

oow@solaris:~$ oow@solaris:~$auths info -v solaris.smf.manage.system-log
    solaris.smf.manage.system-log
        Manage Syslog Service States

Back to top

Exercise S.2: Examine Syslog Service

Task:Look at the configuration of an SMF service.

Lab:In this exercise, you will use svcs and svccfg to examine the syslog service.

oow@solaris:~$ oow@solaris:~$ svcs -l system-log
fmri         svc:/system/system-log:default
name         system log
enabled      true
state        online
next_state   none
state_time   Wed Nov 07 12:23:31 2012
logfile      /var/svc/log/system-system-log:default.log
restarter    svc:/system/svc/restarter:default
contract_id  160 
manifest     /etc/svc/profile/generic.xml
manifest     /lib/svc/manifest/system/system-log.xml
dependency   require_all/none svc:/milestone/self-assembly-complete (online)
dependency   require_all/none svc:/system/filesystem/local (online)
dependency   optional_all/none svc:/system/filesystem/autofs (online)
dependency   require_all/none svc:/milestone/name-services (online)

oow@solaris:~$ svccfg -s system-log
svc:/system/system-log> listprop general
general                       framework          
general/action_authorization astring     solaris.smf.manage.system-log
general/entity_stability     astring     Unstable
general/single_instance      boolean     true
general/value_authorization  astring     solaris.smf.manage.system-log

svc:/system/system-log> listprop config
config                      application        
config/log_from_remote     boolean     false
config/value_authorization astring     solaris.smf.value.system-log

Back to top

Exercise S.3: Customize the Syslog Service

Task: Learn how to edit SMF properies.

.

Lab: Use the editprop subcommand to modify a property.

Custom PAM policies can assigned using the pam_policy keyword via useradd. By convention these custom files are maintained in /etc/security/pam_policy.

svc:/system/system-log> ]editprop
Change the remote boolean boolean from false to true. Then remove the comment characters from thee beginning of this line and the refresh entry. Save and exit.

svc:/system/system-log> listprop config
svc:/system/system-log> listprop config
config                      application        
config/log_from_remote     boolean     true
config/value_authorization astring     solaris.smf.value.system-log

Now set it back to false, and exit.

svc:/system/system-log> exit

Back to top

Exercise S.4: Customize the Syslog Config File

Task: This exercise demonstrates how to customize the traditional syslog.conf file. .

Lab: We will use the privileged editor, pfedit, to add PAM debugging to the syslog configuration.

oow@solaris:~$ auths list |grep syslog 
    solaris.admin.edit/etc/syslog.conf

oow@solaris:~$ pfedit /etc/syslog.conf

The lines for PAM debgging are already at the end of the file. Just add a comment, save, and exit. Then refresh the system service.

oow@solaris:~$ svcadm restart system-log 

Back to top

That concludes this lab session.