PSARC/2016/303 enable rsyslog as default Solaris logger
24362425 rsyslog should degrade service if syslog.conf has been modified
# Document the addition of UNIX sockets, which is now the default on Solaris.
# This patch was developed in-house and is suitable for upstream use.
#
--- man/man8/tcsd.8.in 2014-04-24 11:05:44.000000000 -0700
+++ man/man8/tcsd.8.in 2016-04-14 17:53:56.097075543 -0700
@@ -66,10 +66,11 @@
There are two types of access control for the \fBtcsd\fR, access to the
daemon's socket itself and access to specific commands internal to the
\fBtcsd\fR. Access to the \fBtcsd\fR's port should be controlled by the system
-administrator using firewall rules. If using iptables, the following rule
-will allow a specific host access to the tcsd:
-
-# iptables -A INPUT -s $IP_ADDRESS -p tcp --destination-port @TCSD_DEFAULT_PORT@ -j ACCEPT
+administrator using firewall rules.
+If port = 0 in /etc/security/tcsd.conf, \fBtcsd\R uses a UNIX Domain socket.
+Otherwise, \fBtcsd\fR uses a TCP port.
+By default the TCP port, when enabled, is accessible only from localhost,
+unless "remote_ops" in tcsd.conf is not empty.
Access to individual commands internal to the tcsd is configured by the
\fBtcsd\fR configuration file's "remote_ops" directive. Each function call
@@ -89,12 +90,32 @@
the TCS and stays valid across application lifetimes, \fBtcsd\fR restarts and
system resets. Data registered in system PS stays valid until an application
requests that it be removed. User PS files are by default stored as
-/var/tpm/user.{pid} and the system PS file by default is /var/tpm/system.data.
-The system PS file is initially created when ownership of the TPM is first
-taken.
+/var/user/$USERNAME/tpm/userps/user.data and the system PS file by default is
+/var/tpm/system/system.data. The system PS file is initially created when
+ownership of the TPM is first taken.
+.PP
+\fB/var/tpm/system/system.data\fR
+.ad
+.RS 4n
+Contains the system PS (persistent storage) data controlled by the TCS. By default,
+the SRK key is installed in PS and does not require owner authorization to use. If the
+TPM has previously been provisioned and owner-auth is required to load the SRK,
+then the /var/tpm/system/system.data.auth file should be moved to
+/var/tpm/system/system.data before starting the TCS (See NOTES).
+.RE
+.sp
+.PP
+\fB/var/tpm/system/system.data.auth\fR
+.ad
+.RS 4n
+This is the default PS data file to use if the TPM has been previously
+configured to require owner-auth to access the SRK. Copy this file
+to /var/tpm/system/system.data prior to starting the TCS if owner-auth is
+needed, otherwise this file can be ignored.
+.RE
.SH "CONFIGURATION"
-\fBtcsd\fR configuration is stored by default in /etc/tcsd.conf
+\fBtcsd\fR configuration is stored by default in /etc/security/tcsd.conf
.SH "DEBUG OUTPUT"
If TrouSerS has been compiled with debugging enabled, the debugging output
@@ -106,6 +127,9 @@
from http://ibmswtpm.sourceforge.net/ and the TPM device driver available
from http://sf.net/projects/tpmdd, which is also available in the upstream
Linux kernel and many Linux distros.
+It is also compatible with the TPM device driver for Oracle Solaris which is
+available in package driver/crypto/tpm.
+
.SH "CONFORMING TO"
.PP
@@ -114,10 +138,26 @@
.SH "SEE ALSO"
.PP
-\fBtcsd.conf\fR(5)
+\fBtcsd.conf\fR(5), \fBsvcadm\fR(8), \fBsmf\fR(7)
+
+.SH "NOTES"
+.sp
+.LP
+The \fBtcsd\fR service is managed by the service management facility, \fBsmf\fR(7), under
+the service identifier:
+.sp
+.in +2
+.nf
+svc:/application/security/tcsd:default
+.fi
+.in -2
+.sp
+.LP
+Administrative actions on this service, such as enabling, disabling, or requesting restart, can be
+performed using \fBsvcadm\fR(8). The service's status can be queried using the \fBsvcs\fR(1) command.
.SH "AUTHOR"
Kent Yoder
.SH "REPORTING BUGS"
-Report bugs to <@PACKAGE_BUGREPORT@>
+Report bugs to <[email protected]>