Note: This is an archival copy of Security Sun Alert 201042 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000776.1.
Solaris 9 Operating System
Date of Resolved Release
Solaris 9 systems with Basic Security Module (BSM) enabled (see bsmconv(1M)) and either patch 114332-08 for SPARC or 114929-06 for x86 installed will not have BSM/auditing functionality present after the system is rebooted.
Solaris 9 patches 114332-08 and 114929-06 are WITHDRAWN and are no longer available on SunSolve.
This issue can occur in the following releases:
A system has BSM enabled if the following "c2audit" line is present in the "/etc/system" file:
$ grep c2audit /etc/system set c2audit:audit_load = 1
When the system is rebooted the following messages will be displayed on the console during boot:
/etc/rc2.d/S99audit: /etc/security/audit_startup: cannot execute
Solaris 9 BSM enabled systems which have been rebooted will find that BSM/auditing has not been enabled correctly on the system. The auditconfig(1M) command will report the discrepancy, as in this example:
# auditconfig -chkaconf non-attributable event mismatch audit_control(lo) kernel(no)
# auditconfig -chkconf AUE_EXIT(1): CLASS MISMATCH: runtime class (no) != configured class (pc) AUE_FORK(2): CLASS MISMATCH: runtime class (no) != configured class (pc) AUE_OPEN(3): CLASS MISMATCH: runtime class (no) != configured class (fa) AUE_CREAT(4): CLASS MISMATCH: runtime class (no) != configured class (fc) AUE_LINK(5): CLASS MISMATCH: runtime class (no) != configured class (fc) ...
To work around the described issue, BSM/auditing functionality can be restored by running the following commands executed as the "root" user:
# /usr/bin/chmod 0744 /etc/security/audit_startup # /etc/init.d/audit stop # /etc/init.d/audit start
This will restore BSM/auditing functionality on BSM enabled systems.
This issue is addressed in the following release:
This solution has no attachment