Category
Security
Release Phase
Resolved
ProductSolaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Bug Id
4503182
Date of Resolved Release03-FEB-2004
Impact
Solaris systems with Basic Security Module (BSM) enabled which have been security hardened may have had the SUNWscpu package removed. If this is the case, the BSM audit_warn(1M) script will not e-mail any errors or warning messages generated by the audit daemon (auditd(1M)).
The SUNWCscp cluster provides source compatibility support for Solaris 1.0 (previously known as SunOS 4.X) and the SUNWscpu package contains the mail(1b) command which the BSM audit_warn(1M) relies on.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
-
Solaris 7
-
Solaris 8 without patch 116610-01
-
Solaris 9 without patch 116247-01
x86 Platform
-
Solaris 7
-
Solaris 8 without patch 116611-01
-
Solaris 9 without patch 116248-01
This issue only affects BSM enabled systems which do not have the SUNWscpu package installed.
To determine if a system has BSM enabled, the following line will appear in the "/etc/system" file:
$ grep c2audit /etc/system
set c2audit:audit_load = 1
To determine if the SUNWscpu package is installed on a system, the pkginfo(1) command will display output similar to the following:
$ pkginfo SUNWscpu
system SUNWscpu Source Compatibility, (Usr)
Symptoms
There are no reliable symptoms that would show the described issue has occurred on a system.
Workaround
Sites which have removed the SUNWscpu package could edit the audit_warn(1M) script by hand to change all occurrences of mail(1b) to mailx(1).
For example, change all lines which reference /usr/ucb/mail:
/usr/ucb/mail -s "$SUBJECT" audit_warn
To:
/usr/bin/mailx:
/usr/bin/mailx -s "$SUBJECT" audit_warn
Resolution
This issue is addressed in the following releases:
SPARC Platform
-
Solaris 8 with patch 116610-01 or later
-
Solaris 9 with patch 116247-01 or later
x86 Platform
-
Solaris 8 with patch 116611-01 or later
-
Solaris 9 with patch 116248-01 or later
Note: Sites using Solaris 7 will need to upgrade to Solaris 8 or Solaris 9 and apply the relevant patches.
Modification History
References
116247-01
116610-01
116611-01
116248-01
AttachmentsThis solution has no attachment