Note: This is an archival copy of Security Sun Alert 201310 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000987.1.
Solaris 9 Operating System
Date of Resolved Release
Solaris 9 systems with Solaris Auditing (see bsmconv(1M)) enabled and with the sshd(1M) patches installed as listed in section 2 below will contain audit records with an incorrect audit-ID. In addition, incomplete audit classes may be selected for users logging in via ssh(1).
This issue can occur in the following releases:
To determine if Solaris Auditing is enabled on a system, a command such as the following can be used to search the "/etc/system" file for a reference to the "c2audit" kernel module:
$ grep c2audit /etc/system
set c2audit:audit_load = 1
After logging in to a Solaris 9 system using ssh(1) as a non-root user, the audit-ID of the login shell process will be zero. A command such as the following can be run either as the 'root' user or as a user assigned the 'Audit Control' execution profile (see rbac(5)) to determine the audit-ID of a running process on the system:
# auditconfig -getpinfo <process ID> | grep 'audit id'
audit id = root(0)
If the above audit-ID output is seen for a process ID of a non-root user who has logged in via ssh(1), then this issue has occurred on the system.
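The two checks above combined into one script, as an added example that is not part of the original Sun Alert. The function names and sample inputs are constructed for illustration; only the `audit id = name(uid)` line format is taken from the output shown above.

```shell
#!/bin/sh
# Added example: the two checks from this alert as functions that read the
# command output as text, so they can be run on saved output or in a pipe.
# Backticks are used because the Solaris 9 /bin/sh does not support $(...).

# Succeeds if /etc/system text on stdin references c2audit outside of a
# comment line ('*' in column one starts a comment in /etc/system).
auditing_enabled() {
    grep -v '^\*' | grep 'c2audit' >/dev/null
}

# Prints the numeric audit-ID from "auditconfig -getpinfo <pid>" output on
# stdin, e.g. "audit id = root(0)" prints 0. Prints nothing if no such line.
audit_uid() {
    sed -n 's/^audit id = .*(\([0-9][0-9]*\))[ ]*$/\1/p'
}

# $1 = numeric UID owning the process; stdin = auditconfig -getpinfo output.
# Prints "affected" when a non-root process carries audit-ID 0.
check_process() {
    owner=$1
    aid=`audit_uid`
    if [ -z "$aid" ]; then
        echo unknown
    elif [ "$owner" -ne 0 ] && [ "$aid" -eq 0 ]; then
        echo affected
    else
        echo ok
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_SYSTEM='* load the audit module
set c2audit:audit_load = 1'
SAMPLE_BAD='audit id = root(0)'
SAMPLE_GOOD='audit id = alice(1001)'

printf '%s\n' "$SAMPLE_SYSTEM" | auditing_enabled && echo "auditing enabled"
printf '%s\n' "$SAMPLE_BAD"  | check_process 1001
printf '%s\n' "$SAMPLE_GOOD" | check_process 1001
```

On a live system, pipe the output of `auditconfig -getpinfo <process ID>` for the login shell of an ssh(1) session into `check_process`, passing that user's numeric UID as the argument.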
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
Note: The resolution for this issue applies to future audit records. The patches do not modify existing audit records already written to the audit.log(4).
For more information on Security Sun Alerts, see Sun 1009886.1.