Note: This is an archival copy of Security Sun Alert 201924 as previously published on
Latest version of this security advisory is available from as Sun Alert 1001424.1.
Article ID : 1001424.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-07-15
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Anonymous FTP Sessions are not Audited When the Basic Security Module (BSM) is Used


Release Phase

Solaris 2.5.1
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id

Date of Workaround Release

Date of Resolved Release


Basic Security Module (BSM) auditing of "anonymous" FTP user(s) may not be successful. However, BSM auditing of other FTP users is not affected in any way.

Note: BSM auditing is not the same as FTP logging. Please see the manual page for in.ftpd(1M) and the "-l" option.

Contributing Factors

This issue can occur in the following releases:


  • Solaris 2.5.1
  • Solaris 2.6
  • Solaris 7
  • Solaris 8


  • Solaris 2.5.1
  • Solaris 2.6
  • Solaris 7
  • Solaris 8

Note: This issue is only possible if both of the following are configured:

  1. The Basic Security Module (BSM) has been enabled. (See bsmconv(1M) for more information)
  2. Anonymous FTP access is allowed. (See in.ftpd(1M) for more information)


When the described issue occurs, audit information of the "anonymous" FTP user(s) will not be present in the audit trail file. Please see the manual page for audit.log(4).

The exact nature of "Audit Information" depends on the classes/events which have been configured for auditing on that host. See audit_event(4) and audit_class(4).

The following command can be used to retrieve auditing information for the FTP user:

	# auditreduce -u ftp  | praudit


The workaround for this issue is to copy the auditing files (/etc/security/audit_*) from /etc/security to <ftp-user-home>/etc/security. (<ftp-user-home> refers to the home of the "anonymous" FTP user).

The following command should output <ftp-user-home>:

	# getent passwd ftp | cut -d: -f6

The steps to implement the workaround are as follows:

a) Login as superuser (root).

b) Create a /etc/security directory under <ftp-user-home>:

	# mkdir -m 755 `getent passwd ftp | cut -d: -f6`/etc/security

c) Copy the auditing files from /etc/security to <ftp-user-home>/etc/security:

	# cp -p /etc/security/audit_* `getent passwd ftp | cut -d: -f6`/etc/security

After this has been done, all future FTP sessions of the "anonymous" FTP user will be audited.

If any changes are made to the auditing files (/etc/security/audit_* ) they should again be copied to <ftp-user-home>/etc/security as described above.


This issue will not be addressed in patches. The workaround provided above in "Relief/Workaround" is the final resolution.

Modification History
Date: 16-JUL-2003
  • State: Resolved
  • Updated Resolution section

This solution has no attachment