Note: This is an archival copy of Security Sun Alert 201924 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001424.1.
Article ID : 1001424.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-07-15
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Anonymous FTP Sessions are not Audited When the Basic Security Module (BSM) is Used



Category
Security

Release Phase
Resolved

Product
Solaris 2.5.1
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4487520

Date of Workaround Release
09-OCT-2001

Date of Resolved Release
16-JUL-2003

Impact

Basic Security Module (BSM) auditing of "anonymous" FTP user(s) may not be successful. However, BSM auditing of other FTP users is not affected in any way.

Note: BSM auditing is not the same as FTP logging. Please see the manual page for in.ftpd(1M) and the "-l" option.


Contributing Factors

This issue can occur in the following releases:

SPARC

  • Solaris 2.5.1
  • Solaris 2.6
  • Solaris 7
  • Solaris 8

Intel

  • Solaris 2.5.1
  • Solaris 2.6
  • Solaris 7
  • Solaris 8

Note: This issue is only possible if both of the following are configured:

  1. The Basic Security Module (BSM) has been enabled. (See bsmconv(1M) for more information)
  2. Anonymous FTP access is allowed. (See in.ftpd(1M) for more information)

Symptoms

When the described issue occurs, audit information of the "anonymous" FTP user(s) will not be present in the audit trail file. Please see the manual page for audit.log(4).

The exact nature of "Audit Information" depends on the classes/events which have been configured for auditing on that host. See audit_event(4) and audit_class(4).

The following command can be used to retrieve auditing information for the FTP user:

	# auditreduce -u ftp | praudit


Workaround

The workaround for this issue is to copy the auditing files (/etc/security/audit_*) from /etc/security to <ftp-user-home>/etc/security. (<ftp-user-home> refers to the home of the "anonymous" FTP user).

The following command should output <ftp-user-home>:

	# getent passwd ftp | cut -d: -f6

The steps to implement the workaround are as follows:

a) Log in as superuser (root).

b) Create a /etc/security directory under <ftp-user-home>:

	# mkdir -m 755 `getent passwd ftp | cut -d: -f6`/etc/security

c) Copy the auditing files from /etc/security to <ftp-user-home>/etc/security:

	# cp -p /etc/security/audit_* `getent passwd ftp | cut -d: -f6`/etc/security

After this has been done, all future FTP sessions of the "anonymous" FTP user will be audited.

If any changes are made to the auditing files (/etc/security/audit_*) they should again be copied to <ftp-user-home>/etc/security as described above.
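
An added example, not part of the original Sun Alert: a shell function that reports when the copies under <ftp-user-home>/etc/security are missing or no longer match the files in /etc/security, which is when the copy step above has to be repeated. The function name check_audit_sync and the MISSING, STALE, MISSING-DIR and NO-SOURCE status words are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Sun's code): detect drift between the master audit
# configuration and the copy kept under the anonymous FTP user's home.
#
# check_audit_sync SRC_DIR DST_DIR
#   SRC_DIR  directory holding the master audit_* files (/etc/security)
#   DST_DIR  the copy (<ftp-user-home>/etc/security)
# Prints one line per problem. Returns 0 when every audit_* file in SRC_DIR
# has an identical copy in DST_DIR, 1 on drift, 2 when a check is impossible.
check_audit_sync() {
    src=$1
    dst=$2
    status=0
    found=0
    if [ ! -d "$dst" ]; then
        echo "MISSING-DIR $dst"      # workaround step b) was never applied
        return 2
    fi
    for f in "$src"/audit_*; do
        [ -f "$f" ] || continue      # unmatched glob or non-regular file
        found=1
        name=`basename "$f"`
        if [ ! -f "$dst/$name" ]; then
            echo "MISSING $dst/$name"
            status=1
        elif cmp -s "$f" "$dst/$name"; then
            :                        # byte-identical, nothing to report
        else
            echo "STALE $dst/$name"  # master changed after the last copy
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "NO-SOURCE $src/audit_*"
        return 2
    fi
    return $status
}

# When run as a script with two arguments, check those directories, e.g.
#   sh check_audit_sync.sh /etc/security \
#      `getent passwd ftp | cut -d: -f6`/etc/security
if [ $# -eq 2 ]; then
    check_audit_sync "$1" "$2"
fi
```

A non-zero return means anonymous FTP sessions may be audited with an outdated configuration or not at all until step c) is repeated.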



Resolution

This issue will not be addressed in patches. The workaround provided above in the "Workaround" section is the final resolution.



Modification History
Date: 16-JUL-2003
  • State: Resolved
  • Updated Resolution section
