Note: This is an archival copy of Security Sun Alert 201924 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001424.1.
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
Basic Security Module (BSM) auditing of "anonymous" FTP user(s) may not be successful. However, BSM auditing of other FTP users is not affected in any way.
Note: BSM auditing is not the same as FTP logging. Please see the manual page for in.ftpd(1M) and the "-l" option.
This issue can occur in the following releases:
Note: This issue is only possible if both of the following are configured:
When the described issue occurs, audit information of the "anonymous" FTP user(s) will not be present in the audit trail file. Please see the manual page for audit.log(4).
The exact nature of "Audit Information" depends on the classes/events which have been configured for auditing on that host. See audit_event(4) and audit_class(4).
The following command can be used to retrieve auditing information for the FTP user:
# auditreduce -u ftp | praudit
The workaround for this issue is to copy the auditing files (/etc/security/audit_*) from /etc/security to <ftp-user-home>/etc/security. (<ftp-user-home> refers to the home of the "anonymous" FTP user).
The following command should output <ftp-user-home>:
# getent passwd ftp | cut -d: -f6
The steps to implement the workaround are as follows:
a) Login as superuser (root).
b) Create a /etc/security directory under <ftp-user-home>:
# mkdir -m 755 `getent passwd ftp | cut -d: -f6`/etc/security
c) Copy the auditing files from /etc/security to <ftp-user-home>/etc/security:
# cp -p /etc/security/audit_* `getent passwd ftp | cut -d: -f6`/etc/security
After this has been done, all future FTP sessions of the "anonymous" FTP user will be audited.
If any changes are made to the auditing files (/etc/security/audit_* ) they should again be copied to <ftp-user-home>/etc/security as described above.
This issue will not be addressed in patches. The workaround provided above in "Relief/Workaround" is the final resolution.
This solution has no attachment