Note: This is an archival copy of Security Sun Alert 201042 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000776.1.
Article ID : 1000776.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2004-01-21
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Solaris 9 patches 114332-08 and 114929-06 are WITHDRAWN - Patches Disable the Auditing Functionality on Basic Security Module (BSM) Enabled Systems

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System

Bug Id
4975802

Date of Resolved Release
21-APR-2004

Impact

Solaris 9 systems with Basic Security Module (BSM) enabled (see bsmconv(1M)) and either patch 114332-08 for SPARC or 114929-06 for x86 installed will not have BSM/auditing functionality present after the system is rebooted.

Solaris 9 patches 114332-08 and 114929-06 are WITHDRAWN and are no longer available on SunSolve.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 with patch 114332-08 and without patch 114332-10*

x86 Platform

  • Solaris 9 with patch 114929-06 and without patch 112234-12

Notes:

  1. Solaris 2.6 will not be evaluated regarding the potential impact of the issue described in this Sun Alert.
  2. Solaris 7 and 8 are not affected by this issue.
  3. This issue only affects systems which have BSM (see bsmconv(1M)) enabled.
  4. *Patch 114332-09 has been incorporated into 114332-10 (respin).

A system has BSM enabled if the following "c2audit" line is present in the "/etc/system" file: 

    $ grep c2audit /etc/system
set c2audit:audit_load = 1

Symptoms

When the system is rebooted the following messages will be displayed on the console during boot: 

    /etc/rc2.d/S99audit: /etc/security/audit_startup: cannot execute

Solaris 9 BSM enabled systems which have been rebooted will find that BSM/auditing has not been enabled correctly on the system. The auditconfig(1M) command will report the discrepancy, as in this example: 

    # auditconfig -chkaconf
non-attributable event mismatch audit_control(lo) kernel(no)
    # auditconfig -chkconf
AUE_EXIT(1): CLASS MISMATCH: runtime class (no) != configured class (pc)
AUE_FORK(2): CLASS MISMATCH: runtime class (no) != configured class (pc)
AUE_OPEN(3): CLASS MISMATCH: runtime class (no) != configured class (fa)
AUE_CREAT(4): CLASS MISMATCH: runtime class (no) != configured class (fc)
AUE_LINK(5): CLASS MISMATCH: runtime class (no) != configured class (fc)
...

Workaround

To work around the described issue, BSM/auditing functionality can be restored by running the following commands executed as the "root" user: 

    # /usr/bin/chmod 0744 /etc/security/audit_startup
# /etc/init.d/audit stop
# /etc/init.d/audit start

This will restore BSM/auditing functionality on BSM enabled systems.


Resolution

This issue is addressed in the following release:

SPARC Platform

  • Solaris 9 with patch 114332-10 or later

x86 Platform

  • Solaris 9 with patch 112234-12 or later


Modification History
Date: 20-APR-2004
  • Update Contributing Factors and Resolution sections for x86 patch and T-Patch for SPARC

Date: 21-APR-2004
  • Update Contributing Factors and Resolution sections for SPARC patch release
  • Re-release as Resolved


References

112234-12
114332-10




Attachments
This solution has no attachment