Note: This is an archival copy of Security Sun Alert 201310 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000987.1.
Article ID : 1000987.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-12-17
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Solaris 9 sshd(1M) Patches May Cause Incorrect Audit Data to be Logged



Category
Security

Category
Availability

Release Phase
Resolved

Product
Solaris 9 Operating System

Bug Id
6612944

Date of Resolved Release
18-DEC-2007

Impact

Solaris 9 systems that have Solaris Auditing enabled (see bsmconv(1M)) and have the sshd(1M) patches listed in the Contributing Factors section below installed will write audit records with an incorrect audit-ID. In addition, incomplete audit classes may be selected for users logging in via ssh(1).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 with patches 113273-11 through 113273-16 and without patch 122300-17

x86 Platform

  • Solaris 9 with patches 114858-09 through 114858-13 and without patch 122301-17

Notes:

  1. This issue does not affect Solaris 10.
  2. Solaris 8 does not ship with SSH and thus is not impacted by this issue.
  3. This issue only affects systems which have Solaris Auditing enabled (see bsmconv(1M)).

To determine if Solaris Auditing is enabled on a system, a command such as the following can be used to search the "/etc/system" file for a reference to the "c2audit" kernel module:

    $ grep c2audit /etc/system
    set c2audit:audit_load = 1

Symptoms

After logging in to a Solaris 9 system using ssh(1) as a non-root user, the audit-ID of the login shell process will be zero. A command such as the following can be run either as the 'root' user or as a user assigned the 'Audit Control' execution profile (see rbac(5)) to determine the audit-ID of a running process on the system:

    # auditconfig -getpinfo <process ID> | grep 'audit id'
    audit id = root(0)

If the above audit-ID output is seen for a process ID of a non-root user who has logged in via ssh(1), then this issue has occurred on the system.
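
The checks from the Contributing Factors and Symptoms sections can be combined into one triage script. The following is an added example, not part of the original Sun Alert; it is written for a POSIX shell, and the function names, the `not-listed` label and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Sun's code. Assumption: the highest installed revision
# of a patch ID is the one in effect.

# highest_rev ID: read `showrev -p` text on stdin, print the highest installed
# revision of patch ID (leading zeros stripped), or nothing if it is absent.
highest_rev() {
    sed -n "s/^Patch: $1-\([0-9][0-9]*\).*/\1/p" | sort -n | tail -n 1 |
        sed 's/^0*\([0-9]\)/\1/'
}

# alert_status ARCH TEXT: ARCH is `uname -p` output, TEXT is `showrev -p` output.
alert_status() {
    case "$1" in
        sparc) sshd=113273 lo=11 hi=16 fix=122300 ;;
        i386)  sshd=114858 lo=9 hi=13 fix=122301 ;;
        *)     echo unknown-arch; return 2 ;;
    esac
    have=$(printf '%s\n' "$2" | highest_rev "$sshd")
    fixed=$(printf '%s\n' "$2" | highest_rev "$fix")
    if [ -n "$fixed" ] && [ "$fixed" -ge 17 ]; then
        echo fixed
    elif [ -n "$have" ] && [ "$have" -ge "$lo" ] && [ "$have" -le "$hi" ]; then
        echo affected
    else
        echo not-listed
    fi
}

# audit_enabled: read /etc/system on stdin; succeed only on an uncommented
# c2audit load line (the alert's plain grep would also match a comment).
audit_enabled() {
    grep '^set c2audit:audit_load *= *1' >/dev/null
}

# mislabelled_session OWNER_UID: read `auditconfig -getpinfo <pid>` output on
# stdin; succeed when a non-root owner's process carries audit id 0.
mislabelled_session() {
    aid=$(sed -n 's/^audit id = .*(\([0-9][0-9]*\)).*/\1/p')
    [ "$1" -ne 0 ] && [ "$aid" = 0 ]
}

# Constructed sample, not from a real host.
SAMPLE='Patch: 113273-09 Obsoletes: Requires: Incompatibles: Packages: (constructed)
Patch: 113273-13 Obsoletes: Requires: Incompatibles: Packages: (constructed)
Patch: 122300-10 Obsoletes: Requires: Incompatibles: Packages: (constructed)'
alert_status sparc "$SAMPLE"    # prints: affected
# On a host: alert_status "$(uname -p)" "$(showrev -p)"
```

A host reported as `affected` with auditing enabled has been writing ssh login records under audit-ID 0 since the sshd patch was applied, so audit trail review for that period should not rely on the audit-ID field to attribute those sessions.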


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 122300-17 or later

x86 Platform

  • Solaris 9 with patch 122301-17 or later

Note: The resolution for this issue applies to future audit records. The patches do not modify existing audit records already written to the audit.log(4).

For more information on Security Sun Alerts, see Sun 1009886.1.



References

122300-17
122301-17



