Re: BSM audit service

From: Darren Moffat (Darren.Moffat@eng.sun.com)
Date: 12/03/01


Date: Mon, 3 Dec 2001 11:33:28 -0800 (PST)
From: Darren Moffat <Darren.Moffat@eng.sun.com>
To: focus-sun@security-focus.com, frijsteve@optusnet.com.au


>I am wondering if there are any issues with auditsvc and BSM.

Other than that it was never intended to be used in the way you are using it,
I'm not aware of any.

>The platforms involved are solaris 7 & 8 running SPARC boxes.
>
>We have a program that calls auditsvc to redirect BSM records to a UNIX
>socket.
>We then read off that socket to retrieve the audit data and then we proceed
>to parse the information for anything of interest.

A good idea but I don't think it is supported.

>Running on Solaris 8 we get the auditsvc call return with a broken pipe and a
>message that there is not enough space (I assume this means disk space).
>However, there is plenty of disk space on the audit directory (only 2% being
>used). Once this occurs the whole server locks up and the only thing we can
>do is reboot.

Exactly what is errno set to when auditsvc returns? You have described
two errno values; errno can only be set to one thing at a time.

broken pipe suggests EPIPE
not enough space suggests one of EFBIG, ENOSPC.

What did you pass into auditsvc as the limit value?

When you get this error, what does your code do next?

What user is your code running as? How/when is it started? Other than
auditsvc, what other BSM audit APIs do you call?

I assume you have disabled the startup of auditd. Also, what do you
have in /etc/security/audit_startup? In particular, do you have
/usr/sbin/auditconfig -setpolicy +cnt?

--
Darren J Moffat
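An added example, not part of Darren's reply or of the original poster's program: auditsvc(2) exists only on Solaris, so this portable C program stands in for the socket side of the design with a plain write(2) to an AF_UNIX socketpair whose consumer end has already been closed, which is exactly what a reader that dies or closes early looks like from the writing side. It shows the errno discipline the reply is asking for: save errno immediately after the failing call, before close() or printf() can overwrite it, and report the single value that actually occurred. The helper names are hypothetical, the sample record is constructed, and the meanings given for EPIPE, ENOSPC and EFBIG are the generic POSIX ones; the auditsvc(2) manual page on the box is the authority for which of them that call actually sets and for what its limit argument means.

```c
/* Added example, not from the original message. Reproduces the "broken pipe"
 * half of the reported failure on an ordinary POSIX system and shows how to
 * record the one errno value a failing call actually set. auditsvc(2) is
 * Solaris-only and is not called here; a write(2) on an AF_UNIX socketpair
 * with a closed peer stands in for it. Helper names are hypothetical. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Turn a saved errno into one unambiguous explanation. The caller must pass
 * the value captured immediately after the failing call: errno holds exactly
 * one value, and any later libc call may clobber it. Meanings are the generic
 * POSIX ones, not auditsvc(2)-specific. */
const char *explain_audit_write_errno(int err)
{
    switch (err) {
    case EPIPE:  return "EPIPE: the socket/pipe reader has gone away";
    case ENOSPC: return "ENOSPC: no space left on the target file system";
    case EFBIG:  return "EFBIG: the write would exceed the file size limit";
    case EBADF:  return "EBADF: the descriptor is not open for writing";
    default:     return "other error; see strerror()";
    }
}

/* Create a UNIX-domain stream pair, close the consumer end, then write to the
 * producer end with SIGPIPE ignored. Returns the errno the write fails with
 * (EPIPE is expected), 0 if the write unexpectedly succeeds, or -1 if the
 * socketpair could not be created. */
int probe_closed_consumer(void)
{
    int fds[2];
    const char rec[] = "constructed audit record\n";   /* constructed sample */

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) == -1)
        return -1;

    /* Without this the process is killed by SIGPIPE before it ever sees
     * errno; a daemon feeding a socket has to make this choice explicitly. */
    signal(SIGPIPE, SIG_IGN);

    close(fds[1]);                          /* the consumer closes early */

    ssize_t n = write(fds[0], rec, sizeof rec - 1);
    int saved = (n == -1) ? errno : 0;      /* capture errno before anything else */
    close(fds[0]);                          /* may change errno; ours is saved */
    return saved;
}

int main(void)
{
    int err = probe_closed_consumer();
    if (err == -1) {
        perror("socketpair");
        return 1;
    }
    printf("write failed with errno %d (%s): %s\n",
           err, strerror(err), explain_audit_write_errno(err));
    return 0;
}
```

The same capture-then-classify pattern applies around the real auditsvc() call: read errno into a local variable on the very next line and log that one value. The cnt policy Darren asks about covers the other half of the report: with auditconfig -setpolicy +cnt the kernel drops (and counts) audit records it cannot deliver instead of suspending the processes that generate them, which is why its presence in audit_startup matters when the audit sink stops accepting data.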