Re: Trouble changing BSM/audit options without reboot

From: Anupam (frj780jdy85533001@sneakemail.com)
Date: 02/06/02


From: "Anupam" <frj780jdy85533001@sneakemail.com>
To: <focus-sun@securityfocus.com>
Date: Tue, 5 Feb 2002 20:36:09 -0500


> I am trying to implement auditing (BSM) on a Solaris 7 system. When I change
> audit settings in either /etc/security/audit_control or
> /etc/security/audit_user is there any way to "reload" the configurations to
> the audit daemon without rebooting?

Based on Pg.12 of "SunSHIELD Basic Security Module Guide", available from
http://docs.sun.com
"Note - The audit -s command does not change the preselection mask for
existing processes. Use autoconfig, setaudit (see the getuid(2) man page),
or auditon for existing processes."

Looks like I just answered my own post.

Thus the only way to have modified audit flags apply retroactively to
previous processes is:
- Write own code to use "setaudit" system call for all previous processes.
- Reboot machine, and apply changes to all processes once system is started up.

I guess the next follow-up question:
- Does anyone have existing code which goes through the process list and changes
the audit options? [ A search on Google turned up only man pages :-) ]

- Anupam

FWIW: Good references on BSM:

- "Auditing in the Solaris [tm] 8 Operating Environment" by Alex
Noordergraaf and William Osser
http://www.sun.com/blueprints/0201/auditing_config.pdf

- "SunSHIELD Basic Security Module Guide" for Solaris 7
http://docs.sun.com/ab2/coll.47.8/SHIELD/@Ab2TocView?Ab2Lang=C&Ab2Enc=iso-8859-1

- "Solaris BSM Auditing" - By Darren Moffat
http://www.securityfocus.com/infocus/1362
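
The following script is an added example, not code from the post or from Sun: it walks the process list and applies a new preselection mask to each process that is already running, which is the case the quoted note says `audit -s` does not cover. It assumes that auditconfig(1M) on the target release accepts `-setpmask pid flags` and that the script runs as root; the function names are hypothetical.

```shell
#!/bin/ksh
# Added example: re-apply audit flags to processes that are already running.
# ksh rather than /bin/sh, because the legacy Bourne shell lacks $(...) and $((...)).
# Assumption: auditconfig(1M) supports "-setpmask pid flags" on this release.

# list_pids [user]: print the PIDs of all processes, or only those owned by user.
list_pids() {
    if [ -n "$1" ]; then
        ps -u "$1" -o pid=
    else
        ps -e -o pid=
    fi
}

# valid_flags flags: accept only audit class tokens such as lo,ad,+fd,-fw,^fr.
valid_flags() {
    case "$1" in
        ''|*[!a-z,+^-]*) return 1 ;;
    esac
    return 0
}

# apply_pmask flags [user]: set the preselection mask on each listed process
# and print "<updated> <failed>" so the caller can log or alert on the result.
apply_pmask() {
    flags=$1
    user=$2
    ok=0
    failed=0
    valid_flags "$flags" || { echo "bad audit flags: $flags" >&2; return 2; }
    for pid in $(list_pids "$user"); do
        # A process can exit between ps and auditconfig; count it, do not abort.
        if auditconfig -setpmask "$pid" "$flags" >/dev/null 2>&1; then
            ok=$((ok + 1))
        else
            failed=$((failed + 1))
        fi
    done
    echo "$ok $failed"
}

# Run only when flags are given, e.g.: ./apply_pmask.ksh lo,ad [user]
if [ "$#" -gt 0 ]; then
    apply_pmask "$@"
fi
```

Run it after editing audit_control or audit_user and issuing `audit -s`, so that new and existing processes end up with the same flags.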