Re: Trouble changing BSM/audit options without reboot

• Previous message: Peter L. Ashford: "Announcing Solaris Security Paper update"
• Next in thread: Darren Moffat: "Re: Trouble changing BSM/audit options without reboot"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Anupam" <frj780jdy85533001@sneakemail.com>
To: <focus-sun@securityfocus.com>
Date: Tue, 5 Feb 2002 20:36:09 -0500

> I am trying to implement auditing (BSM) on a Solaris 7 system. When I
change
> audit settings in either /etc/security/audit_control or
> /etc/security/audit_user is there anyway to "reload" the configurations to
> the audit daemon without rebooting?

Based on Pg.12 of "SunSHIELD Basic Security Module Guide", available from
http://docs.sun.com
"Note - The audit -s command does not change the preselection mask for
existing processes. Use autoconfig, setaudit (see the getuid(2) man page),
or auditon for existing processes."

Looks like I just answered my own post.

Thus the only way to have modified audit flags apply retroactively to
previous processes is:
- Write own code to use "setaudit" system call for all previous processes.
- Reboot machine, and apply changes to all processes once system is started
up.

I guess the next follow-up question:
- Anyone has existing code which goes through the process list and changes
the audit options? [ Search on google turned up only man pages :-) ]

- Anupam

FWIW: Good references on BSM:

- "Auditing in the Solaris [tm] 8 Operating Environment" by Alex
Noordergraaf and William Osser
http://www.sun.com/blueprints/0201/auditing_config.pdf

- "SunSHIELD Basic Security Module Guide" for Solaris 7
http://docs.sun.com/ab2/coll.47.8/SHIELD/@Ab2TocView?Ab2Lang=C&Ab2Enc=iso-88
59-1

- "Solaris BSM Auditing" - By Darren Moffat
http://www.securityfocus.com/infocus/1362

• Previous message: Peter L. Ashford: "Announcing Solaris Security Paper update"
• Next in thread: Darren Moffat: "Re: Trouble changing BSM/audit options without reboot"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: IDS Error - VP Notify ... I've just had the same problem, but with a solaris ... Solaris patch information for the IBM Informix Dynamic Server ... Location of Shared Memory ... Configuring the Operating System Audit Subsystem: ... (comp.databases.informix) Solaris 10 BSM Auditing help ... I am new to Solaris 10 and I am seeking some assistance with the ... following auditing configuration in Solaris 10. ... I would like to know if it is possible to edit the audit classes ... (comp.security.unix) Solaris 10 BSM Auditing help ... I am new to Solaris 10 and I am seeking some assistance with the ... following auditing configuration in Solaris 10. ... I would like to know if it is possible to edit the audit classes ... (comp.unix.solaris) Solaris 10 BSM Auditing help ... I am new to Solaris 10 and I am seeking some assistance with the ... following auditing configuration in Solaris 10. ... I would like to know if it is possible to edit the audit classes ... (comp.sys.sun.admin) Re: auditing ... > yes, I restarted audit -s. ... the Solaris Audit documentation at http://docs.sun.com provides ... Then after becoming root, confirm that the audit preselection mask is set ... With the 'ex' flag correctly set, ... (comp.unix.solaris)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint