IBM Support

Enforce Audit Policy on Solaris Server sensor

Technote (FAQ)


How does Enforce Audit Policy work on Solaris Server sensor?


When the Server Sensor starts up, it sets the audit flags in the BSM file /etc/security/audit_event. When the Server Sensor shuts down, it restores the audit_event file to its pre-startup condition.

If EnforceAuditPolicy is enabled, any change to the flag settings made by an agent other than the sensor, after the sensor has started, causes the sensor to reset the flags to the sensor-required value.

If EnforceAuditPolicy is disabled, any change to these flag settings made by an agent other than the sensor, after the sensor has started, does not cause the sensor to reset the flags to the sensor-required value.

Regardless of the EnforceAuditPolicy setting, the sensor continues to initialize the audit flag values upon startup and shutdown. If you need to reset any of the sensor-related flags while the sensor is running, you will need to do so any time the sensor starts, stops, or receives a policy file update.

You can determine which flags are of interest to the sensor by observing which lines in the audit_event file have 'rs' appended to them.
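The script below is an added example, not IBM code. It lists the 'rs'-tagged lines and, for the case where EnforceAuditPolicy is disabled, compares a saved copy of audit_event with the live file to show flags that another agent changed. The function names sensor_events and flag_drift are hypothetical, the sample data is constructed, and the script assumes that 'rs' is the last comma-separated class in the final colon-separated field of a line.

```shell
#!/bin/sh
# Added example. Assumption: the 'rs' marker is the last comma-separated
# class in the final colon-separated field of an audit_event line.

# Print "number:name:flags" for every event line the sensor has tagged.
sensor_events() {
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and malformed lines
        { n = split($NF, cls, ","); if (cls[n] == "rs") print $1 ":" $2 ":" $NF }
    ' "$1"
}

# Compare tagged events in a saved baseline with the live file and report
# events whose flags changed (CHANGED) or whose line is gone (MISSING).
flag_drift() {
    base="${TMPDIR:-/tmp}/rs_base.$$"
    sensor_events "$1" > "$base"
    awk -F: -v base="$base" '
        FILENAME == base { want[$1] = $3; name[$1] = $2; next }
        /^[ \t]*#/ || NF < 4 { next }
        ($1 in want) {
            if ($NF != want[$1]) print "CHANGED " name[$1] " " want[$1] " -> " $NF
            delete want[$1]
        }
        END { for (e in want) print "MISSING " name[e] " " want[e] }
    ' "$base" "$2"
    rm -f "$base"
}

# Constructed sample data, not taken from a real system.
demo_dir=$(mktemp -d)
cat > "$demo_dir/baseline" <<'EOF'
# snapshot taken right after sensor startup
1:AUE_EXIT:exit(2):ps,rs
2:AUE_FORK:fork(2):ps
23:AUE_EXECVE:execve(2):ps,ex,rs
6152:AUE_login:login - local:lo,rs
EOF
cat > "$demo_dir/live" <<'EOF'
# same file after another agent edited two entries
1:AUE_EXIT:exit(2):ps,rs
2:AUE_FORK:fork(2):ps
23:AUE_EXECVE:execve(2):ps,ex
6152:AUE_login:login - local:no
EOF
flag_drift "$demo_dir/baseline" "$demo_dir/live"
```

On Solaris, the legacy /usr/bin/awk does not accept -v; run the awk calls with nawk or /usr/xpg4/bin/awk instead.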

Cross reference information

Segment: Security
Product: IBM RealSecure Server Sensor for Solaris
Component: Not Applicable
Platform: Platform Independent
Version: Version Independent

Document information

More support for: IBM Security Host Protection
RealSecure Server Sensor

Software version: 7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4

Operating system(s): Solaris

Reference #: 1434392

Modified date: 02 March 2012