How does Enforce Audit Policy work on Solaris Server Sensor?
When the Server Sensor starts, it sets audit flags in the BSM file /etc/security/audit_event. When the Server Sensor shuts down, it restores the audit_event file to its pre-startup condition.
If EnforceAuditPolicy is enabled, any change to the flag settings made by an agent other than the sensor after the sensor has started causes the sensor to reset the flags to the sensor-required value. If EnforceAuditPolicy is disabled, such a change does NOT cause the sensor to reset the flags to the sensor-required value.
Regardless of the EnforceAuditPolicy setting, the sensor continues to initialize the audit flag values upon startup and shutdown. If you need to reset any of the sensor-related flags while the sensor is running, you will need to do so any time the sensor starts, stops or receives a policy file update.
You can determine which flags are of interest to the sensor by observing which lines in the audit_event file have 'rs' appended to them.
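
One way to run the check described above and to notice flag changes when EnforceAuditPolicy is disabled, as an added example that is not IBM tooling. It assumes 'rs' appears as one of the comma-separated classes in the last colon-separated field of each audit_event line; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list audit_event entries that carry the sensor's 'rs' flag
# and report drift against a saved baseline copy of the file.
# Assumption: line layout is event_number:event_name:description:classes.

# Print "number:name" for every event whose class list contains 'rs'.
rs_events() {
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        {
            n = split($NF, cls, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", cls[i])
                if (cls[i] == "rs") { print $1 ":" $2; break }
            }
        }' "$1" | sort
}

# Compare rs-tagged events in a baseline ($1) and the current file ($2).
# Prints "-number:name" for events that lost 'rs' and "+number:name" for
# events that gained it. Returns 0 when identical, 1 on drift.
rs_drift() {
    b=$(mktemp); c=$(mktemp)
    rs_events "$1" > "$b"; rs_events "$2" > "$c"
    out=$( { comm -23 "$b" "$c" | sed 's/^/-/'; comm -13 "$b" "$c" | sed 's/^/+/'; } )
    rm -f "$b" "$c"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample files (not real sensor output) for a stand-alone run.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed baseline' '1:AUE_EXIT:exit(2):ps,rs' \
        '6:AUE_UNLINK:unlink(2):fd,rs' '23:AUE_EXECVE:execve(2):ps,ex,rs' \
        '8:AUE_CHDIR:chdir(2):pm' > "$d/baseline"
    printf '%s\n' '1:AUE_EXIT:exit(2):ps,rs' '6:AUE_UNLINK:unlink(2):fd' \
        '23:AUE_EXECVE:execve(2):ps,ex,rs' '8:AUE_CHDIR:chdir(2):pm' > "$d/current"
    rs_drift "$d/baseline" "$d/current"; rc=$?
    rm -rf "$d"; return $rc
}
demo || echo "drift detected: sensor-related flags changed"
```

On a live host the baseline would be a copy of /etc/security/audit_event taken right after the sensor starts, compared later with `rs_drift baseline /etc/security/audit_event`.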
If the above information does not resolve your issue, please contact IBM Security Systems Technical Support.
RealSecure Server Sensor
RealSecure Network Sensor