Enforce Audit Policy on Solaris Server sensor

Technote (FAQ)


Question

How does Enforce Audit Policy work on Solaris Server sensor?

Answer


When the Server Sensor starts up, it sets the audit flags in the BSM file /etc/security/audit_event. When the Server Sensor shuts down, it restores the audit_event file to its pre-startup condition.

If EnforceAuditPolicy is enabled, any change to the flag settings made by an agent other than the sensor after the sensor has started will cause the sensor to reset the flags to the sensor-required values.

If EnforceAuditPolicy is disabled, any change to these flag settings made by an agent other than the sensor after the sensor has started will not cause the sensor to reset the flags to the sensor-required values.

Regardless of the EnforceAuditPolicy setting, the sensor will continue to initialize the audit flag values upon startup and shutdown. If you need to reset any of the sensor-related flags while the sensor is running, you will need to do so any time the sensor starts, stops, or receives a policy file update.

You can determine which flags are of interest to the sensor by observing which lines in the audit_event file have 'rs' appended to them.
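
As an added example (not IBM's code and not part of the original technote), the following shell functions list the events that carry the 'rs' marker and report events that have lost it relative to a saved copy, which is the change a sensor with EnforceAuditPolicy disabled would not reset. It assumes the marker appears as an extra class in the comma-separated last field of each audit_event line; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed line format: number:name:description:class[,class...]
# with the sensor's 'rs' marker appended as an extra class.

# rs_events: read audit_event text on stdin, print names of events tagged rs.
rs_events() {
    awk -F: '
        /^#/ || NF < 4 { next }              # skip comments and short lines
        {
            n = split($NF, cls, ",")         # class list is the last field
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", cls[i])
                if (cls[i] == "rs") { print $2; break }
            }
        }'
}

# rs_drift BASELINE CURRENT: events tagged rs in BASELINE but not in CURRENT.
rs_drift() {
    _b=$(mktemp) && _c=$(mktemp) || return 1
    rs_events < "$1" | LC_ALL=C sort > "$_b"
    rs_events < "$2" | LC_ALL=C sort > "$_c"
    LC_ALL=C comm -23 "$_b" "$_c"
    rm -f "$_b" "$_c"
}

# Constructed sample: excerpt as left by the sensor at startup.
sample_baseline() {
    printf '%s\n' '# constructed sample' '1:AUE_EXIT:exit(2):ps' \
        '6:AUE_UNLINK:unlink(2):fd,rs' '7:AUE_EXEC:exec(2):ps,ex,rs' \
        '10:AUE_CHMOD:chmod(2):fm,rs' '6152:AUE_login:login - local:lo,rs'
}

# Constructed sample: same excerpt after another tool rewrote two lines.
sample_current() {
    printf '%s\n' '# constructed sample' '1:AUE_EXIT:exit(2):ps' \
        '6:AUE_UNLINK:unlink(2):fd' '7:AUE_EXEC:exec(2):ps,ex,rs' \
        '10:AUE_CHMOD:chmod(2):fm' '6152:AUE_login:login - local:lo,rs'
}

base=$(mktemp); cur=$(mktemp)
sample_baseline > "$base"; sample_current > "$cur"
echo "Events that lost the rs flag since the baseline:"
rs_drift "$base" "$cur"
rm -f "$base" "$cur"
```

On a live host, BASELINE would be a copy of /etc/security/audit_event saved just after the sensor starts, and CURRENT the file itself.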



If the above information does not resolve your issue, contact IBM Security Systems Customer Support.


Cross reference information
Segment | Product | Component | Platform | Version | Edition
Security | IBM RealSecure Server Sensor for Solaris | Not Applicable | Platform Independent | Version Independent |

Historical Number

884

Document information


More support for:

IBM Security Host Protection
RealSecure Server Sensor

Software version:

7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4

Operating system(s):

Solaris

Reference #:

1434392

Modified date:

2012-03-02