How does Enforce Audit Policy work on the Solaris Server Sensor?
When the Server Sensor starts up, it sets the audit flags in the BSM file /etc/security/audit_event. When the Server Sensor shuts down, it restores the audit_event file to its pre-startup condition.
If EnforceAuditPolicy is enabled, any change made to the flag settings by an agent other than the sensor, after the sensor has started, will cause the sensor to reset the flags to the sensor-required values.
If EnforceAuditPolicy is disabled, any change made to these flag settings by an agent other than the sensor, after the sensor has started, will not cause the sensor to reset the flags to the sensor-required values.
Regardless of the EnforceAuditPolicy setting, the sensor will continue to initialize the audit flag values upon startup and shutdown. If you need to reset any of the sensor-related flags while the sensor is running, you will need to do so any time the sensor starts, stops, or receives a policy file update.
You can determine which flags are of interest to the sensor by observing which lines in the audit_event file have 'rs' appended to them.
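The check described above, as an added example that is not IBM code: it lists the events marked 'rs' in an audit_event file and reports events that lost the marker between two snapshots of the file. It assumes 'rs' appears as a comma-separated entry in the last colon-separated field of each line; the function names and sample lines are constructed for illustration, and the script needs a POSIX shell (ksh or bash).

```shell
#!/bin/sh
# Added example, not IBM code.
# Assumption: the sensor's 'rs' marker is one comma-separated entry in the
# last colon-separated field (the class list) of an audit_event line.

# Print "number:name" for each event whose class list contains 'rs'.
rs_events() {
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and short lines
        {
            n = split($NF, cls, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", cls[i])
                if (cls[i] == "rs") { print $1 ":" $2; break }
            }
        }' "$1"
}

# Print events tagged 'rs' in snapshot $1 that are no longer tagged in $2.
rs_drift() {
    current=$(rs_events "$2")
    rs_events "$1" | while IFS= read -r ev; do
        printf '%s\n' "$current" | grep -Fxq -- "$ev" || printf '%s\n' "$ev"
    done
}

# Constructed sample data: a snapshot taken after sensor startup, and a
# later copy in which another agent rewrote the execve line without 'rs'.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline" <<'EOF'
# constructed sample, not a real audit_event file
1:AUE_EXIT:exit(2):ps,rs
2:AUE_FORK:fork(2):ps
23:AUE_EXECVE:execve(2):ps,ex,rs
EOF
    sed 's/^23:.*/23:AUE_EXECVE:execve(2):ps,ex/' "$dir/baseline" > "$dir/current"
    echo "sensor events:"; rs_events "$dir/baseline"
    echo "lost rs flag:";  rs_drift "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}
demo
```

With EnforceAuditPolicy disabled, running rs_drift against a snapshot saved after sensor startup shows which sensor flags another agent has removed.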
If the above information does not resolve your issue, contact IBM Security Systems Customer Support.
|Security||IBM RealSecure Server Sensor for Solaris||Not Applicable||Platform Independent||Version Independent|