Security Agent for UNIX p75p3

  • 7018812
  • 18-Apr-2017
  • 02-May-2017

Environment

Sentinel security agent for UNIX

Situation

In Solaris and Linux, the following event fields are not populated appropriately:

  • SessionID
  • EffectiveUserName
  • RealUserName

The alert_agent process crashes when it parses a spooled Sentinel event that has an empty Message field; after the crash it stops sending events to Sentinel.

Resolution

Security Agent for UNIX p75p3 provides the following software fixes:

  • Security Agent for UNIX now populates the RealUserName event field appropriately.
  • Security Agent for UNIX now populates the EffectiveUserName event field with the actual user name that modified the file.
  • In Solaris, Security Agent for UNIX now populates the SessionID event field.
  • The alert_agent process no longer crashes when parsing a spooled Sentinel event that has an empty Message field.

Cause

In Solaris, when a user switches between multiple accounts, Security Agent for UNIX does not populate all the user names in BSM events.

In Solaris and Linux, when a file is modified by a non-root user, the Sentinel event indicates that the file was modified by a root user, because Security Agent for UNIX does not populate the EffectiveUserName event field with the actual user name.

Security Agent for UNIX does not populate the SessionID event field.

The alert_agent process stops sending events to Sentinel when a spooled Sentinel event has an empty Message field.
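The empty-Message failure described in the Situation and Cause sections is a general pattern: a forwarder that assumes every field is non-empty lets one malformed spool record halt delivery of all later events. The following added example (not Security Agent for UNIX or Sentinel code; the tab-separated key=value spool layout, the field names used and the sample records are all constructed for illustration) shows a naive parser that raises on an empty Message field beside a tolerant one that forwards the record with the empty value and only drops records that cannot be parsed at all, so a single bad record does not stop the pipeline.

```python
"""Spooled-event parsing: one bad record must not stop the forwarder.

Added example; the spool format is an assumption (one event per line,
tab-separated key=value pairs), not the agent's real on-disk format.
"""

# Constructed sample spool. Record 2 has an empty Message field, record 3
# has no Message key at all, and record 4 is corrupt (no key=value pairs).
SAMPLE_SPOOL = [
    "EventName=FileModified\tRealUserName=alice\tEffectiveUserName=alice"
    "\tSessionID=1001\tMessage=/etc/hosts modified",
    "EventName=FileModified\tRealUserName=bob\tEffectiveUserName=root"
    "\tSessionID=1002\tMessage=",
    "EventName=Login\tRealUserName=carol\tSessionID=1003",
    "garbage record without any separators",
]


def parse_event_naive(line):
    """Naive parser: assumes Message exists and has at least one word."""
    fields = dict(pair.split("=", 1) for pair in line.split("\t"))
    # Taking the "subject" as the first word of Message raises IndexError
    # when Message is empty; a missing key raises KeyError instead.
    subject = fields["Message"].split()[0]
    return subject, fields


def naive_forward(lines):
    """Stops at the first bad record: every later event is never sent."""
    return [parse_event_naive(line) for line in lines]


def parse_event(line):
    """Tolerant parser: returns a dict of fields, or None if unparseable.

    An empty or absent Message is a legitimate value and is kept as "".
    Only records with no key=value structure are rejected.
    """
    fields = {}
    for pair in line.split("\t"):
        if "=" not in pair:
            return None  # corrupt record; caller decides what to do
        key, value = pair.split("=", 1)
        fields[key] = value
    fields.setdefault("Message", "")
    return fields


def forward_spool(lines):
    """Process every record; unparseable ones are counted, not fatal.

    Returns (forwarded_events, dropped_record_numbers). Tracking dropped
    record numbers gives an operator a signal that the spool is corrupt
    without sacrificing delivery of the remaining events.
    """
    forwarded, dropped = [], []
    for number, line in enumerate(lines, 1):
        event = parse_event(line)
        if event is None:
            dropped.append(number)
            continue
        forwarded.append(event)
    return forwarded, dropped


if __name__ == "__main__":
    events, bad = forward_spool(SAMPLE_SPOOL)
    print(f"forwarded {len(events)} events, dropped records {bad}")
    try:
        naive_forward(SAMPLE_SPOOL)
    except (IndexError, KeyError) as exc:
        print(f"naive forwarder halted: {exc!r}")
```

The tolerant version treats an empty Message as data rather than as an error, and only a record that cannot be split into fields is dropped; the dropped-record list is the operational signal that should raise an alert, since a forwarder that silently swallows corrupt spool data hides an integrity problem just as a crashing one hides an availability problem.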