Enabling RT-FIM driver on AIX can cause system crashes

Article:TECH186580  |  Created: 2012-04-16  |  Updated: 2014-10-03  |  Article URL http://www.symantec.com/docs/TECH186580
Article Type
Technical Solution


Issue



Enabling RT-FIM on a system on which auditing has been enabled can cause a system crash at boot. This can occur after installing SCSP with RT-FIM enabled or after having enabled RT-FIM on a prior installation. 

NOTE: This issue can occur at other times as well. It is recommended to disable RT-FIM until the issue is addressed in SCSP 5.2.8 MP4.


Environment



This is a known issue that has been experienced on the following SCSP versions:

agent-aix.bin  5.2.8.164
agent-aix.bin  5.2.8.172
agent-aix.bin  5.2.8.193

 


Solution



 

This issue has been resolved in SCSP Agent 5.2.8 MP4.

 
Workaround: The immediate solution is to disable RT-FIM altogether if the AIX system is running one of the agent versions listed above.
 
There are 2 ways to disable RT-FIM:
1.     During installation there is an option to Enable/Disable Real-Time File Integrity Monitoring. The default is Enabled but the user can change that setting right at the beginning of installation.
2.     Post-installation via the command:
        su - sisips -c "./sisipsconfig.sh -rtfim off"

The 2nd method requires a reboot to completely remove the driver from the system.



