auditd netlink headers

Steve Grubb sgrubb at redhat.com
Fri Apr 29 19:57:36 UTC 2005


On Friday 29 April 2005 15:41, Chris Wright wrote:
> We are (in theory, not sure about practice). 

The code was in a function called audit_listen that was removed after 0.6.4.

> Say an exe path of > 990 bytes, or any payload of that size.

That was my concern. Paths can be 4096 bytes (which is another reason I 
wanted to see test cases with big filenames - to see what all breaks).

> You should get two fragments, and auditd drops them both.  The second
> I'm suspecting it's pure luck because NLMSG_OK() is looking at audit
> data as a netlink header.

It has to be coded differently. I'll see if I can create this problem by 
making a long pathname and accessing it while doing syscall auditing.

-Steve
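
The point in the quoted text about NLMSG_OK() reading audit data as a netlink header, shown as an added example (not code from auditd or from this thread): the macro is applied to two constructed buffers that carry no header at all. `text_frag`, `make_binary_frag` and `accepted_as_header` are hypothetical names, and the fallback definitions are used only where <linux/netlink.h> is not available.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__has_include)
#  if __has_include(<linux/netlink.h>)
#    include <linux/netlink.h>
#  endif
#endif
#ifndef NLMSG_OK
/* Fallback: header layout and macro as defined in <linux/netlink.h>. */
struct nlmsghdr {
    uint32_t nlmsg_len;               /* total length, header included */
    uint16_t nlmsg_type, nlmsg_flags;
    uint32_t nlmsg_seq, nlmsg_pid;
};
#define NLMSG_OK(nlh, len) ((len) >= (int)sizeof(struct nlmsghdr) && \
    (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && (nlh)->nlmsg_len <= (len))
#endif

/* Constructed sample: tail of a long path, printable text with no header. */
const char text_frag[] = "/very/long/dir/name/continues/here/file.txt";

/* Constructed sample: payload whose first four bytes decode to 32. */
void make_binary_frag(unsigned char *out, size_t cap)
{
    uint32_t fake_len = 32;
    memset(out, 'A', cap);
    memcpy(out, &fake_len, sizeof fake_len);
}

/* Apply NLMSG_OK() to the start of buf as if it began a new message. */
int accepted_as_header(const void *buf, int len)
{
    struct nlmsghdr hdr;
    if (len < (int)sizeof hdr) return 0;
    memcpy(&hdr, buf, sizeof hdr);    /* copy out: buf may be unaligned */
    return NLMSG_OK(&hdr, len) ? 1 : 0;
}

int main(void)
{
    unsigned char bin[64];
    make_binary_frag(bin, sizeof bin);
    printf("text fragment accepted:   %d\n",
           accepted_as_header(text_frag, (int)sizeof text_frag - 1));
    printf("binary fragment accepted: %d\n",
           accepted_as_header(bin, (int)sizeof bin));
    return 0;
}
```

Printable text decodes to a length far larger than the buffer, so the check rejects it; a payload whose first four bytes decode to a plausible length passes, so the macro alone cannot tell a continuation fragment from a new message.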