audit-0.6.7 released

Steve Grubb sgrubb at redhat.com
Thu Mar 10 22:26:45 UTC 2005


On Thursday 10 March 2005 17:12, Chris Wright wrote:
> I think I missed that one, but it's fixed?

That depends on the kernel you're using, your platform, and how you compile 
auditd. As of audit-0.6.6, it uses the glibc-kernheaders which has a 
sanitized copy of audit.h. The filesystem logging patch inserted a flag for 
fs_enable in the middle of the audit_status structure instead of the end. The 
user space tools & kernel, therefore, had a different idea about the layout 
of any received status packets. Status packets change any of the attributes 
listed in the auditctl -s command.

We should probably add a warning comment at the top of the kernel's 
audit_status struct to only add data elements to the end of the structure or 
you risk breaking user space.

It should be fixed in the .11 kernel David posted to the yum repo Tuesday. 
However, there may be another kernel bug she's found that I haven't seen if 
she's running David's latest kernel.

Hope this helps...

-Steve
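
The layout mismatch described in this message, as an added C example that is not part of the original post or of the audit project's code. The structs are simplified stand-ins for audit_status; the field list, the position of fs_enable and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout user space was compiled against (simplified stand-in). */
struct status_user {
    uint32_t mask, enabled, failure, pid, rate_limit, backlog_limit;
};

/* Kernel layout with the new flag inserted in the middle (position assumed). */
struct status_kernel_mid {
    uint32_t mask, enabled, failure, fs_enable, pid, rate_limit, backlog_limit;
};

/* Kernel layout with the new flag appended at the end. */
struct status_kernel_end {
    uint32_t mask, enabled, failure, pid, rate_limit, backlog_limit, fs_enable;
};

/* Build-time ABI guard: appending keeps every old offset.
 * The same assertion against status_kernel_mid fails to compile. */
_Static_assert(offsetof(struct status_kernel_end, pid) ==
               offsetof(struct status_user, pid), "pid offset changed");

/* User-space receive path. Returns 0 on an exact size match, 1 if the
 * payload is larger than expected (the layouts differ; the size alone
 * cannot say whether old offsets survived), -1 if it is too short. */
int parse_status(const void *payload, size_t len, struct status_user *out)
{
    if (len < sizeof(*out))
        return -1;
    memcpy(out, payload, sizeof(*out));
    return len == sizeof(*out) ? 0 : 1;
}

/* pid as read by old user space when the kernel uses the mid-insert layout. */
uint32_t pid_seen_mid(uint32_t real_pid)
{
    struct status_kernel_mid k = { .enabled = 1, .fs_enable = 1, .pid = real_pid };
    struct status_user u;
    parse_status(&k, sizeof(k), &u);
    return u.pid; /* this slot now holds fs_enable, not the pid */
}

/* Same read when the flag was appended: the old offsets still line up. */
uint32_t pid_seen_end(uint32_t real_pid)
{
    struct status_kernel_end k = { .enabled = 1, .fs_enable = 1, .pid = real_pid };
    struct status_user u;
    parse_status(&k, sizeof(k), &u);
    return u.pid;
}
```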



