[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit-0.6.7 released



On Thursday 10 March 2005 17:12, Chris Wright wrote:
> I think I missed that one, but it's fixed?

That depends on the kernel you're using, your platform, and how you compile 
auditd. As of audit-0.6.6, it uses the glibc-kernheaders which has a 
sanitized copy of audit.h. The filesystem logging patch inserted a flag for 
fs_enable in the middle of the audit_status structure instead of the end. The 
user space tools & kernel, therefore, had a different idea about the layout 
of any received status packets. Status packets change any of the attributes 
listed in the auditctl -s command.

We should probably add a warning comment at the top of the kernel's 
audit_status struct to only add data elements to the end of the structure or 
you risk breaking user space.

It should be fixed in the .11 kernel David posted to the yum repo Tuesday. 
However, there may be another kernel bug she's found that I haven't seen if 
she's running David's latest kernel.

Hope this helps...

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]