[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit-0.6.7 released



* Steve Grubb (sgrubb redhat com) wrote:
> On Thursday 10 March 2005 17:12, Chris Wright wrote:
> > I think I missed that one, but it's fixed?
> 
> That depends on the kernel you're using, your platform, and how you compile 
> auditd. As of audit-0.6.6, it uses the glibc-kernheaders which has a 
> sanitized copy of audit.h. The filesystem logging patch inserted a flag for 
> fs_enable in the middle of the audit_status structure instead of the end. The 
> user space tools & kernel, therefore, had a different idea about the layout 
> of any received status packets. Status packets change any of the attributes 
> listed in the auditctl -s command.

OK, I did see that, thanks.

> We should probably add a warning comment at the top of the kernel's 
> audit_status struct to only add data elements to the end of the structure or 
> you risk breaking user space.

Yeah, the headers need some general santitation.

> It should be fixed in the .11 kernel David posted to the yum repo Tuesday. 
> However, there may be another kernel bug she's found that I haven't seen if 
> she's running David's latest kernel.
> 
> Hope this helps...

Yes it does.

cheers,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]