audit-0.6.7 released
Chris Wright
chrisw at osdl.org
Thu Mar 10 22:52:11 UTC 2005
* Steve Grubb (sgrubb at redhat.com) wrote:
> On Thursday 10 March 2005 17:12, Chris Wright wrote:
> > I think I missed that one, but it's fixed?
>
> That depends on the kernel you're using, your platform, and how you compile
> auditd. As of audit-0.6.6, it uses the glibc-kernheaders which has a
> sanitized copy of audit.h. The filesystem logging patch inserted a flag for
> fs_enable in the middle of the audit_status structure instead of the end. The
> user space tools & kernel, therefore, had a different idea about the layout
> of any received status packets. Status packets change any of the attributes
> listed in the auditctl -s command.
OK, I did see that, thanks.
> We should probably add a warning comment at the top of the kernel's
> audit_status struct to only add data elements to the end of the structure or
> you risk breaking user space.
Yeah, the headers need some general santitation.
> It should be fixed in the .11 kernel David posted to the yum repo Tuesday.
> However, there may be another kernel bug she's found that I haven't seen if
> she's running David's latest kernel.
>
> Hope this helps...
Yes it does.
cheers,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
More information about the Linux-audit
mailing list