Patch Name: PHKL_18793

Patch Description: s700 10.26 audit cumulative patch

Creation Date: 99/09/03

Post Date:  99/09/10

Hardware Platforms - OS Releases:
	s700: 10.26

Products: N/A

Filesets:
	BLS.BLS-CORE OS-Core.CORE-KRN

Automatic Reboot?: Yes

Status: General Superseded

Critical: No

Path Name: /hp-ux_patches/s700/10.X/PHKL_18793

Symptoms:
	PHKL_18793:
	While system call auditing is off, the changed process
	attributes e.g. loginuid, uid and privileges etc. are
	not reflected correctly in the subsequent command
	generated audit records.

	PHKL_17899:
	System may reach deadlock condition in auditing code

	PHKL_17890:
	10.26 audits only the first 358 system calls.

Defect Description:
	PHKL_18793:
	When system call auditing is off, kernel is not
	generating audit records to reflect the new state of the
	process before genearting new audit records.

	Resolution
	  Changed kernel to generate the missing audit record to
	  reflect the changed state of the process.

	PHKL_17899:
	After allocating a big chunk of audit buffers, the audit
	subsystem may try to write another audit record before
	releasing the buffers.  The second request may put the
	process in context to sleep to honour the space constraints
	enforced by the audit subsystem. The process will
	be deadlocked.  Subsequently, all other processes will
	also be put to sleep waiting for audit buffer space.

	Resolution:
	Prevent the deadlock by overriding the space constraints
	for the second audit request.

	PHKL_17890:
	The current 10.26 code audits only the first 358 system
	calls. The base 10.20 supports a total of 453 system calls
	including large filesystem calls.  The 10.26 code has been
	enhanced to audit the large filesystem calls which happens
	to be from 359 to 371.  The system calls from 372 to 453
	are not supported in 10.26.

	Resolution:
	Update audit_table and auditmsg.h to support the large
	filesystem calls.

SR:
	0000000000

Patch Files:
	/usr/conf/lib/libsec.a(audit_dev.o)
	/usr/conf/lib/libsec.a(sec_audit.o)
	/usr/include/sys/audit.h
	/usr/include/sys/auditmsg.h
	/etc/conf/h/audit.h
	/usr/conf/h/auditmsg.h

what(1) Output:
	/usr/conf/lib/libsec.a(sec_audit.o):
		99/06/08 kern/sec/sec_audit.c, hpux, hpux_10.26, ic5
			dc Revision 1.7 PATCH_10.26 (PHKL_18793)
		99/03/09 kern/sec/audit_table, hpux, hpux_10.26, ic5
			dc Revision 1.3 PATCH_10.26 (PHKL_17890)
	/usr/conf/lib/libsec.a(audit_dev.o):
		99/08/30 kern/sec/audit_dev.c, hpux, hpux_10.26, ic5
			dc Revision 1.7 PATCH_10.26 (PHKL_18793)
	/usr/include/sys/audit.h:
		$Revision: 1.5 kern/h/audit.h, hpux, hpux_10.26, ic5
			bn $ $Date: 99/03/10 14:05:14 $ Hewlett-Pack
			ard Co. */
		99/03/10 kern/h/audit.h, hpux, hpux_10.26, ic5bn Rev
			ision 1.5 PATCH_10.26 (PHKL_17899) */
	/usr/include/sys/auditmsg.h:
		$Revision: 1.3 kern/h/auditmsg.h, hpux, hpux_10.26, 
			ic5bn $ $Date: 99/03/09 16:08:54 $ Hewlett-P
			ackard Co. */
		$Revision: Hewlett-Packard ISSL 1.6 kern/h/auditmsg.
			h, sysaudit, vvos_davis, davis7 $ $Date: 96/
			12/05 07:42:32 $ */
		99/03/09 kern/h/auditmsg.h, hpux, hpux_10.26, ic5bn 
			Revision 1.3 PATCH_10.26 (PHKL_17890) */
	/etc/conf/h/audit.h:
		$Revision: 1.5 kern/h/audit.h, hpux, hpux_10.26, ic5
			bn $ $Date: 99/03/10 14:05:14 $ Hewlett-Pack
			ard Co. */
		99/03/10 kern/h/audit.h, hpux, hpux_10.26, ic5bn Rev
			ision 1.5 PATCH_10.26 (PHKL_17899) */
	/usr/conf/h/auditmsg.h:
		$Revision: 1.3 kern/h/auditmsg.h, hpux, hpux_10.26, 
			ic5bn $ $Date: 99/03/09 16:08:54 $ Hewlett-P
			ackard Co. */
		$Revision: Hewlett-Packard ISSL 1.6 kern/h/auditmsg.
			h, sysaudit, vvos_davis, davis7 $ $Date: 96/
			12/05 07:42:32 $ */
		99/03/09 kern/h/auditmsg.h, hpux, hpux_10.26, ic5bn 
			Revision 1.3 PATCH_10.26 (PHKL_17890) */

cksum(1) Output:
	50398225 22388 /usr/conf/lib/libsec.a(sec_audit.o)
	711426692 15936 /usr/conf/lib/libsec.a(audit_dev.o)
	904430699 55723 /usr/include/sys/audit.h
	4252923120 25519 /usr/include/sys/auditmsg.h
	904430699 55723 /etc/conf/h/audit.h
	4252923120 25519 /usr/conf/h/auditmsg.h

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
	PHKL_17890 PHKL_17899

Equivalent Patches:
	PHKL_18794:
	s800: 10.26

Patch Package Size: 270 KBytes

Installation Instructions:
	Please review all instructions and the Hewlett-Packard
	SupportLine User Guide or your Hewlett-Packard support terms
	and conditions for precautions, scope of license,
	restrictions, and, limitation of liability and warranties,
	before installing this patch.
	------------------------------------------------------------
	1. Back up your system before installing a patch.

	2. Login as root.

	3. Copy the patch to the /tmp directory.

	4. Move to the /tmp directory and unshar the patch:

		cd /tmp
		sh PHKL_18793

	5a. For a standalone system, run swinstall to install the
	    patch:

		swinstall -x autoreboot=true -x match_target=true \
			-s /tmp/PHKL_18793.depot

	By default swinstall will archive the original software in 
	/var/adm/sw/patch/PHKL_18793.  If you do not wish to retain a
	copy of the original software, you can create an empty file
	named /var/adm/sw/patch/PATCH_NOSAVE. 

	WARNING: If this file exists when a patch is installed, the 
	         patch cannot be deinstalled.  Please be careful
		 when using this feature.

	It is recommended that you move the PHKL_18793.text file to 
	/var/adm/sw/patch for future reference.

	To put this patch on a magnetic tape and install from the
	tape drive, use the command:

		dd if=/tmp/PHKL_18793.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None