Patch Name: PHKL_26735 Patch Description: s700 10.26 audit cumulative patch Creation Date: 02/06/12 Post Date: 02/08/02 Hardware Platforms - OS Releases: s700: 10.26 Products: N/A Filesets: BLS.BLS-CORE OS-Core.CORE-KRN BLS.BLS-ENG-A-MAN Automatic Reboot?: Yes Status: General Release Critical: Yes PHKL_26735: ABORT Path Name: /hp-ux_patches/s700/10.X/PHKL_26735 Symptoms: PHKL_26735: Audit daemon does not behave as expected when audit record size is greater than 64K. PHKL_18793: While system call auditing is off, the changed process attributes e.g. loginuid, uid and privileges etc. are not reflected correctly in the subsequent command generated audit records. PHKL_17899: System may reach deadlock condition in auditing code PHKL_17890: 10.26 audits only the first 358 system calls. Defect Description: PHKL_26735: Audit daemon does not behave as expected when audit record size is greater than 64K. Resolution: When the record size is greater than 64K audit driver will return an error(EINVAL). Also the audit driver generates an audit event of type ET_AUDIT. This is to notify the error occurance during audit. PHKL_18793: When system call auditing is off, kernel is not generating audit records to reflect the new state of the process before genearting new audit records. Resolution Changed kernel to generate the missing audit record to reflect the changed state of the process. PHKL_17899: After allocating a big chunk of audit buffers, the audit subsystem may try to write another audit record before releasing the buffers. The second request may put the process in context to sleep to honour the space constraints enforced by the audit subsystem. The process will be deadlocked. Subsequently, all other processes will also be put to sleep waiting for audit buffer space. Resolution: Prevent the deadlock by overriding the space constraints for the second audit request. PHKL_17890: The current 10.26 code audits only the first 358 system calls. The base 10.20 supports a total of 453 system calls including large filesystem calls. The 10.26 code has been enhanced to audit the large filesystem calls which happens to be from 359 to 371. The system calls from 372 to 453 are not supported in 10.26. Resolution: Update audit_table and auditmsg.h to support the large filesystem calls. SR: 0000000000 Patch Files: /usr/conf/lib/libsec.a(audit_dev.o) /usr/conf/lib/libsec.a(sec_audit.o) /usr/include/sys/audit.h /usr/include/sys/auditmsg.h /etc/conf/h/audit.h /usr/conf/h/auditmsg.h /usr/share/man/man3.Z/authaudit.3 what(1) Output: /usr/conf/lib/libsec.a(sec_audit.o): 99/06/08 kern/sec/sec_audit.c, hpux, hpux_10.26, ic5 dc Revision 1.7 PATCH_10.26 (PHKL_18793) 99/03/09 kern/sec/audit_table, hpux, hpux_10.26, ic5 dc Revision 1.3 PATCH_10.26 (PHKL_17890) /usr/conf/lib/libsec.a(audit_dev.o): 02/04/16 kern/sec/audit_dev.c, hpux, hpux_10.26, ic5 gs Revision 1.8 PATCH_10.26 (PHKL_26735) /usr/include/sys/audit.h: $Revision: 1.5 kern/h/audit.h, hpux, hpux_10.26, ic5 bn $ $Date: 99/03/10 14:05:14 $ Hewlett-Pack ard Co. */ 99/03/10 kern/h/audit.h, hpux, hpux_10.26, ic5bn Rev ision 1.5 PATCH_10.26 (PHKL_17899) */ /usr/include/sys/auditmsg.h: $Revision: 1.3 kern/h/auditmsg.h, hpux, hpux_10.26, ic5bn $ $Date: 99/03/09 16:08:54 $ Hewlett-P ackard Co. */ $Revision: Hewlett-Packard ISSL 1.6 kern/h/auditmsg. h, sysaudit, vvos_davis, davis7 $ $Date: 96/ 12/05 07:42:32 $ */ 99/03/09 kern/h/auditmsg.h, hpux, hpux_10.26, ic5bn Revision 1.3 PATCH_10.26 (PHKL_17890) */ /etc/conf/h/audit.h: $Revision: 1.5 kern/h/audit.h, hpux, hpux_10.26, ic5 bn $ $Date: 99/03/10 14:05:14 $ Hewlett-Pack ard Co. */ 99/03/10 kern/h/audit.h, hpux, hpux_10.26, ic5bn Rev ision 1.5 PATCH_10.26 (PHKL_17899) */ /usr/conf/h/auditmsg.h: $Revision: 1.3 kern/h/auditmsg.h, hpux, hpux_10.26, ic5bn $ $Date: 99/03/09 16:08:54 $ Hewlett-P ackard Co. */ $Revision: Hewlett-Packard ISSL 1.6 kern/h/auditmsg. h, sysaudit, vvos_davis, davis7 $ $Date: 96/ 12/05 07:42:32 $ */ 99/03/09 kern/h/auditmsg.h, hpux, hpux_10.26, ic5bn Revision 1.3 PATCH_10.26 (PHKL_17890) */ /usr/share/man/man3.Z/authaudit.3: None cksum(1) Output: 50398225 22388 /usr/conf/lib/libsec.a(sec_audit.o) 78355673 16612 /usr/conf/lib/libsec.a(audit_dev.o) 904430699 55723 /usr/include/sys/audit.h 4252923120 25519 /usr/include/sys/auditmsg.h 904430699 55723 /etc/conf/h/audit.h 4252923120 25519 /usr/conf/h/auditmsg.h 2658750108 4181 /usr/share/man/man3.Z/authaudit.3 Patch Conflicts: None Patch Dependencies: None Hardware Dependencies: None Other Dependencies: None Supersedes: PHKL_17890 PHKL_17899 PHKL_18793 Equivalent Patches: PHKL_26745: s800: 10.26 Patch Package Size: 270 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHKL_26735 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHKL_26735.depot By default swinstall will archive the original software in /var/adm/sw/patch/PHKL_26735. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. WARNING: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHKL_26735.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHKL_26735.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: None