Patch Name: PHCO_19933 Patch Description: s700_800 10.26 reduce(1M) cumulative patch Creation Date: 99/09/24 Post Date: 99/10/12 Hardware Platforms - OS Releases: s700: 10.26 s800: 10.26 Products: N/A Filesets: BLS.BLS-CORE Automatic Reboot?: No Status: General Release Critical: No Path Name: /hp-ux_patches/s700_800/10.X/PHCO_19933 Symptoms: PHCO_19933: For some cases, reduce reports incorrect audit information for execve() system call. PHCO_18795: 1. The audit records for the chdir and chroot system calls show the wrong information when the relative pathnames are used. 2. The process info record is incomplete in the report. 3. The reduce command generates core dump when X server auditing is enabled. It also generate garbage information in the audit report. PHCO_17889: 10.26 audits only the first 358 system calls. Defect Description: PHCO_19933: The execve() can be used to execute an a.out file or a script file. In case of a script file, audit subsystem generates RT_SYSCALL2 type of record. But reduce does not take special action on this and so reports the information incorrectly. PHCO_18795: 1. The audit record in the report for the chdir and chroot system call is ambiguous. It should show the following information: System Call: chdir Change current directory to: Resulting current directory: System Call: chroot Change root directory to: Resulting root directory: The handling of the ".." is incorrect in absence of absolute pathname of the work/root directory. 2. The process info record is generated by the kernel for reduce consumption. This information is useless for user. 3. The reduce command generates core dump when X server auditing is enabled. It also generate garbage information in the audit report. Resolution: . Changed the format of the audit record in the report. Fixed the ".." handling. . The process info record is not reported in the report. PHCO_17889: The current 10.26 code audits only the first 358 system calls. The base 10.20 supports a total of 453 system calls including large filesystem calls. The 10.26 code has been enhanced to audit the large filesystem calls which happens to be from 359 to 371. The system calls from 372 to 453 are not supported in 10.26. Resolution: Modify reduce to handle system calls from 359 to 371. SR: 0000000000 Patch Files: /tcb/bin/reduce what(1) Output: /tcb/bin/reduce: 1999/09/16 Hewlett-Packard HP-UX 10.26 TOS [ ic5dh - DAV17 ] 99/09/15 seccmd/reduce.c, hpux, hpux_10.26, ic5dh Re vision 1.9 PATCH_10.26 (PHCO_19933) cksum(1) Output: 3484787852 90112 /tcb/bin/reduce Patch Conflicts: None Patch Dependencies: s700: 10.26: PHKL_18793 s800: 10.26: PHKL_18794 Hardware Dependencies: None Other Dependencies: None Supersedes: PHCO_17889 PHCO_18795 Equivalent Patches: None Patch Package Size: 150 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHCO_19933 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHCO_19933.depot By default swinstall will archive the original software in /var/adm/sw/patch/PHCO_19933. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. WARNING: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHCO_19933.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHCO_19933.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: None