Patch Name: PHSS_10372 Patch Description: s700_800 10.09-10.16 VirtualVault Audit Subsystem Patch Creation Date: 97/03/24 Post Date: 97/04/22 Hardware Platforms - OS Releases: s700: 10.09 10.16 s800: 10.09 10.16 Products: VirtualVault Transaction Server A.01.00 International Release VirtualVault Transaction Server A.01.00 US/Canada Release VirtualVault Transaction Server A.01.01 International Release VirtualVault Transaction Server A.01.01 US/Canada Release Filesets: VaultTS.CMW-ADMIN-RUN,A.01.00,A.01.01 VaultTS.VAULT-CORE-CMN,A.01.00,A.01.01 Automatic Reboot?: No Status: General Release Critical: No Path Name: /hp-ux_patches/s700_800/10.X/PHSS_10372 Symptoms: PHSS_10372: This patch replaces the previous audit patch, PHSS_8929. Under certain circumstances, reduce and alarmd can terminate abnormally when processing large audit records. PHSS_8929: 1. Specific pattern searches fail to match when alarm is triggered. 2. Audit account not successfully unlocked during install 3. Audit data filling root file system in multi-user mode 4. Two crontab jobs created after setting audit rollover w/admin interface. 5. Audit rollover cron job fails if output file not writable 6. Alarms do not trigger commands or mail Defect Description: PHSS_10372: 1. Large audit records submitted by privileged prgrams can result in reduce reporting a potential compression buffer overflow before abnormally terminating. The compression buffer is dynamically allocated and not in the process's stack. Sites which have the earlier Audit Subsystem Patch, PHSS_8929, should replace PHSS_8929 with PHSS_10372. PHSS_8929: 1. Patterns (for alarm filtering) are not being recognized when an alarm is triggered and the notification action has been set to 'Log to file'. This effectively means that nothing gets logged to the file. 2. Preinstall not unlocking Audit account. 3. When auditing is started from the administration screen, the audit daemon does not direct audit data to the multi-user audit directories. 4. Default audit crontab file and crontab file created with admin interface are being created with different sensitivity levels. 5. Audit rollover cron job fails if output file not writable. 6. If a user specifies an incorrectly formatted command to be executed as part of the alarm protection of notifi- cation actions, no warning is given to the user. SR: 4701337857 4701337691 4701337709 4701337717 4701337725 4701349159 Patch Files: /opt/vaultTS/root/tcb/bin/alarmd /opt/vaultTS/root/tcb/bin/reduce /var/opt/vaultTS/inside/vault/include/alarm-def.html /var/opt/vaultTS/inside/vault/bin/alarm-create /var/opt/vaultTS/inside/vault/bin/alarm-mod /var/opt/vaultTS/inside/vault/bin/aud-param /var/opt/vaultTS/inside/vault/bin/aud-proc /etc/auth/system/files.fcdb/25.patches/PHSS10372.fcdb what(1) Output: /opt/vaultTS/root/tcb/bin/alarmd: None /opt/vaultTS/root/tcb/bin/reduce: None /var/opt/vaultTS/inside/vault/include/alarm-def.html: None /var/opt/vaultTS/inside/vault/bin/alarm-create: None /var/opt/vaultTS/inside/vault/bin/alarm-mod: None /var/opt/vaultTS/inside/vault/bin/aud-param: None /var/opt/vaultTS/inside/vault/bin/aud-proc: None /etc/auth/system/files.fcdb/25.patches/PHSS10372.fcdb: None cksum(1) Output: 566838922 238660 /opt/vaultTS/root/tcb/bin/alarmd 1890481785 139503 /opt/vaultTS/root/tcb/bin/reduce 2538515887 16863 /var/opt/vaultTS/inside/vault/include/ alarm-def.html 2085498754 151356 /var/opt/vaultTS/inside/vault/bin/ alarm-create 3647185306 163204 /var/opt/vaultTS/inside/vault/bin/ alarm-mod 3462161269 206780 /var/opt/vaultTS/inside/vault/bin/ aud-param 38458955 177856 /var/opt/vaultTS/inside/vault/bin/aud-proc 1928397358 469 /etc/auth/system/files.fcdb/25.patches/ PHSS10372.fcdb Patch Conflicts: None Patch Dependencies: None Hardware Dependencies: None Other Dependencies: None Supersedes: PHSS_8929 Equivalent Patches: None Patch Package Size: 1140 Kbytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHSS_10372 5a. For a standalone system, run swinstall to install the patch: swinstall -x autoreboot=true -x match_target=true \ -s /tmp/PHSS_10372.depot 5b. For a homogeneous NFS Diskless cluster run swcluster on the server to install the patch on the server and the clients: swcluster -i -b This will invoke swcluster in the interactive mode and force all clients to be shut down. WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems. The swcluster command will invoke an swinstall session in which you must specify: alternate root path - default is /export/shared_root/OS_700 source depot path - /tmp/PHSS_10372.depot To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the Menubar. 5c. For a heterogeneous NFS Diskless cluster: - run swinstall on the server as in step 5a to install the patch on the cluster server. - run swcluster on the server as in step 5b to install the patch on the cluster clients. By default swinstall will archive the original software in /var/adm/sw/patch/PHSS_10372. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE. Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. It is recommended that you move the PHSS_10372.text file to /var/adm/sw/patch for future reference. To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHSS_10372.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: Disregard the above installation instructions. They are automatically generated and are not specific to the VirtualVault environment. The correct procedure for installing the Audit Subsystem Patch (PHSS_10372) is as follows : 1. Backup your system before installing a patch. 2. Login as root; open an xterm window at the SYSTEM level. 3. Copy the patch to the /patches directory. Create /patches using: mkdir -p /patches 4. Move to the /patches directory and unshar the patch: cd /patches sh PHSS_10372 5. Run swinstall to install the patch: swinstall -x match_target=true -s /patches/PHSS_10372.depot Although not required, this patch should be installed in conjunction with the following audit-related patch: * PHCO_10477 alarmd using too much CPU time. (700 or 800 CMW release 10.09) or * PHCO_10478 alarmd using too much CPU time. (700 or 800 CMW release 10.16)