auditd netlink headers
Chris Wright
chrisw at osdl.org
Fri Apr 29 19:41:04 UTC 2005
* Steve Grubb (sgrubb at redhat.com) wrote:
> On Friday 29 April 2005 15:26, Chris Wright wrote:
> > I'm missing what in auditd allows for continuation of a netlink packet
> > from the kernel.
>
> Nothing does. This was one of my concerns back in December and I even started
> putting code in place to allow multiple packets. It was discussed and I was
> told we aren't sending continuations.
We are (in theory, not sure about practice). Say an exe path of > 990
bytes, or any payload of that size. Kernel has this interesting notion of
fragmentation. I'm not very fond of it.
> Show me how to produce the problem and I'll fix it.
Do an audit_log_format("%s", buffer that's > 998 bytes) in the kernel.
You should get two fragments, and auditd drops them both. The second,
I'm suspecting, is pure luck because NLMSG_OK() is looking at audit
data as a netlink header. That data could happen to have a value in the
byte stream that corresponds to nlmsg_len <= 1200, and get printed, but
the first half will certainly be dropped.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
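The fragmentation case under discussion, as an added example that is not auditd or kernel code: a receive buffer holding two back-to-back netlink messages (constructed here; the fragment strings and the record type value are placeholders, not real audit record layouts) is walked once correctly with NLMSG_OK()/NLMSG_NEXT(), once by a consumer that assumes one message per read, and finally NLMSG_OK() is applied to a pointer that lands inside payload bytes, which is the false-positive scenario described above. The fallback macro definitions are only for building on hosts without <linux/netlink.h> and mirror the kernel's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <linux/netlink.h>
#else
/* Stand-ins matching the <linux/netlink.h> definitions, for non-Linux builds. */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
                  uint32_t nlmsg_seq; uint32_t nlmsg_pid; };
#define NLMSG_ALIGNTO 4U
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN ((int)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
#define NLMSG_LENGTH(len) ((len) + NLMSG_HDRLEN)
#define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len))
#define NLMSG_DATA(nlh) ((void *)(((char *)(nlh)) + NLMSG_HDRLEN))
#define NLMSG_NEXT(nlh, len) ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \
    (struct nlmsghdr *)(((char *)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len)))
#define NLMSG_OK(nlh, len) ((len) >= (int)sizeof(struct nlmsghdr) && \
    (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && (nlh)->nlmsg_len <= (len))
#endif

#define MSG_TYPE 1300U   /* placeholder record type for this example (assumption) */
#define BUFSZ 4096

/* Constructed sample: two fragments of one over-long record, queued back to back.
 * FRAG1 is 21 bytes so the first message needs alignment padding. */
static const char FRAG1[] = "exe=\"/very/long/path/";
static const char FRAG2[] = "to/binary\" pid=4242";

/* Append one netlink message at buf+off; returns the aligned space consumed. */
static size_t put_msg(unsigned char *buf, size_t off, uint32_t seq,
                      const char *payload, size_t plen)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)(buf + off);
    memset(nlh, 0, NLMSG_SPACE(plen));
    nlh->nlmsg_len = NLMSG_LENGTH(plen);
    nlh->nlmsg_type = MSG_TYPE;
    nlh->nlmsg_seq = seq;
    memcpy(NLMSG_DATA(nlh), payload, plen);
    return NLMSG_SPACE(plen);
}

/* Fill buf as if a single recv() returned both fragments; returns the byte count. */
int build_sample(unsigned char *buf)
{
    size_t off = 0;
    off += put_msg(buf, off, 7, FRAG1, strlen(FRAG1));
    off += put_msg(buf, off, 7, FRAG2, strlen(FRAG2));
    return (int)off;
}

/* Correct consumer: validate each header against the remaining length with
 * NLMSG_OK, advance by the aligned length with NLMSG_NEXT, and concatenate the
 * payloads (a real consumer would also key on nlmsg_seq). Returns the number of
 * messages consumed, or -1 if the buffer does not end on a message boundary. */
int reassemble(unsigned char *buf, int len, char *out, size_t outsz, size_t *outlen)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    int count = 0;
    *outlen = 0;
    for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        size_t plen = nlh->nlmsg_len - NLMSG_HDRLEN;
        if (*outlen + plen + 1 > outsz)
            return -1;                           /* record exceeds our buffer */
        memcpy(out + *outlen, NLMSG_DATA(nlh), plen);
        *outlen += plen;
        count++;
    }
    out[*outlen] = '\0';
    return len > 0 ? -1 : count;                 /* leftover bytes: bad header */
}

/* Consumer with no continuation handling: takes the first message only.
 * Returns the number of bytes it silently ignores (the whole second fragment). */
int naive_one_message(unsigned char *buf, int len, char *out, size_t outsz)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    if (!NLMSG_OK(nlh, len) || outsz <= nlh->nlmsg_len)
        return -1;
    size_t plen = nlh->nlmsg_len - NLMSG_HDRLEN;
    memcpy(out, NLMSG_DATA(nlh), plen);
    out[plen] = '\0';
    return len - (int)NLMSG_ALIGN(nlh->nlmsg_len);
}

/* NLMSG_OK applied to payload bytes: four bytes that happen to decode as a
 * small host-order nlmsg_len pass the check. The payload here is constructed
 * to contain such bytes. Returns 1 when the data is accepted as a header. */
int header_false_positive(void)
{
    uint32_t raw[16];                            /* 64 bytes, 4-byte aligned */
    uint32_t fake_len = 24;                      /* plausible nlmsg_len value */
    memset(raw, 'A', sizeof raw);
    memcpy(raw, &fake_len, sizeof fake_len);
    struct nlmsghdr *nlh = (struct nlmsghdr *)raw;
    int len = (int)sizeof raw;
    return NLMSG_OK(nlh, len) ? 1 : 0;
}

int main(void)
{
    unsigned char buf[BUFSZ];
    char out[512];
    size_t n;
    int len = build_sample(buf);
    printf("reassembled %d messages: %s (%zu bytes)\n",
           reassemble(buf, len, out, sizeof out, &n), out, n);
    printf("naive consumer dropped %d bytes, kept: %s\n",
           naive_one_message(buf, len, out, sizeof out), out);
    printf("payload passes NLMSG_OK: %d\n", header_false_positive());
    return 0;
}
```

The check worth taking away is the loop shape: every header is validated against the bytes actually remaining, the walk advances by NLMSG_ALIGN(nlmsg_len) rather than by the raw length, and anything left over after the loop is treated as an error instead of being parsed as a header.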