I'm missing what in auditd allows for continuation of a netlink packet
from the kernel. If the payload is larger than one packet, AFAICT the
whole thing is dropped. This could be used to hide activity I think.
Problem is this:
lib/netlink.c::adjust_reply()

    if (!NLMSG_OK(rep->nlh, (unsigned int)len))
        return 0;
If the payload spans audit_buffers, the first packet has the netlink
header, and subsequent packets don't. Also, the netlink header on the
first packet says the length is the full audit buffer, which could be
larger than the 1200-byte + header size that audit_get_reply() looks for.
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net
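As an added illustration of the point above (not code from the post or from auditd): NLMSG_OK() only answers "is a whole, well-formed message in this buffer", so a reply whose header announces more bytes than one read returned fails the check exactly like a corrupt one. The classifier below separates the two cases and a small reassembler keeps reading until the announced length is satisfied, so an oversized record is surfaced instead of silently dropped. It assumes Linux netlink headers; the 1200-byte limit and all buffer sizes are constructed values.

```c
/* Added example, not auditd's own code. Assumes <linux/netlink.h>. */
#include <stdint.h>
#include <string.h>
#include <linux/netlink.h>

enum reply_state { REPLY_COMPLETE, REPLY_NEEDS_MORE, REPLY_INVALID };

/* Classify one chunk read from the socket. NLMSG_OK() alone cannot tell
 * "more bytes still to come" from "header is garbage"; this can. */
enum reply_state classify_reply(const unsigned char *buf, size_t len)
{
    struct nlmsghdr h;
    if (len < NLMSG_HDRLEN)                 /* not even a full header */
        return REPLY_INVALID;
    memcpy(&h, buf, sizeof h);              /* copy: buf may be unaligned */
    if (h.nlmsg_len < NLMSG_HDRLEN)         /* header claims less than itself */
        return REPLY_INVALID;
    if (NLMSG_OK(&h, (unsigned int)len))    /* whole message has arrived */
        return REPLY_COMPLETE;
    return REPLY_NEEDS_MORE;                /* nlmsg_len > len: keep reading */
}

/* Append a chunk to 'out' and report how many bytes the header announced
 * are still outstanding (0 = complete, -1 = error). Only the first chunk
 * carries a netlink header; later chunks are raw payload, as the post says. */
long reassemble(unsigned char *out, size_t out_cap, size_t *have,
                const unsigned char *chunk, size_t clen)
{
    struct nlmsghdr h;
    if (*have + clen > out_cap)
        return -1;
    memcpy(out + *have, chunk, clen);
    *have += clen;
    if (*have < NLMSG_HDRLEN)
        return (long)(NLMSG_HDRLEN - *have);
    memcpy(&h, out, sizeof h);
    if (h.nlmsg_len < NLMSG_HDRLEN || h.nlmsg_len > out_cap)
        return -1;                          /* announced size is unusable */
    return *have >= h.nlmsg_len ? 0 : (long)(h.nlmsg_len - *have);
}

/* Write a constructed reply header announcing 'payload' bytes of data. */
void make_header(unsigned char *buf, uint32_t payload)
{
    struct nlmsghdr h;
    memset(&h, 0, sizeof h);
    h.nlmsg_len = NLMSG_LENGTH(payload);    /* header + payload length */
    memcpy(buf, &h, sizeof h);
}
```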