* Steve Grubb (sgrubb(a)redhat.com) wrote:
> On Friday 29 April 2005 15:26, Chris Wright wrote:
> > I'm missing what in auditd allows for continuation of a netlink packet
> > from the kernel.
> Nothing does. This was one of my concerns back in December and I even started
> putting code in place to allow multiple packets. It was discussed and I was
> told we aren't sending continuations.
We are (in theory, not sure about practice). Say an exe path of > 990
bytes, or any payload of that size. Kernel has this interesting notion of
fragmentation. I'm not very fond of it.
> Show me how to produce the problem and I'll fix it.
Do an audit_log_format("%s", buffer that's > 998 bytes) in the kernel.
You should get two fragments, and auditd drops them both. For the second,
I'm suspecting it's pure luck, because NLMSG_OK() is looking at audit
data as a netlink header. That data could happen to have a value in the
byte stream that corresponds to nlmsg_len <= 1200, and get printed, but
the first half will certainly be dropped.
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net
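The receive-side check Chris describes, as an added example that is not code from this thread, the kernel or auditd: a receiver that trusts NLMSG_OK() alone, fed a payload that fits in one datagram, one that is split at 990 bytes (both fragments dropped), and one whose second fragment happens to start with bytes that decode to a small nlmsg_len. The netlink header is redefined here so it builds without kernel headers; the two-fragment model (header announcing the full length, continuation sent as bare text), the 990/1200 sizes, the nlmsg_type value and all payloads are assumptions or constructed data.

```c
#include <stdint.h>
#include <string.h>
/* Header layout and NLMSG_OK() copied from Linux so no kernel headers are needed. */
struct nlmsghdr {
    uint32_t nlmsg_len;                /* total length, header included */
    uint16_t nlmsg_type, nlmsg_flags;
    uint32_t nlmsg_seq, nlmsg_pid;
};
#define HDR ((int)sizeof(struct nlmsghdr))
#define NLMSG_OK(nlh, len) ((len) >= HDR && (nlh)->nlmsg_len >= (uint32_t)HDR && \
                            (nlh)->nlmsg_len <= (uint32_t)(len))
#define MAX_RECV 1200  /* receiver's buffer; longer datagrams are truncated */
#define MAX_FRAG  990  /* payload bytes per fragment (assumed, from the thread) */

/* A receiver that trusts NLMSG_OK() alone: 1 = keeps the datagram, 0 = drops it. */
int receiver_accepts(const unsigned char *dgram, int len)
{
    struct nlmsghdr h;
    if (len > MAX_RECV) len = MAX_RECV;
    if (len < HDR) return 0;
    memcpy(&h, dgram, sizeof h);       /* copy out: no unaligned reads */
    return NLMSG_OK(&h, len) ? 1 : 0;
}

/* Deliver a payload per the assumed model: one datagram if it fits, otherwise a
 * first fragment whose header announces the full length plus a second fragment
 * of bare payload with no header. Returns how many datagrams the receiver keeps. */
int fragments_accepted(const unsigned char *payload, int plen)
{
    unsigned char dgram[HDR + MAX_FRAG];
    struct nlmsghdr h = { (uint32_t)(HDR + plen), 1 /* constructed type */, 0, 1, 0 };
    int first = plen < MAX_FRAG ? plen : MAX_FRAG, kept;
    memcpy(dgram, &h, sizeof h);
    memcpy(dgram + HDR, payload, (size_t)first);
    kept = receiver_accepts(dgram, HDR + first);
    if (plen > MAX_FRAG)               /* continuation: audit text, no header */
        kept += receiver_accepts(payload + MAX_FRAG, plen - MAX_FRAG);
    return kept;
}

/* Scenario: plen bytes of ASCII audit text. With plant set, the four bytes that
 * begin the second fragment become a host-order uint32 of 32, which NLMSG_OK()
 * happens to accept as nlmsg_len. Returns the number of fragments kept. */
int run_scenario(int plen, int plant)
{
    unsigned char payload[4096];
    uint32_t fake_len = 32;
    if (plen < 0 || plen > (int)sizeof payload) return -1;
    memset(payload, 'A', (size_t)plen);
    if (plant && plen >= MAX_FRAG + 4)
        memcpy(payload + MAX_FRAG, &fake_len, sizeof fake_len);
    return fragments_accepted(payload, plen);
}
```

A receiver that must not be fooled by the lucky case needs more than NLMSG_OK(): at minimum a check that nlmsg_type is one it expects and that nlmsg_len matches the bytes actually received.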