Patch Name: PHKL_28446 Patch Description: s700_800 11.11 audit subsystem cumulative patch Creation Date: 03/02/26 Post Date: 03/03/21 Hardware Platforms - OS Releases: s700: 11.11 s800: 11.11 Products: N/A Filesets: OS-Core.CORE-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP ProgSupport.C-INC,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP OS-Core.CORE2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP OS-Core.CORE2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP Automatic Reboot?: Yes Status: General Release Critical: Yes PHKL_28446: CORRUPTION PHKL_25351: PANIC Category Tags: defect_repair enhancement general_release critical panic corruption manual_dependencies Path Name: /hp-ux_patches/s700_800/11.X/PHKL_28446 Symptoms: PHKL_28446: ( SR:8606289486 CR:JAGae53417 ) audisp(1M) aborts with error message "bad audit record body" on certain audit trails. PHKL_27753: ( SR:8606274955 CR:JAGae39032 ) In trusted mode, ttrace(2) system call does not generate audit records. PHKL_25351: ( SR:8606214393 CR:JAGad83584 ) A panic due to a data page fault may occur when the acl(2) system call is being audited. Stack trace: panic+0x6c report_trap_or_int_and_panic+0x94 trap+0xed4 nokgdb+0x8 kmem_free2+0x24 rel_aud_mem+0x12c save_aud_data+0x10c0 syscall+0xb08 $syscallrtn+0x0 PHKL_24505: ( SR:8606204442 CR:JAGad73624 ) Enhancement to provide kernel auditing support for socket information greater than 16 bytes. IPv6 socket related system calls and unix sockets longer than 16 bytes can take advantage of this feature. Defect Description: PHKL_28446: ( SR:8606289486 CR:JAGae53417 ) Audit system calculates the length field incorrectly sometimes. Resolution: Audit system now calculates the length field correctly. PHKL_27753: ( SR:8606274955 CR:JAGae39032 ) The kernel audit subsystem does not have access to the ttrace(2) system call parameter information. Resolution: The kernel audit subsystem now has access to the ttrace(2) system call parameter information. PHKL_25351: ( SR:8606214393 CR:JAGad83584 ) The allocation and deallocation of memory for auditing the acl(2) system call are not consistent. Resolution: The allocation and deallocation of memory for auditing the acl(2) system call have been fixed to be consistent. PHKL_24505: ( SR:8606204442 CR:JAGad73624 ) The kernel is truncating all auditing socket information at 16 bytes. This affects both IPv6 and unix sockets. Resolution: The auditing subsystem is enhanced to generate complete information for IPv6 related system calls and unix sockets longer than 16 bytes. This change has no impact on IPv4 socket related system calls. Enhancement: No (superseded patches contained enhancements) PHKL_27753: Enhancements were delivered in a patch this one has superseded. Please review the Defect Description text for more information. SR: 8606204442 8606214393 8606274955 8606289486 Patch Files: OS-Core.CORE-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP: /usr/conf/sys/audit.h ProgSupport.C-INC,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP: /usr/include/sys/audit.h OS-Core.CORE2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP: /usr/conf/lib/libaudit.a(audit.o) OS-Core.CORE2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP: /usr/conf/lib/libaudit.a(audit.o) what(1) Output: OS-Core.CORE-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP: /usr/conf/sys/audit.h: audit.h $Date: 2001/06/22 16:25:15 $Revision: r11.11 /1 PATCH_11.11 (PHKL_24505) ProgSupport.C-INC,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP: /usr/include/sys/audit.h: audit.h $Date: 2001/06/22 16:25:15 $Revision: r11.11 /1 PATCH_11.11 (PHKL_24505) OS-Core.CORE2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP: /usr/conf/lib/libaudit.a(audit.o): audit.c $Date: 2003/01/14 19:58:47 $Revision: r11.11 /4 PATCH_11.11 (PHKL_28446) OS-Core.CORE2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP: /usr/conf/lib/libaudit.a(audit.o): audit.c $Date: 2003/01/14 19:58:47 $Revision: r11.11 /4 PATCH_11.11 (PHKL_28446) cksum(1) Output: OS-Core.CORE-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP: 1325042921 16461 /usr/conf/sys/audit.h ProgSupport.C-INC,fr=B.11.11,fa=HP-UX_B.11.11_32/64,v=HP: 1325042921 16461 /usr/include/sys/audit.h OS-Core.CORE2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_32,v=HP: 349150253 17596 /usr/conf/lib/libaudit.a(audit.o) OS-Core.CORE2-KRN,fr=B.11.11,fa=HP-UX_B.11.11_64,v=HP: 2103296933 29456 /usr/conf/lib/libaudit.a(audit.o) Patch Conflicts: None Patch Dependencies: None Hardware Dependencies: None Other Dependencies: PHKL_24505: audisp patch PHCO_24504 is required to interpret additional data for IPv6 and longer unix sockets. Supersedes: PHKL_27753 PHKL_25351 PHKL_24505 Equivalent Patches: None Patch Package Size: 120 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHKL_28446 5. Run swinstall to install the patch: swinstall -x autoreboot=true -x patch_match_target=true \ -s /tmp/PHKL_28446.depot By default swinstall will archive the original software in /var/adm/sw/save/PHKL_28446. If you do not wish to retain a copy of the original software, include the patch_save_files option in the swinstall command above: -x patch_save_files=false WARNING: If patch_save_files is false when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. For future reference, the contents of the PHKL_28446.text file is available in the product readme: swlist -l product -a readme -d @ /tmp/PHKL_28446.depot To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHKL_28446.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: None