COMMAND

    kernel

SYSTEMS AFFECTED

    HP-UX 10.16, 10.24 series 800. This means the Virtual Vault
    Operating System (VVOS) on HP 9000 Series 7/800 and the Trusted
    Operating System (CMW) on the Series 700.

PROBLEM

    Under certain conditions, the amount of audit data that the kernel
    gathers from applications submitting audit records can exceed the
    configured limit for a period of time.

    The configured limit is a value, for example, 32K bytes, against
    which applications are measured before they submit audit records.
    When the limit is reached, applications will be suspended briefly
    by the kernel until the system's audit daemon has extracted the
    audit records already submitted by other applications and brought
    the amount of space used by audit records under the configured
    limit.

    Under periods of excessive load, the configured limit can be
    ignored, so that the amount of audit data held by the kernel for
    delivery to the audit daemon exceeds the configured limit. The
    kernel does *not* use a buffer to store data, so there is no
    chance of overflowing a fixed-size memory area. Instead, memory
    is dynamically allocated for each audit record. Thus, the result
    of exceeding the configured limit is that more memory is used by
    the kernel for audit record storage -- this memory is eventually
    returned to the kernel as a side effect of the audit daemon
    extracting the audit information.
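
    The following is an added illustration, not HP's kernel code and
    not a confirmed root cause: it models one way a limit that is
    checked before submission can be overshot by a burst, next to a
    form that reserves the bytes as part of the check. All names
    (audit_queue, burst_check_then_submit, burst_reserve,
    daemon_extract) and the burst sizes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the audit limit; not HP-UX kernel code. */
struct audit_queue {
    size_t pending;    /* bytes of audit records held for the daemon */
    size_t limit;      /* configured limit, e.g. 32K bytes */
    size_t suspended;  /* submitters made to wait for the daemon */
};

/* Assumed weak form: each submitter in a burst is measured against the
 * limit first; the records are accounted only after all checks ran. */
size_t burst_check_then_submit(struct audit_queue *q, size_t n, size_t rec)
{
    size_t admitted = 0;
    for (size_t i = 0; i < n; i++) {
        if (q->pending < q->limit)
            admitted++;            /* every check sees the same stale total */
        else
            q->suspended++;
    }
    q->pending += admitted * rec;  /* memory is allocated per record */
    return q->pending;
}

/* Stricter form: the check and the reservation are a single step, so the
 * total held never passes the limit; the rest of the burst is suspended. */
size_t burst_reserve(struct audit_queue *q, size_t n, size_t rec)
{
    for (size_t i = 0; i < n; i++) {
        if (q->pending <= q->limit && rec <= q->limit - q->pending)
            q->pending += rec;
        else
            q->suspended++;
    }
    return q->pending;
}

/* Audit daemon extracting records: the memory goes back to the kernel. */
size_t daemon_extract(struct audit_queue *q, size_t bytes)
{
    q->pending -= bytes < q->pending ? bytes : q->pending;
    return q->pending;
}

int main(void)
{
    struct audit_queue weak = {0, 32 * 1024, 0}, strict = {0, 32 * 1024, 0};
    size_t w = burst_check_then_submit(&weak, 16, 4096);  /* constructed burst */
    size_t s = burst_reserve(&strict, 16, 4096);
    printf("check-then-submit holds %zu bytes; reserve holds %zu, %zu suspended\n",
           w, s, strict.suspended);
    return 0;
}
```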

    The audit system in the affected releases is governed partially by
    audit configuration parameters established by the system's
    administrative staff. The programs that affect the audit
    configuration can only be executed by authorized individuals. The
    audit configuration is stored in each system's filesystem -- the
    files are protected both with Discretionary Access Control (i.e.,
    the permission/mode bits of a file) and Mandatory Access Control
    (MAC). Together, these mechanisms are sufficient to protect the
    information from being compromised.

SOLUTION

    You can get patch files:

        /usr/conf/lib/libsec.a(sec_audit.o)
        /usr/conf/lib/libsec.a(audit_dev.o)

    The patch name is PHKL_10406 and equivalent patches are:

        PHKL_10407:
        s700: 10.24