Kernel crash on RHEL5, SLES 10 or 11, when SCSP RT-FIM or IPS drivers are loaded and Linux auditing is enabled with rules applied.

Article ID: 157888

Products

Critical System Protection

Issue/Introduction

A Linux kernel bug in the Linux Auditing subsystem on RedHat Enterprise Linux 5 and SuSE Linux Enterprise Server 10 and 11 can result in a kernel crash when either SCSP driver (RT-FIM or IPS) is loaded on the system.

Cause

The risk of running into this issue exists under the following conditions:

1) Running RHEL5 or SLES 10 or 11

2) Linux Audit subsystem enabled with rules (check with auditctl -l and auditctl -s)

3) SCSP RT-FIM or IPS drivers loaded

Note: Having the IDS filewatch rules applied to the RT-FIM driver and/or IPS policies increases the risk of exposure to the bug.
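To check whether a host meets all three conditions, the following script is an added example and is not part of the original article or the product. It assumes the usual output formats of auditctl -s, auditctl -l and lsmod, and SCSP_MODULE_PATTERN is a placeholder because the article does not name the driver kernel modules.

```shell
#!/bin/sh
# Added example: checks the three conditions from the Cause section.
# Each helper reads captured command output on stdin.

# ASSUMPTION: placeholder. Set to an egrep pattern for the SCSP RT-FIM/IPS
# kernel module names on your hosts; the article does not name them.
SCSP_MODULE_PATTERN="${SCSP_MODULE_PATTERN:-REPLACE_WITH_SCSP_MODULE_NAMES}"

# Condition 1: release string is RHEL 5 or SLES 10/11.
os_affected() {
    grep -Eqi 'Red Hat Enterprise Linux.* release 5([. ]|$)|SUSE Linux Enterprise Server 1[01]([ .]|$)'
}

# Condition 2a: "auditctl -s" shows auditing on. Older builds print
# "enabled=1", newer ones "enabled 1"; 2 means enabled and locked.
audit_enabled() {
    grep -Eq '(^|[[:space:]])enabled[= ][12]([[:space:]]|$)'
}

# Condition 2b: "auditctl -l" lists at least one rule ("No rules" = none).
audit_has_rules() {
    grep -v '^[[:space:]]*$' | grep -qv '^No rules'
}

# Condition 3: an SCSP driver appears in the first column of lsmod output.
scsp_driver_loaded() {
    awk '{print $1}' | grep -Eq "^(${SCSP_MODULE_PATTERN})\$"
}

# Exposed only when all conditions hold.
# Args: release text, auditctl -s output, auditctl -l output, lsmod output.
exposed() {
    printf '%s\n' "$1" | os_affected &&
    printf '%s\n' "$2" | audit_enabled &&
    printf '%s\n' "$3" | audit_has_rules &&
    printf '%s\n' "$4" | scsp_driver_loaded
}

# Live check; run as root so auditctl can query the kernel.
check_host() {
    exposed "$(cat /etc/redhat-release /etc/SuSE-release 2>/dev/null)" \
            "$(auditctl -s 2>/dev/null)" "$(auditctl -l 2>/dev/null)" "$(lsmod)"
}

if [ "${1:-}" = "--live" ]; then
    if check_host; then echo "EXPOSED: all three conditions met"
    else echo "not exposed (or SCSP_MODULE_PATTERN not set)"; fi
fi
```

Run it with --live on the host after setting SCSP_MODULE_PATTERN; the helpers can also be fed saved command output collected from other systems.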

Resolution

The following options are available to avoid a crash:

A. Disable the Linux Audit subsystem and remove the audit rules

B. Disable the SCSP RT-FIM and IPS drivers

C. Upgrade to RHEL6

D. SCSP version 5.2 RU9 MP3 will also have an update to address this issue


Applies To

RedHat Enterprise Linux 5 and SuSE Linux Enterprise Server 10 and 11.

Note: RedHat has addressed this issue in RHEL6. The fix has not been made in RHEL5 or in any current version of the SLES kernel.