Kernel crash on RHEL5, SLES 10 or 11, when SCSP RT-FIM or IPS drivers are loaded and Linux auditing is enabled with rules applied.
Last Updated August 28, 2013
A Linux kernel bug in the Linux Auditing subsystem on RedHat Enterprise Linux 5 and SuSE Linux Enterprise Server 10 and 11 can result in a crash when either SCSP driver (RT-FIM or IPS) is loaded on the system.
The risk of running into this issue exists under the following conditions:
1) Running RHEL5 or SLES 10 or 11
2) Linux Audit subsystem enabled with rules (check with auditctl -l for the loaded rules and auditctl -s for the status)
3) SCSP RT-FIM or IPS drivers loaded
Note: Having the IDS filewatch rules applied to the RT-FIM driver and/or IPS policies increases the risk of exposure to the bug.
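The three conditions above can be checked together on a host. The following is an added example, not part of the original article or of SCSP: the function names are hypothetical, the sample strings used to exercise it are constructed, and the SCSP driver module names are not given in this article, so the module pattern is a parameter you must supply.

```shell
#!/bin/sh
# Added example: test the three exposure conditions from this article.
# Inputs are passed as text so the logic can be exercised offline.

# affected_os RELEASE_TEXT -> 0 for RHEL 5 or SLES 10/11
affected_os() {
    printf '%s\n' "$1" | grep -Eiq \
        'Red Hat Enterprise Linux.* release 5([. ]|$)|SUSE Linux Enterprise Server 1[01]([ .]|$)'
}

# audit_active STATUS_TEXT RULES_TEXT -> 0 if auditing is enabled with rules
audit_active() {
    # Older auditctl prints "AUDIT_STATUS: enabled=1 ..."; newer prints "enabled 1".
    # A value of 2 means enabled with the configuration locked.
    printf '%s\n' "$1" |
        grep -Eq '(^|[[:space:]])enabled[= ][12]([[:space:]]|$)' || return 1
    # "auditctl -l" prints "No rules" when the rule list is empty.
    [ -n "$2" ] || return 1
    if printf '%s\n' "$2" | grep -q '^No rules'; then return 1; fi
    return 0
}

# scsp_driver_loaded LSMOD_TEXT MODULE_REGEX -> 0 if a module name matches
scsp_driver_loaded() {
    # Skip the lsmod header line and compare only the module-name column.
    printf '%s\n' "$1" |
        awk -v re="$2" 'NR > 1 && $1 ~ re { found = 1 } END { exit !found }'
}

# exposed RELEASE STATUS RULES LSMOD MODULE_REGEX -> 0 if all conditions hold
exposed() {
    affected_os "$1" && audit_active "$2" "$3" && scsp_driver_loaded "$4" "$5"
}

# Live use (run as root): check_host 'REGEX_FOR_YOUR_SCSP_MODULES'
# The regex is a placeholder; take the module names from your installation.
check_host() {
    exposed "$(cat /etc/redhat-release /etc/SuSE-release 2>/dev/null)" \
            "$(auditctl -s 2>/dev/null)" "$(auditctl -l 2>/dev/null)" \
            "$(lsmod)" "$1"
}
```

A zero exit status from check_host means the host matches all three conditions and one of the options below should be applied.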
The following options are available to avoid a crash:
A. Disable the Linux Audit subsystem and remove the audit rules
B. Disable the SCSP RT-FIM and IPS drivers
C. Upgrade to RHEL6
D. SCSP version 5.2 RU9 MP3 will also have an update to address this issue
RedHat Enterprise Linux 5 and SuSE Linux Enterprise Server 10 and 11.
Note: RedHat has addressed this issue in RHEL6. The fix has not been made in RHEL5 or any current version of SLES kernel.
Imported Document ID: TECH204991