You have recently installed Symantec Data Center Security Server Advanced 6.x or Symantec Critical System Protection 5.2.9 agents on various UNIX-type systems. The systems are unstable and crash when the IPS driver is loaded, with or without an IPS policy applied. In addition, and specific to this article and solution, the UNIX system has the Centrify DirectAudit auditing package installed.
Symantec Data Center Security Server Advanced 6.x
Symantec Critical System Protection 5.2.9
Centrify DirectAudit 5.2
Linux, Solaris, AIX
No specific error message is recorded by the CSP or DCS agent; however, the operating system freezes, hangs and/or stops with a kernel panic.
Dump analysis showed that the system crash occurred when dereferencing an object in one of the process objects maintained by the SISIPS kernel module. This crash occurred under low memory conditions. On the impacted Linux servers, the Bash.daudit (Centrify DirectAudit) process's behavior of switching between multiple users triggered a buffer overrun in the SISIPS kernel module's Root Accountability feature implementation, leading to the crash.
Hot fixes have been and are being released.
RHEL6 & SLES11 => 6.5 MP1 HF10 (220.127.116.110)
Solaris 10 => 6.5 MP1 HF10 (18.104.22.1681)
AIX 6 => 6.5 MP1 HF10 (22.214.171.1241)
RHEL5 & SLES10 => CSP 5.2.9 MP6 HF5 (126.96.36.1997)
The RHEL5 & SLES10 hotfix is attached to this technote.
Please contact your local technical support representative and refer to this technote to obtain the hotfix for the other platforms.