auditd.conf: flush set to DATA or SYNC does nothing on many kernels?
Cat
catzimmermann at gmail.com
Mon Oct 5 21:43:01 UTC 2015
Hello all,
I believe auditd's flush configuration can only be set to INCREMENTAL to
guarantee some form of log durability, while DATA or SYNC do nothing. Is
this is a known bug or did I misinterpret auditd.conf's man page?
In audit-event.c: in open_audit_log():
fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor,
but O_SYNC (and O_DSYNC) are ignored by F_SETFL
You can check this in the kernel at
fs/fcntl.c:
#define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
The fcntl() man page also indicates this expected behavior.
I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
14.04.03 and I believe I've reproduced the problem on both distributions.
Thanks,
Cat
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20151005/de9040ce/attachment.htm>
More information about the Linux-audit
mailing list