auditd.conf: flush set to DATA or SYNC does nothing on many kernels?

Steve Grubb sgrubb at redhat.com
Tue Oct 6 15:40:15 UTC 2015


On Monday, October 05, 2015 05:43:01 PM Cat wrote:
> I believe auditd's flush configuration can only be set to INCREMENTAL to
> guarantee some form of log durability, while DATA or SYNC do nothing. Is
> this a known bug or did I misinterpret auditd.conf's man page?

It has been a very long time (10 years?) since this code was looked at. 
Reviewing current docs, I think you are right. I put a fix into git as commit 
1126. The short story is these are now turned into open flags instead of fcntl.

-Steve
 
> In audit-event.c: in open_audit_log():
> fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor,
> but O_SYNC (and O_DSYNC) are ignored by F_SETFL
> 
> You can check this in the kernel at
> fs/fcntl.c:
> #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
> 
> The fcntl() man page also indicates this expected behavior.
> 
> I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
> 14.04.03 and I believe I've reproduced the problem on both distributions.
> 
> Thanks,
> Cat
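
The behaviour discussed in this thread, as an added example (not code from the audit project or from either poster): on Linux, `F_SETFL` reports success while leaving `O_SYNC` unset, whereas passing the flag to `open()` takes effect. The function names and the scratch file path are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if O_SYNC is in fd's file status flags, 0 if not, -1 on error. */
static int has_osync(int fd) {
    int fl = fcntl(fd, F_GETFL);
    return fl < 0 ? -1 : (fl & O_SYNC) == O_SYNC;
}

/* Pattern from the report: open first, then request O_SYNC via F_SETFL. */
int osync_via_setfl(const char *path) {
    int r = -1, fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0) return -1;
    int fl = fcntl(fd, F_GETFL);
    /* On Linux this call returns 0 although O_SYNC is not in SETFL_MASK. */
    if (fl >= 0 && fcntl(fd, F_SETFL, fl | O_SYNC) == 0)
        r = has_osync(fd);
    close(fd);
    return r;
}

/* Pattern described in the reply: pass the sync flag to open() itself. */
int osync_via_open(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_SYNC);
    if (fd < 0) return -1;
    int r = has_osync(fd);
    close(fd);
    return r;
}

/* Runs one variant on a scratch file (constructed path, not auditd's log). */
int run_demo(int at_open) {
    char path[] = "/tmp/osync_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    int r = at_open ? osync_via_open(path) : osync_via_setfl(path);
    unlink(path);
    return r;
}

int main(void) {
    printf("F_SETFL: %d, open(): %d\n", run_demo(0), run_demo(1));
    return 0;
}
```

Reading the flags back with `F_GETFL` after configuring a log descriptor is a cheap way to confirm that a durability setting was actually applied.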



