auditd.conf: flush set to DATA or SYNC does nothing on many kernels?
Steve Grubb
sgrubb at redhat.com
Tue Oct 6 16:49:13 UTC 2015
On Tuesday, October 06, 2015 12:24:25 PM Cat Zimmermann wrote:
> Aren't the DATA and SYNC durability options required for CAPP compliance?
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-configuring_the_audit_service.html
Hmm. That page isn't exactly right. But it's in the ballpark. The
authoritative source is the Evaluated Configuration Guide (ECG). It says:
"If you want to ensure that auditd always forces a disk write for each record,
you MAY set the flush = SYNC option in /etc/audit/auditd.conf,"
So, in reality, it's a MAY and not a MUST.
> How serious is this bug, at least in your opinion?
I'd say this is a quality of implementation issue. The O_SYNC and O_DSYNC
options are supposed to help prevent data loss during an Oops or power
failure. Although that can't really be guaranteed either without specific
attention to file system selection, special mount options, specific disk
controller and hard drive cache power requirements (as in battery backed up).
I also don't have any real estimate on how many people might actually run
using the DATA/SYNC options. I assume that most people that use auditing need
to survive bursts and choose faster & risky disk flushing options rather than
slower & safe.
-Steve
> On Tue, Oct 6, 2015 at 11:40 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> > On Monday, October 05, 2015 05:43:01 PM Cat wrote:
> > > I believe auditd's flush configuration can only be set to INCREMENTAL to
> > > guarantee some form of log durability, while DATA or SYNC do nothing. Is
> > > this a known bug or did I misinterpret auditd.conf's man page?
> >
> > It has been a very long time (10 years?) since this code was looked at.
> > Reviewing current docs, I think you are right. I put a fix into git as
> > commit 1126. The short story is these are now turned into open flags
> > instead of fcntl.
> >
> > -Steve
> >
> > > In audit-event.c: in open_audit_log():
> > > fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor,
> > > but O_SYNC (and O_DSYNC) are ignored by F_SETFL
> > >
> > > You can check this in the kernel at
> > > fs/fcntl.c:
> > > #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
> > >
> > > The fcntl() man page also indicates this expected behavior.
> > >
> > > I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
> > > 14.04.03 and I believe I've reproduced the problem on both
> > > distributions.
> > >
> > > Thanks,
> > > Cat
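The F_SETFL behaviour discussed in this thread can be reproduced directly. The probe below is an added example, not auditd's own code and not the fix from the audit git commit mentioned above; it assumes Linux (where fs/fcntl.c masks F_SETFL with SETFL_MASK) and a writable /tmp. It applies the pre-fix pattern (fcntl(F_SETFL, O_SYNC) on an already-open fd) and the post-fix pattern (O_SYNC/O_DSYNC passed to open(2)) to a constructed temporary file, then reads the flags back with F_GETFL to see which ones the kernel actually kept.

```c
/* Added example (not auditd's code): show that fcntl(F_SETFL) silently
 * drops O_SYNC/O_DSYNC, while passing them to open(2) works.
 * Assumes Linux: the kernel's SETFL_MASK in fs/fcntl.c whitelists only
 * O_APPEND, O_NONBLOCK, O_NDELAY, O_DIRECT and O_NOATIME, so a flag set
 * after open never reaches the file. Assumes /tmp is writable. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if every bit of `flag` is visible via F_GETFL on fd, 0 if not, -1 on error. */
static int flag_is_set(int fd, int flag)
{
    int fl = fcntl(fd, F_GETFL);
    if (fl == -1)
        return -1;
    return (fl & flag) == flag;
}

/* Pre-fix pattern: try to add `flag` to an already-open descriptor.
 * fcntl() reports success, but the kernel masks the flag away. */
static int set_after_open(int fd, int flag)
{
    int fl = fcntl(fd, F_GETFL);
    if (fl == -1)
        return -1;
    if (fcntl(fd, F_SETFL, fl | flag) == -1)
        return -1;
    return flag_is_set(fd, flag);
}

/* Post-fix pattern: request `flag` in the open(2) call itself. */
static int set_at_open(const char *path, int flag)
{
    int fd = open(path, O_WRONLY | O_APPEND | flag);
    if (fd == -1)
        return -1;
    int r = flag_is_set(fd, flag);
    close(fd);
    return r;
}

/* Runs both patterns for O_SYNC and O_DSYNC on a throw-away file.
 * Returns a bitmask: bit0/bit1 = F_SETFL made O_SYNC/O_DSYNC stick,
 * bit2/bit3 = open() made O_SYNC/O_DSYNC stick; -1 on a syscall error.
 * On Linux the expected result is 0xC: only the open() flags survive. */
int probe_sync_flags(void)
{
    char path[] = "/tmp/flush-probe-XXXXXX";   /* constructed temp "log" */
    int fd = mkstemp(path);
    if (fd == -1)
        return -1;
    int r = 0, v;
    if ((v = set_after_open(fd, O_SYNC)) < 0)  goto fail;  r |= v << 0;
    if ((v = set_after_open(fd, O_DSYNC)) < 0) goto fail;  r |= v << 1;
    if ((v = set_at_open(path, O_SYNC)) < 0)   goto fail;  r |= v << 2;
    if ((v = set_at_open(path, O_DSYNC)) < 0)  goto fail;  r |= v << 3;
    close(fd);
    unlink(path);
    return r;
fail:
    close(fd);
    unlink(path);
    return -1;
}

int main(void)
{
    int r = probe_sync_flags();
    if (r < 0) {
        perror("probe_sync_flags");
        return 1;
    }
    printf("F_SETFL kept O_SYNC: %d, O_DSYNC: %d\n", r & 1, (r >> 1) & 1);
    printf("open()  kept O_SYNC: %d, O_DSYNC: %d\n", (r >> 2) & 1, (r >> 3) & 1);
    return 0;
}
```

On a Linux box this prints 0/0 for the F_SETFL row and 1/1 for the open() row, which is the behaviour the thread describes: with the old code, flush = DATA or SYNC left the log descriptor without any synchronous-write flag, so a crash could lose records the daemon had already "written". Note that even with O_SYNC at open time, durability still depends on the filesystem, mount options and drive write cache, as Steve points out above.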
More information about the Linux-audit mailing list