From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Cat <catzimmermann@gmail.com>
Subject: Re: auditd.conf: flush set to DATA or SYNC does nothing on many kernels?
Date: Tue, 06 Oct 2015 11:40:15 -0400
Message-ID: <1667761.dTStLhEy9c@x2>
In-Reply-To: <CAMOEXxYsUJUiq2bUKnJgXTifMn9GmtzUUp+TUo-kNGjdXVjtfQ@mail.gmail.com>
On Monday, October 05, 2015 05:43:01 PM Cat wrote:
> I believe auditd's flush configuration can only be set to INCREMENTAL to
> guarantee some form of log durability, while DATA or SYNC do nothing. Is
> this a known bug or did I misinterpret auditd.conf's man page?
It has been a very long time (10 years?) since this code was looked at.
Reviewing current docs, I think you are right. I put a fix into git as commit
1126. The short story is these are now turned into open flags instead of fcntl.
-Steve
> In audit-event.c: in open_audit_log():
> fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor,
> but O_SYNC (and O_DSYNC) are ignored by F_SETFL
>
> You can check this in the kernel at
> fs/fcntl.c:
> #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
>
> The fcntl() man page also indicates this expected behavior.
>
> I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
> 14.04.03 and I believe I've reproduced the problem on both distributions.
>
> Thanks,
> Cat
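
The behaviour discussed in this message can be checked from user space. The following is an added example, not code from the audit source tree: it assumes Linux, and the function names and temp-file path are hypothetical. It compares requesting O_SYNC/O_DSYNC through fcntl(F_SETFL) on an open descriptor with passing the same flag to open(), using O_APPEND (which is in SETFL_MASK) as a control.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if every bit of `flag` is in the descriptor's status flags, 0 if not, -1 on error. */
static int flag_set(int fd, int flag)
{
    int fl = fcntl(fd, F_GETFL);
    return fl < 0 ? -1 : (fl & flag) == flag;
}

/* Request `flag` after the file is already open, via F_SETFL. */
int flag_after_fcntl(int flag)
{
    char path[] = "/tmp/flushdemoXXXXXX";      /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    int fl = fcntl(fd, F_GETFL);
    /* Returns 0 (success) even when the kernel masks the flag out. */
    int rc = (fl < 0) ? -1 : fcntl(fd, F_SETFL, fl | flag);
    int on = (rc < 0) ? -1 : flag_set(fd, flag);
    close(fd);
    return on;
}

/* Request `flag` at open() time. */
int flag_at_open(int flag)
{
    char path[] = "/tmp/flushdemoXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    fd = open(path, O_WRONLY | O_APPEND | flag);
    unlink(path);
    if (fd < 0) return -1;
    int on = flag_set(fd, flag);
    close(fd);
    return on;
}

int main(void)
{
    printf("F_SETFL O_SYNC   -> %d\n", flag_after_fcntl(O_SYNC));
    printf("F_SETFL O_DSYNC  -> %d\n", flag_after_fcntl(O_DSYNC));
    printf("F_SETFL O_APPEND -> %d (control)\n", flag_after_fcntl(O_APPEND));
    printf("open()  O_SYNC   -> %d\n", flag_at_open(O_SYNC));
    printf("open()  O_DSYNC  -> %d\n", flag_at_open(O_DSYNC));
    return 0;
}
```

Because F_SETFL reports success while dropping the flag, checking its return value is not enough; reading the flags back with F_GETFL is what reveals whether synchronous writes are actually in effect.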