* auditd.conf: flush set to DATA or SYNC does nothing on many kernels?
@ 2015-10-05 21:43 Cat
2015-10-06 15:40 ` Steve Grubb
0 siblings, 1 reply; 4+ messages in thread
From: Cat @ 2015-10-05 21:43 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 732 bytes --]
Hello all,
I believe auditd's flush configuration can only be set to INCREMENTAL to
guarantee some form of log durability, while DATA or SYNC do nothing. Is
this is a known bug or did I misinterpret auditd.conf's man page?
In audit-event.c: in open_audit_log():
fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor,
but O_SYNC (and O_DSYNC) are ignored by F_SETFL
You can check this in the kernel at
fs/fcntl.c:
#define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
The fcntl() man page also indicates this expected behavior.
I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
14.04.03 and I believe I've reproduced the problem on both distributions.
Thanks,
Cat
[-- Attachment #1.2: Type: text/html, Size: 981 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: auditd.conf: flush set to DATA or SYNC does nothing on many kernels?
2015-10-05 21:43 auditd.conf: flush set to DATA or SYNC does nothing on many kernels? Cat
@ 2015-10-06 15:40 ` Steve Grubb
2015-10-06 16:24 ` Cat Zimmermann
0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2015-10-06 15:40 UTC (permalink / raw)
To: linux-audit; +Cc: Cat
On Monday, October 05, 2015 05:43:01 PM Cat wrote:
> I believe auditd's flush configuration can only be set to INCREMENTAL to
> guarantee some form of log durability, while DATA or SYNC do nothing. Is
> this is a known bug or did I misinterpret auditd.conf's man page?
It has been a very long time (10 years?) since this code was looked at.
Reviewing current docs, I think you are right. I put a fix into git as commit
1126. The short story is these are now turned into open flags instead of fcntl.
-Steve
> In audit-event.c: in open_audit_log():
> fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor,
> but O_SYNC (and O_DSYNC) are ignored by F_SETFL
>
> You can check this in the kernel at
> fs/fcntl.c:
> #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
>
> The fcntl() man page also indicates this expected behavior.
>
> I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
> 14.04.03 and I believe I've reproduced the problem on both distributions.
>
> Thanks,
> Cat
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: auditd.conf: flush set to DATA or SYNC does nothing on many kernels?
2015-10-06 15:40 ` Steve Grubb
@ 2015-10-06 16:24 ` Cat Zimmermann
2015-10-06 16:49 ` Steve Grubb
0 siblings, 1 reply; 4+ messages in thread
From: Cat Zimmermann @ 2015-10-06 16:24 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1448 bytes --]
Aren't the DATA and SYNC durability options required for CAPP compliance?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-configuring_the_audit_service.html
How serious is this bug, at least in your opinion?
Thanks,
Cat
On Tue, Oct 6, 2015 at 11:40 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Monday, October 05, 2015 05:43:01 PM Cat wrote:
> > I believe auditd's flush configuration can only be set to INCREMENTAL to
> > guarantee some form of log durability, while DATA or SYNC do nothing. Is
> > this is a known bug or did I misinterpret auditd.conf's man page?
>
> It has been a very long time (10 years?) since this code was looked at.
> Reviewing current docs, I think you are right. I put a fix into git as
> commit
> 1126. The short story is these are now turned into open flags instead of
> fcntl.
>
> -Steve
>
> > In audit-event.c: in open_audit_log():
> > fcntl(F_SETFL, O_SYNC) is called on the already open log's file
> descriptor,
> > but O_SYNC (and O_DSYNC) are ignored by F_SETFL
> >
> > You can check this in the kernel at
> > fs/fcntl.c:
> > #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT |
> O_NOATIME)
> >
> > The fcntl() man page also indicates this expected behavior.
> >
> > I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
> > 14.04.03 and I believe I've reproduced the problem on both distributions.
> >
> > Thanks,
> > Cat
>
>
[-- Attachment #1.2: Type: text/html, Size: 2249 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: auditd.conf: flush set to DATA or SYNC does nothing on many kernels?
2015-10-06 16:24 ` Cat Zimmermann
@ 2015-10-06 16:49 ` Steve Grubb
0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2015-10-06 16:49 UTC (permalink / raw)
To: Cat Zimmermann; +Cc: linux-audit
On Tuesday, October 06, 2015 12:24:25 PM Cat Zimmermann wrote:
> Aren't the DATA and SYNC durability options required for CAPP compliance?
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/htm
> l/Security_Guide/sec-configuring_the_audit_service.html
Hmm. That page isn't exactly right. But its in the ball park. The
authoritative source is the Evaluated Configuration Guide (ECG). It says:
"If you want to ensure that auditd always forces a disk write for each record,
you MAY set the flush = SYNC option in /etc/audit/auditd.conf,"
So, in reality, its a MAY and not a MUST.
> How serious is this bug, at least in your opinion?
I'd say this is a quality of implementation issue. The O_SYNC and O_DSYSNC
options are supposed to help prevent data loss during an Oops or power
failure. Although that can't really be guaranteed either without specific
attention to file system selection, special mount options, specific disk
controller and hard drive cache power requirements (as in battery backed up).
I also don't have any real estimate on how many people might actually run
using the DATA/SYNC options. I assume that most people that use auditing need
to survive bursts and choose faster & risky disk flushing options rather than
slower & safe.
-Steve
> On Tue, Oct 6, 2015 at 11:40 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, October 05, 2015 05:43:01 PM Cat wrote:
> > > I believe auditd's flush configuration can only be set to INCREMENTAL to
> > > guarantee some form of log durability, while DATA or SYNC do nothing. Is
> > > this is a known bug or did I misinterpret auditd.conf's man page?
> >
> > It has been a very long time (10 years?) since this code was looked at.
> > Reviewing current docs, I think you are right. I put a fix into git as
> > commit
> > 1126. The short story is these are now turned into open flags instead of
> > fcntl.
> >
> > -Steve
> >
> > > In audit-event.c: in open_audit_log():
> > > fcntl(F_SETFL, O_SYNC) is called on the already open log's file
> >
> > descriptor,
> >
> > > but O_SYNC (and O_DSYNC) are ignored by F_SETFL
> > >
> > > You can check this in the kernel at
> > > fs/fcntl.c:
> > > #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT |
> >
> > O_NOATIME)
> >
> > > The fcntl() man page also indicates this expected behavior.
> > >
> > > I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
> > > 14.04.03 and I believe I've reproduced the problem on both
> > > distributions.
> > >
> > > Thanks,
> > > Cat
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-10-06 16:49 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-05 21:43 auditd.conf: flush set to DATA or SYNC does nothing on many kernels? Cat
2015-10-06 15:40 ` Steve Grubb
2015-10-06 16:24 ` Cat Zimmermann
2015-10-06 16:49 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).