From: Steve Grubb
Subject: Re: auditd.conf: flush set to DATA or SYNC does nothing on many kernels?
Date: Tue, 06 Oct 2015 11:40:15 -0400
Message-ID: <1667761.dTStLhEy9c@x2>
To: linux-audit@redhat.com
Cc: Cat
List-Id: linux-audit@redhat.com

On Monday, October 05, 2015 05:43:01 PM Cat wrote:
> I believe auditd's flush configuration can only be set to INCREMENTAL to
> guarantee some form of log durability, while DATA or SYNC do nothing. Is
> this a known bug or did I misinterpret auditd.conf's man page?

It has been a very long time (10 years?) since this code was looked at.
Reviewing current docs, I think you are right. I put a fix into git as commit
1126. The short story is these are now turned into open flags instead of fcntl.

-Steve

> In audit-event.c: in open_audit_log():
> fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor,
> but O_SYNC (and O_DSYNC) are ignored by F_SETFL
>
> You can check this in the kernel at
> fs/fcntl.c:
> #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
>
> The fcntl() man page also indicates this expected behavior.
>
> I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
> 14.04.03 and I believe I've reproduced the problem on both distributions.
>
> Thanks,
> Cat
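The behaviour discussed in this thread can be checked on a Linux host by reading the file status flags back with F_GETFL after each way of requesting O_SYNC. This is an added example, not code from the audit project or from either poster; the function name `osync_in_effect` and the scratch path under /tmp are assumptions made for the demo.

```c
/* Linux demo: does O_SYNC take effect via fcntl(F_SETFL) or only via open()? */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Opens a scratch file and reports whether O_SYNC ends up in the file
 * status flags. at_open != 0: pass O_SYNC to open(). at_open == 0: open
 * first, then request O_SYNC with fcntl(F_SETFL), the older pattern
 * discussed in the thread. Returns 1 if set, 0 if not, -1 on error.
 */
int osync_in_effect(int at_open)
{
    char path[] = "/tmp/flushdemoXXXXXX";   /* scratch path, demo only */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);

    fd = open(path, O_WRONLY | O_APPEND | (at_open ? O_SYNC : 0));
    if (fd < 0) {
        unlink(path);
        return -1;
    }

    int result = -1;
    int fl = fcntl(fd, F_GETFL);
    /* F_SETFL returns success even though it drops O_SYNC/O_DSYNC. */
    if (fl >= 0 && (at_open || fcntl(fd, F_SETFL, fl | O_SYNC) == 0)) {
        fl = fcntl(fd, F_GETFL);            /* read back what the kernel kept */
        if (fl >= 0)
            result = (fl & O_SYNC) == O_SYNC;
    }
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    printf("O_SYNC after fcntl(F_SETFL): %d\n", osync_in_effect(0));
    printf("O_SYNC passed to open():     %d\n", osync_in_effect(1));
    return 0;
}
```

Because the fcntl() call reports success in both cases, a readback like this is the only way a daemon can tell at runtime whether its synchronous-write setting actually applied.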