linux-audit.redhat.com archive mirror
From: Steve Grubb <sgrubb@redhat.com>
To: Cat Zimmermann <catzimmermann@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: auditd.conf: flush set to DATA or SYNC does nothing on many kernels?
Date: Tue, 06 Oct 2015 12:49:13 -0400
Message-ID: <3014022.MRfjnZnCJF@x2>
In-Reply-To: <CAMOEXxZNPBCAkO_2MQfApx_rdV3aqP72yMXpFzCk-_W3OFge1g@mail.gmail.com>

On Tuesday, October 06, 2015 12:24:25 PM Cat Zimmermann wrote:
> Aren't the DATA and SYNC durability options required for CAPP compliance?
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-configuring_the_audit_service.html

Hmm. That page isn't exactly right. But it's in the ball park. The 
authoritative source is the Evaluated Configuration Guide (ECG). It says:

"If you want to ensure that auditd always forces a disk write for each record, 
you MAY set the flush = SYNC option in /etc/audit/auditd.conf,"

So, in reality, it's a MAY and not a MUST.

> How serious is this bug, at least in your opinion?

I'd say this is a quality of implementation issue. The O_SYNC and O_DSYNC 
options are supposed to help prevent data loss during an Oops or power 
failure. Although that can't really be guaranteed either without specific 
attention to file system selection, special mount options, specific disk 
controller and hard drive cache power requirements (as in battery backed up).

I also don't have any real estimate on how many people might actually run 
using the DATA/SYNC options. I assume that most people that use auditing need 
to survive bursts and choose faster & risky disk flushing options rather than 
slower & safe.

-Steve


> On Tue, Oct 6, 2015 at 11:40 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, October 05, 2015 05:43:01 PM Cat wrote:
> > > I believe auditd's flush configuration can only be set to INCREMENTAL to
> > > guarantee some form of log durability, while DATA or SYNC do nothing. Is
> > > this a known bug or did I misinterpret auditd.conf's man page?
> > 
> > It has been a very long time (10 years?) since this code was looked at.
> > Reviewing current docs, I think you are right. I put a fix into git as
> > commit 1126. The short story is these are now turned into open flags instead
> > of fcntl.
> > 
> > -Steve
> > 
> > > In audit-event.c: in open_audit_log():
> > > fcntl(F_SETFL, O_SYNC) is called on the already open log's file
> > > descriptor, but O_SYNC (and O_DSYNC) are ignored by F_SETFL
> > > 
> > > You can check this in the kernel at fs/fcntl.c:
> > > #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
> > > 
> > > The fcntl() man page also indicates this expected behavior.
> > > 
> > > I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
> > > 14.04.03 and I believe I've reproduced the problem on both
> > > distributions.
> > > 
> > > Thanks,
> > > Cat

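The behaviour Cat describes (a flag handed to fcntl(F_SETFL) being silently dropped unless it is in the kernel's SETFL_MASK, while the same flag passed to open() sticks) can be checked from userspace with F_GETFL. The program below is an added example written for this page, not code from auditd or the kernel; the function names and the scratch path under /tmp are constructed for the demonstration. It probes O_SYNC (flush = SYNC), O_DSYNC (flush = DATA) and, for contrast, O_APPEND, which is in SETFL_MASK and therefore does survive F_SETFL.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Added demonstration (not auditd code): does a file status flag requested
 * through fcntl(F_SETFL) actually take effect, compared with requesting the
 * same flag at open() time? Function names and the scratch path below are
 * hypothetical; the file exists only for the check and is removed by main().
 */

/* Report whether every bit of `flag` is present in the descriptor's current
 * status flags as the kernel reports them via F_GETFL. */
static int has_flag(int fd, int flag)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1)
        return -1;
    return (flags & flag) == flag;
}

/* Pre-fix pattern (open_audit_log() before commit 1126): open the log without
 * the flag, then try to add it with F_SETFL. Returns 1 if F_GETFL shows the
 * flag afterwards, 0 if the kernel dropped it, -1 on error. */
int flag_set_via_fcntl(const char *path, int flag)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd == -1)
        return -1;
    int flags = fcntl(fd, F_GETFL);
    /* The F_SETFL call itself succeeds; the kernel just masks out bits that
     * are not in SETFL_MASK, which is why the bug went unnoticed. */
    if (flags == -1 || fcntl(fd, F_SETFL, flags | flag) == -1) {
        close(fd);
        return -1;
    }
    int r = has_flag(fd, flag);
    close(fd);
    return r;
}

/* Post-fix pattern: pass the flag to open() itself. Same return convention. */
int flag_set_via_open(const char *path, int flag)
{
    int fd = open(path, O_WRONLY | O_CREAT | flag, 0600);
    if (fd == -1)
        return -1;
    int r = has_flag(fd, flag);
    close(fd);
    return r;
}

int main(void)
{
    const char *path = "/tmp/o_sync_demo.log"; /* constructed scratch path */
    struct { const char *name; int flag; } probes[] = {
        { "O_SYNC",   O_SYNC   }, /* auditd.conf: flush = SYNC */
        { "O_DSYNC",  O_DSYNC  }, /* auditd.conf: flush = DATA */
        { "O_APPEND", O_APPEND }, /* in SETFL_MASK, so F_SETFL keeps it */
    };

    printf("%-9s %-10s %-9s\n", "flag", "via fcntl", "via open");
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-9s %-10d %-9d\n", probes[i].name,
               flag_set_via_fcntl(path, probes[i].flag),
               flag_set_via_open(path, probes[i].flag));

    unlink(path);
    return 0;
}
```

On a Linux kernel the two durability flags report 0 in the "via fcntl" column and 1 in the "via open" column, while O_APPEND reports 1 in both; that asymmetry is exactly the SETFL_MASK behaviour quoted from fs/fcntl.c above, and a check like this is a cheap way to confirm that an auditd build actually honours flush = DATA or SYNC rather than trusting the configuration file.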
Thread overview: 4+ messages
2015-10-05 21:43 auditd.conf: flush set to DATA or SYNC does nothing on many kernels? Cat
2015-10-06 15:40 ` Steve Grubb
2015-10-06 16:24   ` Cat Zimmermann
2015-10-06 16:49     ` Steve Grubb [this message]