auditd.conf: flush set to DATA or SYNC does nothing on many kernels?

Cat Zimmermann catzimmermann at gmail.com
Tue Oct 6 16:24:25 UTC 2015


Aren't the DATA and SYNC durability options required for CAPP compliance?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-configuring_the_audit_service.html

How serious is this bug, at least in your opinion?

Thanks,
Cat

On Tue, Oct 6, 2015 at 11:40 AM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Monday, October 05, 2015 05:43:01 PM Cat wrote:
> > I believe auditd's flush configuration can only be set to INCREMENTAL to
> > guarantee some form of log durability, while DATA or SYNC do nothing. Is
> > this is a known bug or did I misinterpret auditd.conf's man page?
>
> It has been a very long time (10 years?) since this code was looked at.
> Reviewing current docs, I think you are right. I put a fix into git as
> commit 1126. The short story is these are now turned into open flags instead
> of fcntl.
>
> -Steve
>
> > In audit-event.c: in open_audit_log():
> > fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor,
> > but O_SYNC (and O_DSYNC) are ignored by F_SETFL
> >
> > You can check this in the kernel at fs/fcntl.c:
> > #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
> >
> > The fcntl() man page also indicates this expected behavior.
> >
> > I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
> > 14.04.03 and I believe I've reproduced the problem on both distributions.
> >
> > Thanks,
> > Cat
>
>
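The F_SETFL behaviour described in the quoted report can be checked directly. The C program below is an added example, not code from auditd or from anyone in this thread. It opens a scratch file, tries to add O_SYNC (or O_DSYNC) with fcntl() the way the old open_audit_log() did, and reads the status flags back with F_GETFL; it then opens the file again with the flag passed to open(2), which is the approach the fix is described as taking. The scratch path under /tmp, the flush_mode_flag() mapping from auditd.conf-style values to open flags, and all function names are this example's own assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>

/* Scratch file used by the demo (constructed path, not an auditd log path). */
static const char *scratch_path(void) {
    static char buf[64];
    snprintf(buf, sizeof buf, "/tmp/osync_demo_%ld", (long)getpid());
    return buf;
}

/* Map an auditd.conf-style flush value to the open(2) flag that implements it.
   This mapping is the example's assumption about "turned into open flags";
   it is not auditd's code. */
int flush_mode_flag(const char *mode) {
    if (strcasecmp(mode, "sync") == 0) return O_SYNC;   /* data + metadata */
    if (strcasecmp(mode, "data") == 0) return O_DSYNC;  /* data only */
    return 0;  /* none / incremental: no per-write durability flag */
}

/* Read back the status flags and report whether 'want' is fully present.
   Closes fd and removes the scratch file. Returns 1 = set, 0 = not set, -1 = error. */
static int flag_present_then_cleanup(int fd, int want) {
    int got = fcntl(fd, F_GETFL);
    close(fd);
    unlink(scratch_path());
    if (got < 0) return -1;
    return want != 0 && (got & want) == want;
}

/* The old approach: open first, then try to add the durability flag with F_SETFL.
   On Linux F_SETFL only honours SETFL_MASK, so O_SYNC/O_DSYNC are silently dropped
   and fcntl() still returns 0. */
int durability_via_fcntl(const char *mode) {
    int want = flush_mode_flag(mode);
    int fd = open(scratch_path(), O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return -1;
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | want) < 0) {
        close(fd);
        unlink(scratch_path());
        return -1;
    }
    return flag_present_then_cleanup(fd, want);
}

/* The fixed approach: pass the durability flag to open(2) itself. */
int durability_via_open(const char *mode) {
    int want = flush_mode_flag(mode);
    int fd = open(scratch_path(), O_WRONLY | O_CREAT | O_APPEND | want, 0600);
    if (fd < 0) return -1;
    return flag_present_then_cleanup(fd, want);
}

int main(void) {
    const char *modes[] = { "sync", "data", "incremental" };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        printf("flush=%-12s via fcntl(F_SETFL): %d   via open(2): %d\n",
               modes[i], durability_via_fcntl(modes[i]), durability_via_open(modes[i]));
    }
    return 0;
}
```

A value of 0 in the fcntl column next to 1 in the open column is the bug in the report: the call succeeds, but F_GETFL shows the durability flag never took effect. The same F_GETFL check against /proc/PID/fd of a running auditd is a quick way to confirm which behaviour a deployed build has, without reading its source.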