Hello all,

I believe auditd's flush configuration can only be set to INCREMENTAL to guarantee some form of log durability, while DATA or SYNC do nothing. Is this a known bug or did I misinterpret auditd.conf's man page?

In audit-event.c, in open_audit_log(), fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor, but O_SYNC (and O_DSYNC) are ignored by F_SETFL. You can check this in the kernel at fs/fcntl.c:

    #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)

The fcntl() man page also indicates this expected behavior.

I checked both the kernel and audit source for CentOS 6.7 and Ubuntu 14.04.03 and I believe I've reproduced the problem on both distributions.

Thanks,
Cat
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
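The behaviour described in the message above can be checked on Linux with a short C program. This is an added example, not part of the original post and not auditd's code; the function name osync_effective and the /tmp scratch path are assumptions made for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* at_open = 1: pass O_SYNC to open() itself.
 * at_open = 0: open without it, then request it with F_SETFL (the late path).
 * Returns 1 if F_GETFL reports O_SYNC afterwards, 0 if not, -1 on error.
 * On the late path *setfl_rc receives the return value of the F_SETFL call. */
int osync_effective(int at_open, int *setfl_rc)
{
    char path[] = "/tmp/osync-demo-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);

    /* Reopen in append mode, the way a log file would be opened. */
    fd = open(path, O_WRONLY | O_APPEND | (at_open ? O_SYNC : 0));
    unlink(path);
    if (fd < 0)
        return -1;

    if (!at_open)
        *setfl_rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_SYNC);

    int fl = fcntl(fd, F_GETFL);
    close(fd);
    return fl < 0 ? -1 : (fl & O_SYNC) == O_SYNC;
}

int main(void)
{
    int rc = -1;
    int late = osync_effective(0, &rc);
    /* F_SETFL reports success even though the flag was dropped. */
    printf("F_SETFL path: fcntl rc=%d, O_SYNC set=%d\n", rc, late);
    printf("open() path:  O_SYNC set=%d\n", osync_effective(1, &rc));
    return 0;
}
```

Because F_SETFL returns 0 while discarding the flag, checking its return value does not reveal the problem; synchronous writes need O_SYNC or O_DSYNC at open() time, or an explicit fsync()/fdatasync() after each write.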
