Aren't the DATA and SYNC durability options required for CAPP compliance?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-configuring_the_audit_service.html

How serious is this bug, at least in your opinion?

Thanks,
Cat

On Tue, Oct 6, 2015 at 11:40 AM, Steve Grubb <[email protected]> wrote:

> On Monday, October 05, 2015 05:43:01 PM Cat wrote:
> > I believe auditd's flush configuration can only be set to INCREMENTAL to
> > guarantee some form of log durability, while DATA or SYNC do nothing. Is
> > this a known bug or did I misinterpret auditd.conf's man page?
>
> It has been a very long time (10 years?) since this code was looked at.
> Reviewing current docs, I think you are right. I put a fix into git as
> commit 1126. The short story is these are now turned into open flags instead
> of fcntl.
>
> -Steve
>
> > In audit-event.c: in open_audit_log():
> > fcntl(F_SETFL, O_SYNC) is called on the already open log's file descriptor,
> > but O_SYNC (and O_DSYNC) are ignored by F_SETFL
> >
> > You can check this in the kernel at
> > fs/fcntl.c:
> > #define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
> >
> > The fcntl() man page also indicates this expected behavior.
> >
> > I checked both the kernel and audit source for CentOS 6.7 and Ubuntu
> > 14.04.03 and I believe I've reproduced the problem on both distributions.
> >
> > Thanks,
> > Cat
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
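The behaviour discussed in this thread can be checked from user space. The following is an added example, not part of the thread or of the audit source: it compares requesting O_SYNC/O_DSYNC through fcntl(F_SETFL) on an already open descriptor with passing the same flag to open(). The function names and the scratch path under /tmp are hypothetical, and it assumes Linux with a writable /tmp.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* make sure O_DSYNC is visible */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Create a fresh scratch log (constructed path) with extra open() flags. */
static int open_scratch(char *path, size_t len, int extra)
{
    static int seq;
    snprintf(path, len, "/tmp/flush_demo_%ld_%d.log", (long)getpid(), seq++);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND | extra, 0600);
}

/* Pattern from the report: open first, then ask for sync_flag with F_SETFL.
 * Returns 1 if the flag is set afterwards, 0 if not, -1 on error. */
int flag_after_fcntl(int sync_flag)
{
    char path[64];
    int fd = open_scratch(path, sizeof(path), 0);
    if (fd < 0) return -1;
    int before = fcntl(fd, F_GETFL);
    /* The call reports success, but bits outside SETFL_MASK are dropped. */
    int rc = fcntl(fd, F_SETFL, before | sync_flag);
    int after = fcntl(fd, F_GETFL);
    close(fd);
    unlink(path);
    if (before < 0 || rc < 0 || after < 0) return -1;
    return (after & sync_flag) == sync_flag;
}

/* Pattern described for the fix: pass sync_flag to open() itself. */
int flag_after_open(int sync_flag)
{
    char path[64];
    int fd = open_scratch(path, sizeof(path), sync_flag);
    if (fd < 0) return -1;
    int after = fcntl(fd, F_GETFL);
    close(fd);
    unlink(path);
    return after < 0 ? -1 : (after & sync_flag) == sync_flag;
}

int main(void)
{
    printf("F_SETFL: O_SYNC=%d O_DSYNC=%d\n",
           flag_after_fcntl(O_SYNC), flag_after_fcntl(O_DSYNC));
    printf("open():  O_SYNC=%d O_DSYNC=%d\n",
           flag_after_open(O_SYNC), flag_after_open(O_DSYNC));
    return 0;
}
```

Because F_SETFL returns 0 even though the flag is discarded, a return-code check alone cannot catch this; reading the flags back with F_GETFL is what exposes it.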
