Home / server / Questions / 1141913
Accepted
J'e
Asked: 2023-08-19 03:46:04 +0800 CST

auditd.conf - when is "verify_email" actually checked?

  • 772

When using an email address in /etc/audit/auditd.conf, there is an option verify_email which is defined as,

This option determines if the email address given in action_mail_acct is checked to see if the domain name can be resolved. This option must be given before action_mail_acct or the default value of yes will be used.

When is the actual check performed? For example, when the service is started? When an audit event occures?

auditd

1 Answers

  1. Best Answer

    When the service is started – or more precisely during parsing the configuration.

    In the src/auditd-config.c (as of 60477a5):

    • Configuration parameter action_mail_acct is parsed on lines 1124-1145.

      • There, if config->verify_email (as parsed from configuration parameter verify_email = yes) is true & validate_email(tmail) returns any errors, the action_mail_acct_parser() will return 1.

    • The validate_email() on lines 1058-1122 performs various (quite naive) checks:

      1. Is the string too short to be an email address.
      2. Does the email address have illegal characters.
      3. Does the email address have @ as it should.
      4. Does the email address have . after @.
      5. Uses getaddrinfo() to check whether the hostname part of the address resolves.

    • On lines 1109-1111 there is a nice TODO left for detecting permanent failures.
      Should I fix it now that I'm here? ;D

    • 1