When using an email address in /etc/audit/auditd.conf, there is an option verify_email which is defined as,

This option determines if the email address given in action_mail_acct is checked to see if the domain name can be resolved. This option must be given before action_mail_acct or the default value of yes will be used.

When is the actual check performed? For example, when the service is started? When an audit event occurs?

J'e

1 Answer

When the service is started – or more precisely during parsing the configuration.

In the src/auditd-config.c (as of 60477a5):

  • Configuration parameter action_mail_acct is parsed on lines 1124-1145.

    • There, if config->verify_email (as parsed from configuration parameter verify_email = yes) is true & validate_email(tmail) returns any errors, the action_mail_acct_parser() will return 1.
  • The validate_email() on lines 1058-1122 performs various (quite naive) checks:

    1. Is the string too short to be an email address.
    2. Does the email address have illegal characters.
    3. Does the email address have @ as it should.
    4. Does the email address have . after @.
    5. Uses getaddrinfo() to check whether the hostname part of the address resolves.
  • On lines 1109-1111 there is a nice TODO left for detecting permanent failures.
    Should I fix it now that I'm here? ;D

Esa Jokinen
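The five checks listed in the answer can be reproduced as follows; this is an added example, not auditd's source and not part of the answer. The names `email_domain`, `classify_gai` and `check_email`, the minimum length, the allowed character set and the split of `getaddrinfo()` codes into temporary and permanent failures are all assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* expose getaddrinfo() under strict -std= */
#endif
#include <ctype.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>

enum email_status { EMAIL_OK, EMAIL_SYNTAX, EMAIL_DNS_TEMPORARY, EMAIL_DNS_PERMANENT };

/* Checks 1-4. Minimum length and character set are assumptions of this example. */
static const char *email_domain(const char *addr)
{
    if (addr == NULL || strlen(addr) < 5)           /* shortest form: a@b.c */
        return NULL;
    for (const char *p = addr; *p; p++)
        if (!isalnum((unsigned char)*p) && strchr("@.-_", *p) == NULL)
            return NULL;
    const char *at = strchr(addr, '@');
    if (at == NULL || at == addr || strchr(at + 1, '@') != NULL)
        return NULL;
    const char *dot = strrchr(at + 1, '.');
    if (dot == NULL || dot == at + 1 || dot[1] == '\0')
        return NULL;
    return at + 1;                                  /* domain part */
}

/* Split getaddrinfo() results into "retry later" and "name is bad". */
static enum email_status classify_gai(int rc)
{
    switch (rc) {
    case 0:  return EMAIL_OK;
    case EAI_AGAIN: case EAI_MEMORY: case EAI_SYSTEM:
        return EMAIL_DNS_TEMPORARY;     /* resolver or local trouble */
    default: return EMAIL_DNS_PERMANENT; /* EAI_NONAME, EAI_FAIL, ... */
    }
}

/* Check 5: resolve the domain, as happens when the configuration is parsed. */
enum email_status check_email(const char *addr)
{
    const char *domain = email_domain(addr);
    if (domain == NULL)
        return EMAIL_SYNTAX;
    struct addrinfo hints = { .ai_socktype = SOCK_STREAM }, *res = NULL;
    int rc = getaddrinfo(domain, NULL, &hints, &res);
    if (rc == 0)
        freeaddrinfo(res);
    return classify_gai(rc);
}
```

Because the lookup runs while the configuration is parsed, an `EMAIL_DNS_TEMPORARY` result reflects the resolver's state at service start, not the validity of the address.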