Hi,
Just wanted to follow up wrt the previous findings and experiments and what
some of your thoughts are on the suggested optimizations.
Regards
Ali
On Tue, Sep 12, 2023 at 4:20 PM Amjad Gabbar <amjadgabbar11(a)gmail.com> wrote:
So,
Based on this and some experiments I have been performing, I would suggest
changing how a lot of the FileSystem rules are written and illustrated.
Ex -
https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-d...
The rule in the repository is
-a always,exit -F path=/etc/sudoers -F perm=wa -F key=10.2.2-priv-config-changes
My suggestion is to instead change the rule based on the permissions
defined. The above rule would change to the following based on the kernel
being used.
-a always,exit -S <list of syscalls in audit_write.h and audit_read.h +open,openat> -F path=/etc/sudoers -F perm=wa -F key=10.2.2-priv-config-changes
This is higher performance because we are limiting the syscalls instead of
making use of -S all which has more paths of evaluation for each and every
syscall.
Same thing for watches. Watches are inherently -S all rules which are very
performance intensive.
https://github.com/linux-audit/audit-userspace/blob/1482cec74f2d9472f81dd...
Ideally we should limit the syscalls based on the permissions being used.
I have implemented the same in my environment rules and have noticed a
massive performance difference with no difference in the events being
logged, since we anyway filter eventually based on the permissions.
Let me know what you all think.
Ali Adnan.
On Wed, Sep 6, 2023 at 2:58 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2023-09-06 10:56, Amjad Gabbar wrote:
> > Hi,
> >
> > I have done some analysis and digging into how both the watch rules and
> > syscall rules are translated.
> >
> > From my understanding, in terms of logging, both the below rules are
> > similar. There is no difference in either of the rules.
> >
> > 1. -w /etc -p wa -k ETC_WATCH
>
> They are similar in this case.
> -w behaves differently depending on the existence of the watched entity
> and the presence of a trailing "/". This is why the form above is
> deprecated.
>
> > 2. -a always,exit -F arch=b64 -S <all syscalls part of the write and
> > attr classes> -F dir=/etc -F perm=wa -k ETC_WATCH
> >
> > The write and attr classes consist of syscalls in
> > "include/asm-generic/audit_*.h".
> >
> > The perm flag is needed in the second case for including open/openat
> > syscalls which are not a part of the write and attr syscall list.
> >
> > I'd like to verify if what I mentioned earlier is accurate, and I have
> > an additional point, but it depends on whether this is accurate.
> >
> > Ali
>
> - RGB
>
> --
> Richard Guy Briggs <rgb(a)redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> Upstream IRC: SunRaycer
> Voice: +1.613.860 2354 SMS: +1.613.518.6570
>
>
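The translation the thread describes, from a `-w PATH -p PERMS -k KEY` watch (implicitly `-S all`) to an `-a always,exit` rule whose `-S` list names only the syscalls in the selected classes plus open/openat, as an added example that is not code from the thread or from the audit-userspace project. The header excerpts and the `SAMPLE_AVAILABLE` set are constructed stand-ins shaped like the kernel's `include/asm-generic/audit_*.h` lists and the syscalls a 64-bit kernel defines; the function names are this example's own. It handles the r, w and a flags the thread discusses and deliberately rejects x.

```python
"""Derive an explicit syscall-filtered rule from an auditd watch rule.

Added example, not code from audit-userspace. The header excerpts below are
constructed samples in the shape of include/asm-generic/audit_write.h,
audit_attr.h and audit_read.h (`__NR_<name>,` entries, some behind
`#ifdef __NR_<name>`); on a real system read those files from the source
tree of the running kernel and pass that kernel/arch's syscall names as
`available`, so the -S list only carries syscalls auditctl will accept.
"""
import re

# Constructed excerpts (shape only; not the real header contents).
AUDIT_WRITE_H = """\
__NR_acct,
#ifdef __NR_swapon
__NR_swapon,
#endif
__NR_truncate,
#ifdef __NR_truncate64
__NR_truncate64,
#endif
__NR_ftruncate,
__NR_write,
__NR_writev,
"""
AUDIT_ATTR_H = """\
__NR_chmod,
__NR_fchmod,
__NR_chown,
__NR_fchown,
__NR_setxattr,
__NR_removexattr,
"""
AUDIT_READ_H = """\
__NR_readlink,
__NR_listxattr,
__NR_read,
__NR_readv,
"""

# Constructed stand-in for "what the running kernel defines" (no truncate64,
# as on a 64-bit arch).
SAMPLE_AVAILABLE = {
    "acct", "swapon", "truncate", "ftruncate", "write", "writev",
    "chmod", "fchmod", "chown", "fchown", "setxattr", "removexattr",
    "readlink", "listxattr", "read", "readv", "open", "openat",
}

# Which class header each -p letter selects. open/openat are in none of the
# class lists; perm= matches them by their open flags, so they are appended
# for r and w, as the thread's suggested rule does. x (exec) is not covered.
PERM_CLASSES = {"w": AUDIT_WRITE_H, "a": AUDIT_ATTR_H, "r": AUDIT_READ_H}
OPEN_SYSCALLS = ("open", "openat")
NR_RE = re.compile(r"^__NR_(\w+),")


def syscalls_from_header(text, available):
    """Return the `__NR_<name>,` entries of a class header, in order, keeping
    a guarded entry only when its `#ifdef __NR_<name>` holds for `available`."""
    names, guards = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#ifdef __NR_"):
            guards.append(line[len("#ifdef __NR_"):] in available)
        elif line == "#endif":
            guards.pop()
        elif all(guards):
            m = NR_RE.match(line)
            if m:
                names.append(m.group(1))
    return names


def parse_watch_rule(rule):
    """Split `-w PATH -p PERMS [-k KEY]` into (path, perms, key)."""
    toks = rule.split()
    opts = {}
    for i in range(0, len(toks), 2):
        if toks[i] not in ("-w", "-p", "-k") or i + 1 >= len(toks):
            raise ValueError(f"unexpected token {toks[i]!r} in watch rule")
        opts[toks[i]] = toks[i + 1]
    if "-w" not in opts or "-p" not in opts:
        raise ValueError("watch rule needs -w PATH and -p PERMS")
    return opts["-w"], opts["-p"], opts.get("-k", "")


def convert_watch_rule(rule, available, is_dir=None, arch="b64"):
    """Translate a watch into the equivalent always,exit rule whose -S list
    holds only the syscalls of the selected classes (plus open/openat for
    r/w) instead of the implicit -S all of a watch.

    `is_dir` picks -F dir= over -F path=; when None, a trailing "/" on the
    watched path marks a directory (pass it explicitly otherwise)."""
    path, perms, key = parse_watch_rule(rule)
    unknown = set(perms) - set(PERM_CLASSES)
    if unknown:
        raise ValueError(f"perm flag(s) not handled here: {''.join(sorted(unknown))}")
    syscalls = []
    for flag in "wra":  # fixed order so the output is stable
        if flag in perms:
            for name in syscalls_from_header(PERM_CLASSES[flag], available):
                if name not in syscalls:
                    syscalls.append(name)
    if "r" in perms or "w" in perms:
        syscalls.extend(s for s in OPEN_SYSCALLS if s in available and s not in syscalls)
    if is_dir is None:
        is_dir = path.endswith("/")
    target = "dir" if is_dir else "path"
    clean_path = path.rstrip("/") or "/"
    out = (f"-a always,exit -F arch={arch} -S {','.join(syscalls)} "
           f"-F {target}={clean_path} -F perm={perms}")
    return out + (f" -k {key}" if key else "")


if __name__ == "__main__":
    for watch in ("-w /etc/sudoers -p wa -k 10.2.2-priv-config-changes",
                  "-w /etc/ -p wa -k ETC_WATCH"):
        print(watch)
        print("  ->", convert_watch_rule(watch, SAMPLE_AVAILABLE))
```

The `perm=` filter stays on the generated rule on purpose: the shorter `-S` list is what cuts the per-syscall evaluation, while `perm=` still does the final open-flag check for open/openat, so the events logged are the same as with the watch.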