Hi Everyone,
I wanted some help in better understanding the workflow of file system
auditing(watch rules) vs Syscall Auditing(syscall rules). I know in general
file system auditing does not have the same performance impact as syscall
auditing, even though both make use of syscall exits for their evaluation.
From the manpage - "Unlike most syscall auditing rules, watches
do not
impact performance based on the number of rules sent to the kernel."
From a previous thread, I found this excerpt regarding file watch
rules vs
sycall rules -
"The reason it doesn't have performance impact like normal syscall rules is
because it gets moved to a list that is not evaluated every syscall. A
normal syscall rule will get evaluated for every syscall because it has to
see if the syscall number is of interest and then it checks the next rule."
Based on this I had a couple of questions:
For normal syscall rules, the evaluation happens as __audit_syscall_exit
<
https://elixir.bootlin.com/linux/v6.1.10/C/ident/__audit_syscall_exit> calls
audit_filter_syscall
(
https://elixir.bootlin.com/linux/v6.1.10/source/kernel/auditsc.c#L841)
Here, we check if the syscall is of interest or not in the audit_in_mask
<
https://elixir.bootlin.com/linux/v6.1.10/C/ident/audit_in_mask> function.
Only if the syscall is of interest do we proceed with examining the task
and return on the first rule match.
1. What is the process or code path for watch rules? audit_filter_syscall
<
https://elixir.bootlin.com/linux/v6.1.10/C/ident/audit_filter_syscall> is
called for watch rules as well. Then how is it that these are not called
for every syscall? Could you point me to the code where the evaluation
happens only once?
2. Also, do file watches only involve the open system call family (open,
openat etc). The man page implies the same, so just wanted to confirm.
I assume -w /etc -p wa is the same as -a always,exit -S open -S openat -F
dir=/etc?
Please correct any wrong assumption I may have as well.
Regards