Re: [RFC] Do away with entry filter

Hello, I will be forking the user space audit code soon to start the next major series. I have a couple thoughts I'd like to share with people to see what they think. The first item is doing away with the entry filter for syscall auditing. You normally run across this filter when you write rules such as: -a always,entry -S open The reason I think we can do away with it is that its purpose has changed. Way back in the early days 2.6.6 -> 2.6.15 kernels, there was this notion that the audit code could be made to have little impact on the performance of the system if we give hints about what is needed by using "possible" actions. The problem with "possible" was that people forgot to use it and had exit filter rules that had no data to operate on. So, we changed the kernel to always collect the data it needed in case an exit filter would trigger an event. This was optimized and performance was pretty good. So, that kind of left the entry filter without a purpose. Any entry rule can be written as an exit rule. But not every exit rule can be written as an entry rule. So the logical choice is to consolidate on the exit filter. The reason to do this is to improve performance. If we have an entry rule that triggers, it marks the syscall excursion as auditable. When we get to the exit filter, it iterates over the whole set of rules even though the event is auditable. This is because there could be a never rule that would suppress the output. Another problem introduced by having two filters is that some fields are not available in the entry filter (exit for example), it adds complexity in the auditctl program and the in-kernel rule parser to look for these errors. The way that we could make the change is for the audit package to silently convert entry rules to exit in user space. It could output a warning that entry rules are being converted and the admin should make the necessary adjustments. Then after some time has elapsed so that distros have all updated, drop support in the kernel for the entry filter. Let's discuss...

Thanks, -Steve -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit