So,

Based on this and some experiments I have been performing, I would suggest changing how a lot of the FileSystem rules are written and illustrated.
Ex - https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules#L34-L35

The rule in the repository is
-a always,exit -F path=/etc/sudoers -F perm=wa -F key=10.2.2-priv-config-changes

My suggestion is to instead change the rule based on the permissions defined. The above rule would change to the following based on the kernel being used.
-a always,exit -S <list of syscalls in audit_write.h and audit_read.h +open,openat> -F path=/etc/sudoers -F perm=wa -F key=10.2.2-priv-config-changes

This is higher performance because we are limiting the syscalls instead of making use of -S all which has more paths of evaluation for each and every syscall.

Same thing for watches. Watches are inherently -S all rules which are very performance intensive.
https://github.com/linux-audit/audit-userspace/blob/1482cec74f2d9472f81dd4f0533484bd0c26decd/lib/libaudit.c#L805

Ideally we should limit the syscalls based on the permissions being used. 

I have implemented the same in my environment rules and have noticed a massive performance difference with no difference in the events being logged since we anyways filter eventually based on the permissions.

Let me know what you all think.

Ali Adnan.





On Wed, Sep 6, 2023 at 2:58 PM Richard Guy Briggs <rgb@redhat.com> wrote:
On 2023-09-06 10:56, Amjad Gabbar wrote:
> Hi,
>
> I have done some analysis and digging into how both the watch rules and
> syscall rules are translated.
>
> From my understanding, in terms of logging, both the below rules are
> similar. There is no difference in either of the rules.
>
> 1. -w /etc -p wa -k ETC_WATCH

They are similar in this case.
-w behaves differently depending on the existance of the watched entity
and the presence of a trailing "/".  This is why the form above is
deprecated.

> 2. -a always,exit -F arch=b64 -S <all syscalls part of the write and attr
> classes> -F dir=/etc  -F perm=wa -k ETC_WATCH
>
> The write and attr classes consist of syscalls in
> “include/asm-generic/audit_*.h“.
>
>  The perm flag is needed in the second case for including open/openat
> syscalls which are not a part of the write and attr syscall list.
>
> I'd like to verify if what I mentioned earlier is accurate, and I have an
> additional point but depends on whether this is accurate.
>
> Ali

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
Upstream IRC: SunRaycer
Voice: +1.613.860 2354 SMS: +1.613.518.6570