On Wednesday, November 05, 2014 01:39:11 PM Jan Lieskovsky wrote:
 Hello folks,
 
   within the effort to provide an implementation for some task
 implying from my daily job, recently I started to face the following
 question related to auditd: how to write audit rules in the most
 effective way. I am mainly interested in whether there is some comparison / research
 wrt whether there is some performance penalty when (syscall, but
 in the general case it doesn't need to be limited to syscall calls) audit
 rules are created in the way having just one syscall rule (one -S argument
 is provided per audit rule) versus the case when there are more
 (compatible) -S arguments provided simultaneously in the particular
 audit.rules row?
Yes, there has. The answer is combine as many syscalls as possible into each 
rule. To see why, look at this code:
http://lxr.free-electrons.com/source/kernel/auditsc.c#L747
Basically you have a for loop over each rule and on line 765 it checks by 
"anding" the syscalls in the rule. If no match, iterate again. So, by 
increasing the rules, you increase the iterating for each and every syscall 
made whether it's of interest or not.
 To provide an example, let's suppose the *chown category of
rules:
 * the "all-in-one" case:
 
   -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
 
 vs
 
 * the "one-rule-per-one-row" case:
The first is the recommended format and that is also the way that all sample 
rules, such as the stig.rules, are written.
 
   -a always,exit -F arch=b32 -S chown    -F auid>=500 -F auid!=4294967295 -k perm_mod
   -a always,exit -F arch=b32 -S fchown   -F auid>=500 -F auid!=4294967295 -k perm_mod
   -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
   -a always,exit -F arch=b32 -S lchown   -F auid>=500 -F auid!=4294967295 -k perm_mod
 
 Does the way the -S arguments are laid out across the
 /etc/audit/audit.rules file (IOW, whether they are provided within one row or spread
 across multiple rows) have some (negative) impact on the audit system's
 efficiency? [*] If so, is there some way to measure the performance
 penalty in the second case?
Yes. We have done it in the past to come up with the current recommendation.
-Steve
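As an added illustration (not code from this thread or from the audit project), the Python below consolidates one-syscall-per-row rules that share identical filters into a single multi -S rule, and models the per-syscall rule walk Steve describes. It assumes rules in the -a/-F/-S/-k form quoted above and that the merged rule keeps the arch filter ahead of -S; the sample rules are constructed.

```python
# Constructed sample in the "one-rule-per-row" form, plus a b64 rule that must stay separate.
SPLIT_RULES = """
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
"""

def load_rules(text):
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def parse_rule(line):
    """Return (signature, syscalls): every token except the -S pairs, with a
    "<S>" marker where the first -S stood so a merged rule keeps the layout."""
    toks, sig, syscalls, i = line.split(), [], [], 0
    while i < len(toks):
        if toks[i] == "-S":
            if not syscalls:
                sig.append("<S>")
            syscalls.append(toks[i + 1])
            i += 2
        else:
            sig.append(toks[i])
            i += 1
    return tuple(sig), syscalls

def merge_rules(rules):
    """One rule per distinct signature (first-seen order), union of its syscalls."""
    groups = {}
    for line in rules:
        sig, scs = parse_rule(line)
        bucket = groups.setdefault(sig, [])
        bucket.extend(s for s in scs if s not in bucket)
    merged = []
    for sig, scs in groups.items():
        s_opts = " ".join(f"-S {s}" for s in scs)
        merged.append(" ".join(s_opts if tok == "<S>" else tok for tok in sig))
    return merged

def rules_visited(rules, syscall):
    """Model of the kernel loop: walk the exit list in order, test the syscall
    against each rule's set (a bitmask AND in the kernel), stop at the first hit."""
    visited = 0
    for line in rules:
        visited += 1
        if syscall in parse_rule(line)[1]:
            break
    return visited
```

Merging is only valid when every field other than -S is identical; review the output against `auditctl -l` on a test host before deploying it.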