Hello,
On Tuesday, September 12, 2023 5:20:54 PM EDT Amjad Gabbar wrote:
Based on this and some experiments I have been performing, I would suggest changing how a lot of the FileSystem rules are written and illustrated.
Ex - https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules#L34-L35
The rule in the repository is
-a always,exit -F path=/etc/sudoers -F perm=wa -F key=10.2.2-priv-config-changes
My suggestion is to instead change the rule based on the permissions defined. The above rule would change to the following based on the kernel being used.
-a always,exit -S <list of syscalls in audit_write.h and audit_read.h +open,openat> -F path=/etc/sudoers -F perm=wa -F key=10.2.2-priv-config-changes
That should be exactly what the kernel does with the perm fields. The perm fields select the right system calls that should be reported on.
This is higher performance because we are limiting the syscalls instead of making use of -S all which has more paths of evaluation for each and every syscall.
Same thing for watches. Watches are inherently -S all rules which are very performance intensive.
https://github.com/linux-audit/audit-userspace/blob/1482cec74f2d9472f81dd4f0533484bd0c26decd/lib/libaudit.c#L805
There should be no difference in performance between watches and syscall based file auditing.
Ideally we should limit the syscalls based on the permissions being used.
I have implemented the same in my environment rules and have noticed a massive performance difference with no difference in the events being logged since we anyway filter eventually based on the permissions.
Let me know what you all think.
I'm looking into this more. I see a 1 line change that I am testing.
-Steve
On Wed, Sep 6, 2023 at 2:58 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2023-09-06 10:56, Amjad Gabbar wrote:
> > Hi,
> >
> > I have done some analysis and digging into how both the watch rules and
> > syscall rules are translated.
> >
> > From my understanding, in terms of logging, both the below rules are
> > similar. There is no difference in either of the rules.
> >
> > 1. -w /etc -p wa -k ETC_WATCH
>
> They are similar in this case.
> -w behaves differently depending on the existence of the watched entity
> and the presence of a trailing "/". This is why the form above is
> deprecated.
>
> > 2. -a always,exit -F arch=b64 -S <all syscalls part of the write and attr classes> -F dir=/etc -F perm=wa -k ETC_WATCH
> >
> > The write and attr classes consist of syscalls in "include/asm-generic/audit_*.h".
> >
> > The perm flag is needed in the second case for including open/openat
> > syscalls which are not a part of the write and attr syscall list.
> >
> > I'd like to verify if what I mentioned earlier is accurate, and I have an
> > additional point but it depends on whether this is accurate.
> >
> > Ali
>
> - RGB
>
> --
> Richard Guy Briggs <rgb(a)redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> Upstream IRC: SunRaycer
> Voice: +1.613.860 2354 SMS: +1.613.518.6570
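As an added illustration of the rewrite proposed in the thread (example code, not from the thread or from audit-userspace): a small Python rewriter that turns a -w watch into the -a always,exit form with -S narrowed to the syscalls the perm= letters can match, instead of the -S all a watch expands to. The syscall class table is a constructed subset, and the rwxa default, the is_dir parameter and the execve handling for 'x' are assumptions; the authoritative lists are the kernel's include/asm-generic/audit_*.h headers named above.

```python
"""Rewrite an auditd watch (-w PATH -p PERMS -k KEY) into the perm-restricted
syscall rule proposed in the thread, instead of the -S all a watch expands to.
The syscall class table is a constructed subset; the real lists are the kernel's
include/asm-generic/audit_write.h, audit_read.h and audit_change_attr.h."""
import re

# Constructed subset of the kernel syscall classes (assumption, not complete).
SYSCALL_CLASSES = {
    "r": ["readlink", "readlinkat", "getxattr", "listxattr"],
    "w": ["truncate", "ftruncate", "creat", "rename", "link", "unlink",
          "symlink", "mkdir", "rmdir", "mknod"],
    "a": ["chmod", "fchmod", "chown", "fchown", "lchown", "setxattr",
          "removexattr"],
}
# open/openat belong to no class: the kernel matches them on the access mode
# requested, so they must be in -S for perm=r or perm=w to see them.
OPEN_SYSCALLS = ["open", "openat"]
WATCH_RE = re.compile(r"^-w\s+(\S+)(?:\s+-p\s+([rwxa]+))?(?:\s+-k\s+(\S+))?$")


def syscalls_for_perms(perms: str) -> list[str]:
    """Syscalls a -F perm=PERMS filter can actually match (sorted, unique)."""
    if not perms or set(perms) - set("rwxa"):
        raise ValueError(f"bad perm string {perms!r}, expected letters from rwxa")
    names = set()
    for p in perms:
        names.update(SYSCALL_CLASSES.get(p, []))
    if "r" in perms or "w" in perms:
        names.update(OPEN_SYSCALLS)
    if "x" in perms:
        names.add("execve")  # assumption: 'x' is matched on execve only
    return sorted(names)


def rewrite_watch(rule: str, is_dir: bool = False, arch: str = "b64") -> str:
    """Turn a -w rule into an -a always,exit rule with a narrowed -S list.
    The caller decides is_dir (a watch's meaning depends on whether the target
    exists and is a directory): directories become -F dir=, files -F path=."""
    m = WATCH_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a watch rule: {rule!r}")
    # Assumed default: a watch without -p covers all of rwxa.
    path, perms, key = m.group(1), m.group(2) or "rwxa", m.group(3)
    target = f"dir={path.rstrip('/') or '/'}" if is_dir else f"path={path}"
    # -F arch= must come before -S so auditctl can resolve the syscall names.
    parts = ["-a", "always,exit", "-F", f"arch={arch}",
             "-S", ",".join(syscalls_for_perms(perms)),
             "-F", target, "-F", f"perm={perms}"]
    if key:
        parts += ["-k", key]
    return " ".join(parts)
```

Run rewrite_watch("-w /etc/sudoers -p wa -k 10.2.2-priv-config-changes") to get the narrowed form of the PCI rule discussed above; swap the class table for the lists from the running kernel's headers before using the output.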