Re: Clarification Around File System Auditing

Hello, On Tuesday, February 14, 2023 3:55:58 PM EST Amjad Gabbar wrote: > Thanks for the reply. > I was trying to evaluate the same via Flamegraphs and what I noticed was > that : > > 1. Despite deleting all rules (auditctl -D), there were still calls to > audit_filter_syscall() on each syscall. I assume this is because syscall > auditing is enabled and despite no rules, there still will be some > performance impact and calls to syscall filtering functions on each > syscall. Yes. > 2. For a single watch rule as well without any syscall rules, I could see > calls to audit_filter_syscall() followed by audit_filter_rules() for > unrelated syscalls such as futex() and recvmsg() - not present in > include/asm-generic/audit_*.h > Why would these functions be called for a single watch rule for syscalls > unrelated to the permissions? If auditing is enabled, it will go into the syscall filter for *any* syscall. It will go into __audit_syscall_exit for every syscall. If there is an audit context, it will go into audit_filter_syscall. The documentation in the comments above these functions is informative. My guess is that this code path might benefit from adding a list_empty check. A long time ago, I think we kept a variable that denoted if there were any rules and short-circuited if none.

-Steve > On Tue, Feb 14, 2023 at 8:29 AM Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > > Hello, > > > > On Monday, February 13, 2023 4:24:02 PM EST Amjad Gabbar wrote: > > > I wanted some help in better understanding the workflow of file system > > > auditing(watch rules) vs Syscall Auditing(syscall rules). I know in > > > > general > > > > > file system auditing does not have the same performance impact as > > > syscall > > > auditing, even though both make use of syscall exits for their > > > > evaluation. > > > > > From the manpage - "Unlike most syscall auditing rules, watches do not > > > impact performance based on the number of rules sent to the kernel." > > > > > > From a previous thread, I found this excerpt regarding file watch rules > > > > vs > > > > > sycall rules - > > > > > > "The reason it doesn't have performance impact like normal syscall > > > rules > > > > is > > > > > because it gets moved to a list that is not evaluated every syscall. A > > > normal syscall rule will get evaluated for every syscall because it has > > > > to > > > > > see if the syscall number is of interest and then it checks the next > > > rule." > > > > > > Based on this I had a couple of questions: > > > > > > For normal syscall rules, the evaluation happens as > > > __audit_syscall_exit > > > <https://elixir.bootlin.com/linux/v6.1.10/C/ident/__audit_syscall_exit> > > > calls audit_filter_syscall > > > (https://elixir.bootlin.com/linux/v6.1.10/source/kernel/auditsc.c#L841) > > > > > > Here, we check if the syscall is of interest or not in the > > > audit_in_mask > > > <https://elixir.bootlin.com/linux/v6.1.10/C/ident/audit_in_mask> > > > > function. > > > > > Only if the syscall is of interest do we proceed with examining the > > > task > > > and return on the first rule match. > > > > > > 1. What is the process or code path for watch rules? > > > audit_filter_syscall > > > <https://elixir.bootlin.com/linux/v6.1.10/C/ident/audit_filter_syscall> > > > > is > > > > > called for watch rules as well. Then how is it that these are not > > > called > > > for every syscall? Could you point me to the code where the evaluation > > > happens only once? > > > > There is a file, kernel/audit_watch.c, that implements the interface > > between > > audit and fsnotify. You would want to learn how fsnotify works to > > understand > > how it avoids the syscall filter. > > > > > 2. Also, do file watches only involve the open system call family > > > (open, > > > openat etc). The man page implies the same, so just wanted to confirm. > > > > > > I assume -w /etc -p wa is the same as -a always,exit -S open -S openat > > > -F > > > dir=/etc? > > > > It depends on the flag passed for perm as to what syscall it wants. See: > > > > include/asm-generic/audit_*.h > > > > -Steve -- Linux-audit mailing list Linux-audit(a)redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit