Hello,

I will be forking the user space audit code soon to start the next major
series. I have a couple thoughts I'd like to share with people to see what
they think.

The first item is doing away with the entry filter for syscall auditing. You
normally run across this filter when you write rules such as:

-a always,entry -S open

The reason I think we can do away with it is that its purpose has changed. Way
back in the early days (2.6.6 -> 2.6.15 kernels), there was this notion that
the audit code could be made to have little impact on the performance of the
system if we give hints about what is needed by using "possible" actions.
The problem with "possible" was that people forgot to use it and had exit
filter rules that had no data to operate on. So, we changed the kernel to
always collect the data it needed in case an exit filter would trigger an
event. This was optimized and performance was pretty good. So, that kind of
left the entry filter without a purpose.

Any entry rule can be written as an exit rule. But not every exit rule can be
written as an entry rule. So the logical choice is to consolidate on the exit
filter. The reason to do this is to improve performance. If we have an entry
rule that triggers, it marks the syscall excursion as auditable. When we get
to the exit filter, it iterates over the whole set of rules even though the
event is auditable. This is because there could be a never rule that would
suppress the output. Another problem introduced by having two filters is that
some fields are not available in the entry filter (exit, for example); it adds
complexity in the auditctl program and the in-kernel rule parser to look for
these errors.

The way that we could make the change is for the audit package to silently
convert entry rules to exit in user space. It could output a warning that
entry rules are being converted and the admin should make the necessary
adjustments. Then after some time has elapsed so that distros have all
updated, drop support in the kernel for the entry filter.

Let's discuss...

Thanks,
-Steve
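
The user-space conversion proposed in the message above, sketched as an added example (not part of the original message and not code from the audit package): it rewrites the entry list to exit in `-a`/`-A` rules and collects one warning per converted rule. The function names and the sample rules are constructed for illustration.

```python
import re

# The list/action argument that follows -a (append) or -A (prepend).
# auditctl accepts either order: "list,action" or "action,list".
RULE_ARG = re.compile(r"(?<!\S)(-[aA])(\s+)(\S+)")

def convert_line(line):
    """Return (new_line, changed); the entry list is rewritten to exit."""
    if line.lstrip().startswith("#"):
        return line, False          # comments are left alone
    changed = False

    def swap(match):
        nonlocal changed
        parts = match.group(3).split(",")
        if "entry" not in parts:
            return match.group(0)   # task, exit, user, exclude: untouched
        changed = True
        parts = ["exit" if p == "entry" else p for p in parts]
        return match.group(1) + match.group(2) + ",".join(parts)

    return RULE_ARG.sub(swap, line), changed

def convert_rules(lines):
    """Convert a rules file; return (converted_lines, warnings)."""
    out, warnings = [], []
    for number, line in enumerate(lines, 1):
        new_line, changed = convert_line(line)
        out.append(new_line)
        if changed:
            warnings.append(
                f"line {number}: entry rule converted to exit: {line.strip()}")
    return out, warnings

# Constructed sample rules, not taken from any real system.
SAMPLE = [
    "# old-style rules",
    "-a always,entry -S open",
    "-a entry,always -S chmod -F auid>=500 -k entry-perm",
    "-A never,entry -S getpid",
    "-a always,exit -S unlink -F exit=-EACCES",
    "-w /etc/passwd -p wa -k entry",
]

if __name__ == "__main__":
    converted, warns = convert_rules(SAMPLE)
    print("\n".join(converted))
    for w in warns:
        print("WARNING:", w)
```

Only the argument of `-a`/`-A` is rewritten, so keys and field values that happen to contain the word "entry" are preserved. Converted rules keep their position in the file, so their order relative to existing exit rules should be reviewed.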