Implementing audit rules (/etc/audit/audit.rules) effectively
Steve Grubb
sgrubb at redhat.com
Wed Nov 5 18:51:59 UTC 2014
On Wednesday, November 05, 2014 01:39:11 PM Jan Lieskovsky wrote:
> Hello folks,
>
> within the effort to provide an implementation for some task
> implying from my daily job recently I started to face the following
> question related with auditd - how to write audit rules in most
> effective way. I am mainly interested if there's some comparison / research
> wrt to if there's is some performance penalty when (syscall, but
> in general case doesn't need to be limited to syscall calls) audit
> rules are created in the way having just one syscall rule (one -S argument
> is provided per audit rule) versus the case when there are more
> (compatible) -S arguments provided simultaneously in the particular
> audit.rules row?
Yes there has. The answer is combine as many syscalls as possible into each
rule. To see why, look at this code:
http://lxr.free-electrons.com/source/kernel/auditsc.c#L747
Basically you have a for loop over each rule and on line 765 it checks by
"anding" the syscalls in the rule. If no match iterate again. So, by
increasing the rules, you increase the iterating for each and every syscall
made whether its of interest or not.
> To provide an example, let's suppose the *chown category of rules:
> * the "all-in-one" case:
>
> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F
> auid>=500 -F auid!=4294967295 -k perm_mod
>
> vs
>
> * the "one-rule-per-one-row" case:
The first is the recommended format and that is also the way that all sample
rules, such as the stig.rules, is written.
> -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k
> perm_mod -a always,exit -F arch=b32 -S fchown -F auid>=500 -F
> auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchownat -F
> auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S
> lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
>
> Does the fact how the -S arguments are layered across the
> /etc/audit/audit.rules file (IOW if being provided within one row or spread
> within multiple rows) have some (negative) impact on the audit system's
> efficiency? [*] If so, is there some way how to measure the performance
> penalty in the second case?
Yes. We have done it in the past to come up with the current recommendation.
-Steve
More information about the Linux-audit
mailing list