Syscall Rules vs Watch Rules

Amjad Gabbar amjadgabbar11 at gmail.com
Sun Oct 8 04:46:30 UTC 2023


Tested out all different combinations and performed performance experiments
and tests using different permutations and combinations of rules.

Can confirm the changes work as expected.

1. The old -w rule format is slower since it encompasses 'all' syscalls. A
warning is emitted on using the -w notation that 'Old style watch rules are
slower'.

2. On making use of the syscall format but without specifying the arch, a
warning is emitted - 'perm used without an arch is slower'.
The rules are similar to the old style -w watch rules encompassing 'all'
syscalls and hampering performance significantly.

3. On specifying an arch with the syscall format, the respective syscalls
are added based on the permissions field. Tested all different permissions
to ensure that the respective syscalls are added.
Works as expected and massively improves performance as well.

Thanks for working together on this. Hopefully the end users are able to
see the boost in performance post these changes.

Regards
Ali Adnan

On Fri, Sep 29, 2023 at 11:39 AM Amjad Gabbar <amjadgabbar11 at gmail.com>
wrote:

> Sounds good. I will test this out.
>
> Regards
> Ali Adnan
>
> On Thu, Sep 28, 2023 at 11:30 AM Steve Grubb <sgrubb at redhat.com> wrote:
>
>> On Thursday, September 28, 2023 11:53:26 AM EDT Steve Grubb wrote:
>> > On Thursday, September 21, 2023 4:02:49 PM EDT Amjad Gabbar wrote:
>> > > > The best solution would be a kernel modification so that there are
>> no
>> > > > mismatched lists.
>> > >
>> > > I agree as well....This would be the cleanest solution. This would
>> also
>> > > solve the userspace problem of maintaining different lists which can
>> get
>> > > out of hand fairly quickly.
>> >
>> > After looking into this, a kernel patch would also not work well. It
>> has to
>> > be arch specific
>> >
>> > > > I guess we can warn on that to rewrite in syscall notation.
>> > >
>> > > We certainly should. I think the user should know that there is a
>> > > performance cost associated with watches and we should explicitly
>> mention
>> > > how it can be optimized in the manpages also. The reason being I am
>> > > pretty sure, numerous users/repos still do make use of the -w notation
>> > > and we do want to let them know the issue here. We also need to make
>> > > quite a few changes to the manpages also regarding this. Because,
>> > > initially even I was very confused when reading the man pages and
>> seeing
>> > > the actual implementation of and results were not quite in sync.
>> >
>> > I have made the changes to the master and audit-3.1-maint branches.
>> Please
>> > everyone concerned give them tests. The short of it is that if you use
>> the
>> > '-w' notation for watches, it will remain the same and slower.
>>
>> Actually, this is the one that draws the warning to urge people to migrate.
>>
>> > If you use
>> > the syscall notation without "-F arch", you will get a warning that it
>> > cannot be optimized without adding "-Farch".
>>
>> Actually, you won't in order to preserve intentional behavior.
>>
>> > If you add "-F arch", you
>> > will possibly need one for both arches which means doubling the rules.
>> If
>> > you do not want to double the rules, you might place a syscall rule for
>> > any 32 system call (21-no32bit.rules). Or you can leave it as is and not
>> > care. The sample rules and all man pages have been updated.
>>
>> I should have provided an example of what this means. If you have this
>> kind
>> of rule:
>>
>> -w /etc/shadow -p wa -k shadow
>>
>> And when applied draws a warning:
>>
>> # auditctl -w /etc/shadow -p wa -k shadow
>> Old style watch rules are slower
>>
>> It should be rewritten as
>>
>> -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F key=shadow
>>
>> Then it looks like this when loaded:
>>
>> #auditctl -l
>> -a always,exit -F arch=b64 -S
>> open,bind,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,chmod,fchmod,chown,fchown,lchown,mknod,acct,swapon,quotactl,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,renameat,linkat,symlinkat,fchmodat,fallocate,renameat2,openat2
>> -F path=/etc/shadow -F perm=wa -F key=shadow
>>
>> And to delete the rule,
>> auditctl -d always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F
>> key=shadow
>>
>> or the long way
>>
>> auditctl -d always,exit -F arch=b64 -S
>> open,bind,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,chmod,fchmod,chown,fchown,lchown,mknod,acct,swapon,quotactl,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,renameat,linkat,symlinkat,fchmodat,fallocate,renameat2,openat2
>> -F path=/etc/shadow -F perm=wa -F key=shadow
>>
>> Hopefully this is clearer what the change is.
>>
>> -Steve
>>
>>
>>
>>
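The rewrite Steve describes (old `-w PATH -p PERMS -k KEY` watch into `-a always,exit -F arch=... -F path=... -F perm=... -F key=...`), as an added example that is not code from this thread or from audit-userspace. The `arches` parameter, the handling of a `-F key=` form and the "no `-p` means all permissions" default are assumptions of this script.

```python
"""Rewrite old-style auditctl watch rules (-w) into syscall notation.

Added example, not code from the thread or from audit-userspace. It applies
the rewrite Steve shows: "-w PATH -p PERMS -k KEY" becomes
"-a always,exit -F arch=ARCH -F path=PATH -F perm=PERMS -F key=KEY", once
per arch (b64 only by default; pass ("b64", "b32") to double the rules).
"""
import shlex

VALID_PERMS = set("rwxa")


def convert_watch_rule(line, arches=("b64",)):
    """Return the syscall-notation equivalent(s) of one audit.rules line.

    Comments, blank lines and non-watch rules come back unchanged as a
    one-element list, so a whole rules file can be mapped through this.
    """
    stripped = line.strip()
    toks = shlex.split(stripped, comments=True)
    if "-w" not in toks:
        return [stripped]

    def arg(i):  # value following the flag at toks[i], or fail loudly
        if i + 1 >= len(toks):
            raise ValueError(f"missing argument after {toks[i]!r}: {line!r}")
        return toks[i + 1]

    path = perms = key = None
    i = 0
    while i < len(toks):
        flag = toks[i]
        if flag == "-w":
            path = arg(i)
        elif flag == "-p":
            perms = arg(i)
        elif flag == "-k":
            key = arg(i)
        elif flag == "-F" and arg(i).startswith("key="):
            key = arg(i)[len("key="):]
        else:
            raise ValueError(f"unsupported token in watch rule: {flag!r}")
        i += 2
    if perms is None:  # assumption: a watch without -p means all of r,w,x,a
        perms = "rwxa"
    if not perms or not set(perms) <= VALID_PERMS:
        raise ValueError(f"bad -p value {perms!r}: use only r, w, x, a")
    return [f"-a always,exit -F arch={arch} -F path={path} -F perm={perms}"
            + (f" -F key={key}" if key else "") for arch in arches]
```

Mapping every line of a rules file through it with `arches=("b64", "b32")` gives the doubled rule set Steve mentions; the default emits only the b64 rule and leaves 32-bit syscalls to a `21-no32bit.rules` style rule.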