Syscall Rules vs Watch Rules

Amjad Gabbar amjadgabbar11 at gmail.com
Fri Sep 15 06:00:39 UTC 2023


Hi,

Just wanted to follow up wrt the previous findings and experiments and what
some of your thoughts are on the suggested optimizations.

Regards
Ali

On Tue, Sep 12, 2023 at 4:20 PM Amjad Gabbar <amjadgabbar11 at gmail.com>
wrote:

> So,
>
> Based on this and some experiments I have been performing, I would suggest
> changing how a lot of the FileSystem rules are written and illustrated.
> Ex -
> https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules#L34-L35
>
> The rule in the repository is
> -a always,exit -F path=/etc/sudoers -F perm=wa -F
> key=10.2.2-priv-config-changes
>
> My suggestion is to instead change the rule based on the permissions
> defined. The above rule would change to the following based on the kernel
> being used.
> -a always,exit -S <list of syscalls in audit_write.h and audit_read.h
> +open,openat> -F path=/etc/sudoers -F perm=wa -F
> key=10.2.2-priv-config-changes
>
> This is higher performance because we are limiting the syscalls instead of
> making use of -S all which has more paths of evaluation for each and every
> syscall.
>
> Same thing for watches. Watches are inherently -S all rules which are very
> performance intensive.
>
> https://github.com/linux-audit/audit-userspace/blob/1482cec74f2d9472f81dd4f0533484bd0c26decd/lib/libaudit.c#L805
>
> Ideally we should limit the syscalls based on the permissions being used.
>
> I have implemented the same in my environment rules and have noticed a
> massive performance difference with no difference in the events being
> logged since we anyways filter eventually based on the permissions.
>
> Let me know what you all think.
>
> Ali Adnan.
>
>
>
>
>
> On Wed, Sep 6, 2023 at 2:58 PM Richard Guy Briggs <rgb at redhat.com> wrote:
>
>> On 2023-09-06 10:56, Amjad Gabbar wrote:
>> > Hi,
>> >
>> > I have done some analysis and digging into how both the watch rules and
>> > syscall rules are translated.
>> >
>> > From my understanding, in terms of logging, both the below rules are
>> > similar. There is no difference in either of the rules.
>> >
>> > 1. -w /etc -p wa -k ETC_WATCH
>>
>> They are similar in this case.
>> -w behaves differently depending on the existence of the watched entity
>> and the presence of a trailing "/".  This is why the form above is
>> deprecated.
>>
>> > 2. -a always,exit -F arch=b64 -S <all syscalls part of the write and attr
>> > classes> -F dir=/etc -F perm=wa -k ETC_WATCH
>> >
>> > The write and attr classes consist of syscalls in
>> > "include/asm-generic/audit_*.h".
>> >
>> > The perm flag is needed in the second case for including open/openat
>> > syscalls which are not a part of the write and attr syscall list.
>> >
>> > I'd like to verify if what I mentioned earlier is accurate, and I have an
>> > additional point but depends on whether this is accurate.
>> >
>> > Ali
>>
>> - RGB
>>
>> --
>> Richard Guy Briggs <rgb at redhat.com>
>> Sr. S/W Engineer, Kernel Security, Base Operating Systems
>> Remote, Ottawa, Red Hat Canada
>> Upstream IRC: SunRaycer
>> Voice: +1.613.860 2354 SMS: +1.613.518.6570
>>
>>
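The -w to syscall-limited -a rewrite discussed in the thread, as an added Python example that is not code from the thread or from the audit-userspace project. It assumes the kernel's class tables (write class = audit_write.h, which includes audit_dir_write.h; attr class = audit_change_attr.h; read class = audit_read.h) and that open/openat are matched through their access mode for the r and w flags; the header excerpts embedded below are constructed and much shorter than the real files.

```python
import re

# Constructed excerpts in the layout of include/asm-generic/audit_*.h
# (the real lists are longer); audit_write.h really does include audit_dir_write.h.
AUDIT_HEADERS = {
    "audit_write.h": "#include <asm-generic/audit_dir_write.h>\n__NR_acct,\n"
                     "#ifdef __NR_truncate\n__NR_truncate,\n#endif\n__NR_ftruncate,\n",
    "audit_dir_write.h": "__NR_rename,\n__NR_mkdir,\n__NR_rmdir,\n#ifdef __NR_creat\n"
                         "__NR_creat,\n#endif\n__NR_link,\n__NR_unlink,\n__NR_symlink,\n",
    "audit_change_attr.h": "__NR_chmod,\n__NR_fchmod,\n__NR_chown,\n__NR_setxattr,\n",
    "audit_read.h": "__NR_readlink,\n__NR_getxattr,\n",
}
# Assumed mapping of -F perm flags to kernel syscall classes; r and w also
# match open/openat through the requested access mode, so those are appended.
PERM_CLASSES = {"w": ["audit_write.h"], "a": ["audit_change_attr.h"], "r": ["audit_read.h"]}
OPEN_FAMILY = ["open", "openat"]
INCLUDE_RE = re.compile(r"^#include\s+<asm-generic/(audit_\w+\.h)>")
SYSCALL_RE = re.compile(r"^__NR_(\w+),")

def parse_header(name, headers=AUDIT_HEADERS):
    """Return the syscall names listed in one header, following nested includes."""
    names = []
    for line in headers[name].splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            names.extend(parse_header(inc.group(1), headers))
            continue
        sc = SYSCALL_RE.match(line.strip())
        if sc:  # '#ifdef'/'#endif' guard lines never match and are skipped
            names.append(sc.group(1))
    return names

def syscalls_for_perm(perm, headers=AUDIT_HEADERS):
    """Syscalls that -F perm=<perm> can match, in stable order, no duplicates."""
    names = []
    for flag in perm:
        if flag not in PERM_CLASSES:
            raise ValueError(f"unsupported perm flag {flag!r}")
        for hdr in PERM_CLASSES[flag]:
            names.extend(parse_header(hdr, headers))
        if flag in "rw":
            names.extend(OPEN_FAMILY)
    return list(dict.fromkeys(names))

def watch_to_syscall_rule(path, perm, key, arch="b64", directory=False):
    """Rewrite '-w <path> -p <perm> -k <key>' as the syscall-limited -a form."""
    field = "dir" if directory else "path"
    return (f"-a always,exit -F arch={arch} -S {','.join(syscalls_for_perm(perm))} "
            f"-F {field}={path} -F perm={perm} -F key={key}")
```

Run it against the real headers from your kernel tree before loading the output with auditctl, since the class lists differ between kernel versions and architectures.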