Syscall Rules vs Watch Rules

Amjad Gabbar amjadgabbar11 at gmail.com
Tue Sep 12 21:20:54 UTC 2023


So,

Based on this and some experiments I have been performing, I would suggest
changing how a lot of the FileSystem rules are written and illustrated.
Ex -
https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules#L34-L35

The rule in the repository is
-a always,exit -F path=/etc/sudoers -F perm=wa -F
key=10.2.2-priv-config-changes

My suggestion is to instead change the rule based on the permissions
defined. The above rule would change to the following based on the kernel
being used.
-a always,exit -S <list of syscalls in audit_write.h and audit_read.h
+open,openat> -F path=/etc/sudoers -F perm=wa -F
key=10.2.2-priv-config-changes

This is higher performance because we are limiting the syscalls instead of
making use of -S all which has more paths of evaluation for each and every
syscall.

Same thing for watches. Watches are inherently -S all rules which are very
performance intensive.
https://github.com/linux-audit/audit-userspace/blob/1482cec74f2d9472f81dd4f0533484bd0c26decd/lib/libaudit.c#L805

Ideally we should limit the syscalls based on the permissions being used.

I have implemented the same in my environment rules and have noticed a
massive performance difference with no difference in the events being
logged, since we filter eventually based on the permissions anyway.

Let me know what you all think.

Ali Adnan.
On Wed, Sep 6, 2023 at 2:58 PM Richard Guy Briggs <rgb at redhat.com> wrote:

> On 2023-09-06 10:56, Amjad Gabbar wrote:
> > Hi,
> >
> > I have done some analysis and digging into how both the watch rules and
> > syscall rules are translated.
> >
> > From my understanding, in terms of logging, both the below rules are
> > similar. There is no difference in either of the rules.
> >
> > 1. -w /etc -p wa -k ETC_WATCH
>
> They are similar in this case.
> -w behaves differently depending on the existence of the watched entity
> and the presence of a trailing "/".  This is why the form above is
> deprecated.
>
> > 2. -a always,exit -F arch=b64 -S <all syscalls part of the write and attr
> > classes> -F dir=/etc  -F perm=wa -k ETC_WATCH
> >
> > The write and attr classes consist of syscalls in
> > “include/asm-generic/audit_*.h“.
> >
> >  The perm flag is needed in the second case for including open/openat
> > syscalls which are not a part of the write and attr syscall list.
> >
> > I'd like to verify if what I mentioned earlier is accurate, and I have an
> > additional point but depends on whether this is accurate.
> >
> > Ali
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> Upstream IRC: SunRaycer
> Voice: +1.613.860 2354 SMS: +1.613.518.6570
>
>
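Worked example, added here and not part of the thread or of audit-userspace: a shell script that produces the explicit -S list the proposal above calls for. It reads the kernel's generic audit class headers (the "write" and "attr" classes for perm=wa) and appends open and openat, then emits the rewritten rule. It assumes KHDR names a directory holding audit_write.h (which includes audit_dir_write.h), audit_change_attr.h and audit_read.h, as in a kernel tree's include/asm-generic, and that those headers list entries as "__NR_name," lines. KHDR and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from audit-userspace.
# Replaces an implicit -S all (a watch, or -a with no -S) with an explicit
# -S list read from the kernel's audit class headers for the perm= letters.
#
# Assumption (mine): KHDR is a directory such as <kernel-src>/include/asm-generic
# containing audit_write.h, audit_dir_write.h, audit_change_attr.h, audit_read.h.
# #ifdef guards in the headers are ignored, so names the target arch lacks
# must be dropped before loading (auditctl rejects unknown syscall names).

# Print the syscall names listed in one class header, following nested
# "#include <asm-generic/...>" lines (audit_write.h pulls in audit_dir_write.h).
audit_class_syscalls() {
    hdr="$1"
    [ -r "$hdr" ] || { echo "audit_class_syscalls: cannot read $hdr" >&2; return 1; }
    dir=$(dirname "$hdr")
    while IFS= read -r line; do
        case "$line" in
            '#include'*)
                # "#include <asm-generic/audit_dir_write.h>" -> audit_dir_write.h
                nested=$(printf '%s\n' "${line##*/}" | tr -d '<>')
                # subshell keeps hdr/dir intact across the recursive call
                ( audit_class_syscalls "$dir/$nested" ) || return 1
                ;;
            __NR_*,*)
                # "__NR_rename," -> rename
                name=${line#__NR_}
                printf '%s\n' "${name%%,*}"
                ;;
        esac
    done < "$hdr"
}

# Map perm= letters to the class headers the kernel consults for perm
# filtering: w -> audit_write.h, a -> audit_change_attr.h, r -> audit_read.h.
# open/openat are in no class list; the kernel decides them from their flags,
# so they are always added (the "+open,openat" of the proposal). perm=x is
# decided on execve and is not generated here.
perm_syscalls() {
    perms="$1" khdr="$2" hdrs=""
    case "$perms" in
        '' | *[!rwa]*) echo "perm_syscalls: perms must use only r, w, a: '$perms'" >&2; return 1 ;;
    esac
    case "$perms" in *w*) hdrs="$hdrs $khdr/audit_write.h" ;; esac
    case "$perms" in *a*) hdrs="$hdrs $khdr/audit_change_attr.h" ;; esac
    case "$perms" in *r*) hdrs="$hdrs $khdr/audit_read.h" ;; esac
    for h in $hdrs; do
        [ -r "$h" ] || { echo "perm_syscalls: missing header $h" >&2; return 1; }
    done
    {
        for h in $hdrs; do audit_class_syscalls "$h"; done
        printf 'open\nopenat\n'
    } | LC_ALL=C sort -u | paste -s -d , -
}

# Emit the full syscall rule that replaces a "-F path=... -F perm=..." rule
# relying on -S all. perm= stays in the rule: it is what still restricts
# open/openat to the requested access mode.
build_rule() {
    arch="$1" path="$2" perms="$3" key="$4" khdr="$5"
    syscalls=$(perm_syscalls "$perms" "$khdr") || return 1
    printf '%s always,exit -F arch=%s -S %s -F path=%s -F perm=%s -F key=%s\n' \
        -a "$arch" "$syscalls" "$path" "$perms" "$key"
}

# Regenerate the /etc/sudoers rule quoted above against $KHDR
# (prints nothing when KHDR is unset).
if [ -n "${KHDR:-}" ]; then
    build_rule b64 /etc/sudoers wa 10.2.2-priv-config-changes "$KHDR"
fi
```

Because the #ifdef guards are skipped, the list can include names the arch does not provide (truncate64 on x86_64, for instance); compare it against `ausyscall <arch> --dump` and drop those before loading, or auditctl will refuse the rule. The rule deliberately keeps -F perm=wa alongside the -S list: without it open and openat would match on every access mode, not only writes.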