Hello,

On Thursday, July 25, 2024 11:26:50 AM EDT brian.hendri...@lmco.com wrote:
> You can use the -c option to continue loading rules in spite of an error.
> That’s helped us maintain generic rules files that we push out to hundreds
> of Linux systems where there are a few cases when some of those systems
> did not have some files that were generated on a baseline system using the
> sample 31-privileged.rules find/filecap commands.
Sure, that might help.

> Steve, I was curious about your statement that the documentation was
> updated to reflect deprecation of the -w file watch option, and indeed the
> man page examples have been updated but the sample rules files that come
> with RHEL 8 and 9 still have -w watch syntax. For instance,
> 30-nispom.rules and 30-stig.rules have several -w file watch rules.

I think it's just a matter of getting an updated package. Meaning, it may not
have been pushed through the system and out to everyone.

I had been ambivalent about whether to use '-w' or '-F path' notation. I have
always told people the latter was the way forward because you can do fancier
matching. Then about a year ago [1], someone showed up with a performance
problem. After understanding the nature of the problem it became very clear
that the audit rules were impacting system performance more than intended.
The fix was to have per-permission syscall lookup tables [2] so that we
target exactly the syscalls that might do an execute or modify file
attributes. I left '-w' as is since it was legacy. I then updated the rules
to change over to '-F path' to ensure all rules were performant [3]. The
nispom rules are deprecated as of the 4.0 release. This performance
improvement is in the 3.1.3 release.

The correct syntax that matches the '-w' notation is:

-a always,exit -F arch=b64 -F perm=w -F path=/etc/shadow -F key=write

> We follow DoD guidance for STIG hardening and usually start with the RHEL
> sample rules and build on top of them. Now that I know the -w syntax is
> deprecated I will convert the ones imported from the sample rules into -F
> style syntax.

One day when 3.1.3 or later is available, your systems should run faster.
-Steve

1 - https://lore.kernel.org/linux-audit/CAJcJf=qjygrr_+pjekytcuj+kk2wpcuh-lkfdtq_0jj1k-e...@mail.gmail.com/T/#m1270481de67838a30bae509c778a3dc4da5338f8
2 - commit 74274c9acb9a786d4430e5440c7e74058975fa2f
3 - commit 614f7d1f4755ec24927b2613c0919110fb7acc37

> From: Michael McKinley via Linux-audit
> <linux-audit@lists.linux-audit.osci.io>
> Sent: Tuesday, July 23, 2024 5:25 PM
> To: Steve Grubb <sgr...@redhat.com>
> Cc: Linux-audit <linux-audit@lists.linux-audit.osci.io>
> Subject: EXTERNAL: Re: Linux Audit Syscall Monitoring Error
>
> Based on the performance enhancements it would be preferable to use syscall
> monitors to monitor the directory.
> But the limitation of having the rule not load, as well as any following
> rules not load when the directory is not present, is effectively a
> non-start.
> The downside is -w style rules are deprecated and while they appear to
> support -F style options they aren’t explicitly supported.
> So we are left with a situation where we either try and pursue -s style,
> which can lead to rules breaking, or -w style, which is legacy, and we are
> using -w style in a way that it was not intended to be used, per the docs.
> I haven’t had time to read the code on this specific implementation.
> Ideally, -s style does a dir check instead of failing to load the rule +
> rules following.
>
> - Michael
>
> On Tue, July 23 2024 at 4:15 PM Steve Grubb <sgr...@redhat.com> wrote:
>
> Hello,
>
> On Tuesday, July 23, 2024 9:57:39 AM EDT Michael McKinley wrote:
> > Auditctl version 3.0.7
> > Kernel 6.5.0-44-generic.
>
> ok
>
> > That extra check on if the directory exists may be the core difference.
> > What is interesting is the -w version seems to honor the rule filter
> > given (-F exe!=/usr/bin/example).
>
> I looked at the watch code. It appears to go back to at least 2008. You
> can use whichever notation works for your problem. But the -w rule syntax
> is deprecated.
> All watches in the sample rules have been switched over quite some time
> ago.
>
> That said, a watch is set for all syscalls. Starting in 3.1.3, the -F
> style rules target specific syscalls based on the perm option. The impact
> of an 'all' rule is small but measurable across the whole system and this
> is why perms are now used to select the syscalls. It makes the whole
> system run faster.
>
> For example, with a -w rule, if any program makes a call to read, the
> kernel rule matching engine will have to check this rule to see if it
> matches. Whereas with the -F style of rule, read is not chosen so this
> rule is skipped.
>
> -Steve
>
> > On Mon, July 22 2024 at 6:06 PM Steve Grubb <sgr...@redhat.com> wrote:
> >
> > > Hello,
> > >
> > > On Monday, July 22, 2024 4:00:37 PM EDT Michael McKinley via Linux-audit
> > > wrote:
> > > > I believe I’ve come across a bug in Linux audit when writing syscall
> > > > monitors for a directory.
> > > >
> > > > File watchers are suggested to be syscall rules under the hood. I
> > > > don’t believe this is true, based on the different behavior of
> > > > syscall rules and file watcher rules when monitoring directories that
> > > > don’t exist. Suggested to be equivalent per auditctl(8):
> > > >
> > > > -w /tmp/fakedir -p warx -k test1
> > > > -s always, exit -F dir=/tmp/fakedir -F perm=warx -k test2
> > >
> > > It might be good to know what version of the audit package (auditctl -v)
> > > you are using and the version of the kernel (uname -r). They were
> > > different once upon a time.
> > >
> > > > What will happen if the dir doesn’t exist in case 1 is the rule loads
> > > > and continues. In case 2, the rule will fail to load, thus failing to
> > > > load all rules below it.
> > >
> > > In the current code, when it finds a 'w' option, it calls stat on the
> > > directory to ensure it is there.
> > > If it is, it converts the call to syscall auditing on all syscalls.
> > > This gets refined when it finds the -perm field.
> > >
> > > When it finds a 'S', it adds the syscall without any checks. When it
> > > finds '-F dir=' it verifies the filter that it's being placed on but no
> > > other path checks are done.
> > >
> > > That means the -w version is more strict and needs a directory to exist
> > > when the rule loads. The code in this area is probably at least 15 years
> > > old without much reworking.
> > >
> > > > The auditctl(8)
> > > > Per the auditctl(8) man page -F (rule fields) are not supported by
> > > > watchers. This doesn’t appear to be true any longer, as watchers do
> > > > seem to honor -F (extensive testing not performed).
> > >
> > > My man page differs. It says:
> > >
> > >     The -w form of writing watches is for backwards compatibility and is
> > >     deprecated due to poor system performance. Convert watches of this
> > >     form to the syscall based form.
> > >
> > > > Any insight or suggestions? I am considering using a watcher with rule
> > > > fields despite it not being officially supported due to the loading
> > > > error with syscalls.
> > >
> > > I'd be curious what versions you are using.
> > >
> > > -Steve

_______________________________________________
Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io
To unsubscribe send an email to linux-audit-le...@lists.linux-audit.osci.io
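The conversion Brian says he will do by hand (legacy `-w path -p perms -k key` watches into the `-a always,exit -F arch=... -F perm=... -F path=... -F key=...` form Steve gives as the matching syntax) is mechanical enough to script. The following is an added example written for this thread, not code from the audit project or from any participant. It assumes, as a labelled assumption, that a `-w` rule with no `-p` watches all four access types (`rwxa`); it writes `-F dir=` for paths the caller lists as directories (the thread's own `-w /tmp/fakedir` / `-F dir=/tmp/fakedir` pairing) and `-F path=` otherwise; any `-F` field already on the watch line, such as the `exe!=` filter Michael mentions, is carried over unchanged. The function and parameter names are the example's own.

```python
"""
Convert legacy auditctl '-w' watch rules into the '-a always,exit -F ...'
syscall form. Added example for this thread; not code from the audit project.
"""
import os
import shlex

# Assumption: a '-w' rule with no '-p' watches all four access types.
ALL_PERMS = "rwxa"


def convert_watch(line, dirs=None, arches=("b64",)):
    """Translate one rules-file line; returns a list of output lines.

    line   : e.g. "-w /etc/shadow -p wa -k shadow"
    dirs   : collection of paths to be written as '-F dir='; None means stat
             the path on this host, which is only meaningful on the baseline
             system that still has every watched object. Other paths become
             '-F path='.
    arches : one '-a' line is emitted per architecture, in this order.

    Non-watch lines (blank, comments, -a/-b/-D/...) come back unchanged so a
    whole rules file can be streamed through this function.
    """
    stripped = line.strip()
    argv = [] if not stripped or stripped.startswith("#") else shlex.split(stripped)
    if "-w" not in argv:
        return [stripped]

    path = perms = key = None
    extra = []  # '-F' fields already on the watch line, e.g. exe!=/usr/bin/x
    i = 0
    while i < len(argv):
        opt = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if val is None:
            raise ValueError("option %s has no value: %s" % (opt, stripped))
        if opt == "-w":
            path = val
        elif opt == "-p":
            perms = val
        elif opt == "-k":
            key = val
        elif opt == "-F":
            if val.startswith("key="):
                key = val[len("key="):]
            else:
                extra.append(val)
        else:
            raise ValueError("unexpected %s in watch rule: %s" % (opt, stripped))
        i += 2

    perms = perms or ALL_PERMS
    if set(perms) - set(ALL_PERMS):
        raise ValueError("bad -p value %r in: %s" % (perms, stripped))
    perms = "".join(c for c in ALL_PERMS if c in perms)  # canonical order

    is_dir = os.path.isdir(path) if dirs is None else path in dirs
    target = ("dir=" if is_dir else "path=") + path

    rules = []
    for arch in arches:
        fields = ["arch=" + arch, "perm=" + perms, target] + extra
        if key is not None:
            fields.append("key=" + key)
        rules.append("-a always,exit " + " ".join("-F " + f for f in fields))
    return rules


def convert_rules(text, dirs=None, arches=("b64",)):
    """Convert every line of a rules file; returns the new file as text."""
    out = []
    for line in text.splitlines():
        out.extend(convert_watch(line, dirs, arches))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample in the style of the rules quoted in the thread.
    sample = (
        "## constructed sample, not a shipped rules file\n"
        "-w /etc/shadow -p wa -k shadow\n"
        "-w /tmp/fakedir -p warx -k test1\n"
        "-w /usr/bin/example -p x -F exe!=/usr/bin/example -k example\n"
        "-a always,exit -F arch=b64 -S execve -F key=exec\n"
    )
    print(convert_rules(sample, dirs={"/tmp/fakedir"}, arches=("b64", "b32")), end="")
```

Run it on the baseline host, or pass `dirs` explicitly when the rules are destined for hosts where a watched path may be absent: the `-F path=`/`-F dir=` form does not stat the object at load time, which is the behaviour difference Steve describes, so the converted file loads the same way everywhere, and `auditctl -c` as Brian suggests still covers any remaining load failures. Add `"b32"` to `arches` if the target systems need 32-bit coverage; the default matches the single `arch=b64` line in Steve's example.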