Hi, Just wanted to follow up wrt the previous findings and experiments and what some of your thoughts are on the suggested optimizations.
Regards Ali On Tue, Sep 12, 2023 at 4:20 PM Amjad Gabbar <amjadgabba...@gmail.com> wrote: > So, > > Based on this and some experiments I have been performing, I would suggest > changing how a lot of the FileSystem rules are written and illustrated. > Ex - > https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules#L34-L35 > > The rule in the repository is > -a always,exit -F path=/etc/sudoers -F perm=wa -F > key=10.2.2-priv-config-changes > > My suggestion is to instead change the rule based on the permissions > defined. The above rule would change to the following based on the kernel > being used. > -a always,exit -S <list of syscalls in audit_write.h and audit_read.h > +open,openat> -F path=/etc/sudoers -F perm=wa -F > key=10.2.2-priv-config-changes > > This is higher performance because we are limiting the syscalls instead of > making use of -S all which has more paths of evaluation for each and every > syscall. > > Same thing for watches. Watches are inherently -S all rules which are very > performance intensive. > > https://github.com/linux-audit/audit-userspace/blob/1482cec74f2d9472f81dd4f0533484bd0c26decd/lib/libaudit.c#L805 > > Ideally we should limit the syscalls based on the permissions being used. > > I have implemented the same in my environment rules and have noticed a > massive performance difference with no difference in the events being > logged since we anyways filter eventually based on the permissions. > > Let me know what you all think. > > Ali Adnan. > > > > > > On Wed, Sep 6, 2023 at 2:58 PM Richard Guy Briggs <r...@redhat.com> wrote: > >> On 2023-09-06 10:56, Amjad Gabbar wrote: >> > Hi, >> > >> > I have done some analysis and digging into how both the watch rules and >> > syscall rules are translated. >> > >> > From my understanding, in terms of logging, both the below rules are >> > similar. There is no difference in either of the rules. >> > >> > 1. -w /etc -p wa -k ETC_WATCH >> >> They are similar in this case. >> -w behaves differently depending on the existance of the watched entity >> and the presence of a trailing "/". This is why the form above is >> deprecated. >> >> > 2. -a always,exit -F arch=b64 -S <all syscalls part of the write and >> attr >> > classes> -F dir=/etc -F perm=wa -k ETC_WATCH >> > >> > The write and attr classes consist of syscalls in >> > “include/asm-generic/audit_*.h“. >> > >> > The perm flag is needed in the second case for including open/openat >> > syscalls which are not a part of the write and attr syscall list. >> > >> > I'd like to verify if what I mentioned earlier is accurate, and I have >> an >> > additional point but depends on whether this is accurate. >> > >> > Ali >> >> - RGB >> >> -- >> Richard Guy Briggs <r...@redhat.com> >> Sr. S/W Engineer, Kernel Security, Base Operating Systems >> Remote, Ottawa, Red Hat Canada >> Upstream IRC: SunRaycer >> Voice: +1.613.860 2354 SMS: +1.613.518.6570 >> >>
-- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit