Hi, > The perm fields select the right system calls > that should be reported on. That is accurate from a functional perspective. There is no change in the events logged. But there is a difference in performance. This is most evident for syscalls not part of the perm fields. Futex is a syscall that I see called fairly often in my system, which is not part of the perm fields. As an example, I selected the ospp rules file to measure performance via a synthetic test- https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules stress-ng —futex 1 —futex-ops 1000000 If we look at the performance numbers for the file rules as is, the auditing percentage is about 14%. Now if we were to just add the specific syscalls that the perm fields filter on in the rules file, the auditing percentage would drop to around 2%. Again this synthetic test is just for demonstration purposes but helps explain the point. Basically for syscalls not part of the perm fields we filter them at a much later stage in the AUDIT_PERM case(due to -S all) whereas if we use specific syscalls within the rule itself, we would exit the processing in audit_filter_syscall itself for uninteresting syscalls, hence improving the performance. >I see a 1 line change that I am testing. Let me know if you need any help. I did have a partial PR ready for submission but wanted to get your opinions before submitting anything. Regards Ali Adnan On Tue, Sep 19, 2023 at 6:33 PM Steve Grubb wrote: > Hello, > > On Tuesday, September 12, 2023 5:20:54 PM EDT Amjad Gabbar wrote: > > Based on this and some experiments I have been performing, I would > suggest > > changing how a lot of the FileSystem rules are written and illustrated. > > Ex - > > > https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss > > -v31.rules#L34-L35 > > > > The rule in the repository is > > -a always,exit -F path=/etc/sudoers -F perm=wa -F > > key=10.2.2-priv-config-changes > > > > My suggestion is to instead change the rule based on the permissions > > defined. The above rule would change to the following based on the kernel > > being used. > > -a always,exit -S > +open,openat> -F path=/etc/sudoers -F perm=wa -F > > key=10.2.2-priv-config-changes > > That should be exactly what the kernel does with the perm fields. The perm > fields select the right system calls that should be reported on. > > > This is higher performance because we are limiting the syscalls instead > of > > making use of -S all which has more paths of evaluation for each and > every > > syscall. > > > > Same thing for watches. Watches are inherently -S all rules which are > very > > performance intensive. > > > https://github.com/linux-audit/audit-userspace/blob/1482cec74f2d9472f81dd4f > > 0533484bd0c26decd/lib/libaudit.c#L805 > > There should be no difference in performance between watches and syscall > based file auditing. > > > Ideally we should limit the syscalls based on the permissions being used. > > > > I have implemented the same in my environment rules and have noticed a > > massive performance difference with no difference in the events being > > logged since we anyways filter eventually based on the permissions. > > > > Let me know what you all think. > > I'm looking into this more. I see a 1 line change that I am testing. > > -Steve > > > On Wed, Sep 6, 2023 at 2:58 PM Richard Guy Briggs > wrote: > > > On 2023-09-06 10:56, Amjad Gabbar wrote: > > > > Hi, > > > > > > > > I have done some analysis and digging into how both the watch rules > and > > > > syscall rules are translated. > > > > > > > > From my understanding, in terms of logging, both the below rules are > > > > similar. There is no difference in either of the rules. > > > > > > > > 1. -w /etc -p wa -k ETC_WATCH > > > > > > They are similar in this case. > > > -w behaves differently depending on the existance of the watched entity > > > and the presence of a trailing "/". This is why the form above is > > > deprecated. > > > > > > > 2. -a always,exit -F arch=b64 -S > > > attr > > > > classes> -F dir=/etc -F perm=wa -k ETC_WATCH > > > > > > > > The write and attr classes consist of syscalls in > > > > “include/asm-generic/audit_*.h“. > > > > > > > > The perm flag is needed in the second case for including open/openat > > > > > > > > syscalls which are not a part of the write and attr syscall list. > > > > > > > > I'd like to verify if what I mentioned earlier is accurate, and I > have > > > > an > > > > additional point but depends on whether this is accurate. > > > > > > > > Ali > > > > > > - RGB > > > > > > -- > > > Richard Guy Briggs > > > Sr. S/W Engineer, Kernel Security, Base Operating Systems > > > Remote, Ottawa, Red Hat Canada > > > Upstream IRC: SunRaycer > > > Voice: +1.613.860 2354 SMS: +1.613.518.6570 > > > > >