From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
"linux-audit@redhat.com" <linux-audit@redhat.com>,
"Sverdlin,
Alexander (Nokia - DE/Ulm)" <alexander.sverdlin@nokia.com>,
Richard Guy Briggs <rbriggs@redhat.com>
Subject: Re: [PATCH] audit: always enable syscall auditing when supported and audit is enabled
Date: Mon, 28 Jan 2019 21:03:28 +0100 [thread overview]
Message-ID: <20190128210328.64b7719c@ivy-bridge> (raw)
In-Reply-To: <CAHC9VhR25UdWPSRurefEX3YjM80DEh5BXETvK4na3Ym+k2=9xQ@mail.gmail.com>
On Mon, 28 Jan 2019 11:26:51 -0500
Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Jan 28, 2019 at 10:38 AM Sverdlin, Alexander (Nokia - DE/Ulm)
> <alexander.sverdlin@nokia.com> wrote:
> > Hello Paul,
> >
> > On 28/01/2019 15:52, Paul Moore wrote:
> > >>>>> time also enables syscall auditing; this patch simplifies the
> > >>>>> Kconfig menus by removing the option to disable syscall
> > >>>>> auditing when audit is selected and the target arch supports
> > >>>>> it.
> > >>>>>
> > >>>>> Signed-off-by: Paul Moore <pmoore@redhat.com>
> > >>>> this patch is responsible for massive performance degradation
> > >>>> for those who used only CONFIG_SECURITY_APPARMOR.
> > >>>>
> > >>>> And the numbers are, take the following test for instance:
> > >>>>
> > >>>> dd if=/dev/zero of=/dev/null count=2M
> > >>>>
> > >>>> ARM64: 500MB/s -> 350MB/s
> > >>>> ARM: 400MB/s -> 300MB/s
> > >>> Hi there.
> > >>>
> > >>> Out of curiosity, what kernel/distribution are you running, or
> > >>> is this a custom kernel compile? Can you also share the output
> > >>> of 'auditctl
> > >> This test was carried out with Linux 4.9. Custom built.
> > > I suspected that was the case, thanks.
> > >
> > >>> -l' from your system? The general approach taken by everyone to
> > >>> turn-off the per-syscall audit overhead is to add the "-a
> > >>> never,task" rule to their audit configuration:
> > >>>
> > >>> # auditctl -a never,task
> > >>>
> > >>> If you are using Fedora/CentOS/RHEL, or a similarly configured
> > >>> system,
> > >> This is an embedded distribution. We are not using auditctl or
> > >> any other audit-related user-space packages.
> > >>
> > >>> you can find this configuration in the /etc/audit/audit.rules
> > >>> file (be warned, that file is automatically generated based on
> > >>> /etc/audit/rules.d).
> > >> I suppose in this case rule list must be empty. Is there a way
> > >> to check this without extra user-space packages?
> > > Yes, unless you are loading rules through some other method I
> > > would expect that your audit rule list is empty.
> > >
> > > I'm not aware of any other tools besides auditctl to load audit
> > > rules into the kernel, although I haven't ever had a need for
> > > another tool so I haven't looked very hard. If you didn't want
> > > to bring auditctl into your distribution, I expect it would be a
> > > rather trivial task to create a small tool to load a single "-a
> > > never,task" into the kernel.
> >
> > I've done a quick test on my x86_64 PC and got the following
> > results:
>
> ...
>
> > Which brings me to an idea, that the subject patch should have been
> > accompanied by a default "never,task" rule inside the kernel,
> > otherwise you require an extra user-space package (audit) just to
> > bring Linux 4.5+ to 4.4 performance levels.
>
> [NOTE: I dropped pmoore@redhat.com from the To/CC line, I left Red Hat
> for greener pastures several months ago.]
>
> Well, it generally hasn't been an issue as 1) most people that enable
> audit also enable syscall auditing and 2) most people that enable
> audit have some sort of audit userspace tools to work with the audit
> logs (and configure audit if necessary). I don't want to diminish
> your report, but this change was made several years ago and we really
> haven't heard of many issues surrounding the change. If we can ever
> get all of the different arches to support syscall auditing, I'd love
> to get rid of the syscall auditing Kconfig knob entirely.
>
> If you wanted to put together a patch that added a single "-a
> never,task" rule on boot I could get behind that, just make it default
> to off.
That will make processes unauditable for everyone. That's how it gets a
speedup is not entering into the audit machinery. I suppose its
possible that people may want MAC hardwired events but no syscall
events. I don't know if there are other kconfig audit options. but
maybe getting it down to audit enabled and syscall auditing as the only
choices is probably the most performant.
-Steve
WARNING: multiple messages have this Message-ID (diff)
From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: "Sverdlin,
Alexander (Nokia - DE/Ulm)" <alexander.sverdlin@nokia.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
"linux-audit@redhat.com" <linux-audit@redhat.com>,
Richard Guy Briggs <rbriggs@redhat.com>
Subject: Re: [PATCH] audit: always enable syscall auditing when supported and audit is enabled
Date: Mon, 28 Jan 2019 21:03:28 +0100 [thread overview]
Message-ID: <20190128210328.64b7719c@ivy-bridge> (raw)
In-Reply-To: <CAHC9VhR25UdWPSRurefEX3YjM80DEh5BXETvK4na3Ym+k2=9xQ@mail.gmail.com>
On Mon, 28 Jan 2019 11:26:51 -0500
Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Jan 28, 2019 at 10:38 AM Sverdlin, Alexander (Nokia - DE/Ulm)
> <alexander.sverdlin@nokia.com> wrote:
> > Hello Paul,
> >
> > On 28/01/2019 15:52, Paul Moore wrote:
> > >>>>> time also enables syscall auditing; this patch simplifies the
> > >>>>> Kconfig menus by removing the option to disable syscall
> > >>>>> auditing when audit is selected and the target arch supports
> > >>>>> it.
> > >>>>>
> > >>>>> Signed-off-by: Paul Moore <pmoore@redhat.com>
> > >>>> this patch is responsible for massive performance degradation
> > >>>> for those who used only CONFIG_SECURITY_APPARMOR.
> > >>>>
> > >>>> And the numbers are, take the following test for instance:
> > >>>>
> > >>>> dd if=/dev/zero of=/dev/null count=2M
> > >>>>
> > >>>> ARM64: 500MB/s -> 350MB/s
> > >>>> ARM: 400MB/s -> 300MB/s
> > >>> Hi there.
> > >>>
> > >>> Out of curiosity, what kernel/distribution are you running, or
> > >>> is this a custom kernel compile? Can you also share the output
> > >>> of 'auditctl
> > >> This test was carried out with Linux 4.9. Custom built.
> > > I suspected that was the case, thanks.
> > >
> > >>> -l' from your system? The general approach taken by everyone to
> > >>> turn-off the per-syscall audit overhead is to add the "-a
> > >>> never,task" rule to their audit configuration:
> > >>>
> > >>> # auditctl -a never,task
> > >>>
> > >>> If you are using Fedora/CentOS/RHEL, or a similarly configured
> > >>> system,
> > >> This is an embedded distribution. We are not using auditctl or
> > >> any other audit-related user-space packages.
> > >>
> > >>> you can find this configuration in the /etc/audit/audit.rules
> > >>> file (be warned, that file is automatically generated based on
> > >>> /etc/audit/rules.d).
> > >> I suppose in this case rule list must be empty. Is there a way
> > >> to check this without extra user-space packages?
> > > Yes, unless you are loading rules through some other method I
> > > would expect that your audit rule list is empty.
> > >
> > > I'm not aware of any other tools besides auditctl to load audit
> > > rules into the kernel, although I haven't ever had a need for
> > > another tool so I haven't looked very hard. If you didn't want
> > > to bring auditctl into your distribution, I expect it would be a
> > > rather trivial task to create a small tool to load a single "-a
> > > never,task" into the kernel.
> >
> > I've done a quick test on my x86_64 PC and got the following
> > results:
>
> ...
>
> > Which brings me to an idea, that the subject patch should have been
> > accompanied by a default "never,task" rule inside the kernel,
> > otherwise you require an extra user-space package (audit) just to
> > bring Linux 4.5+ to 4.4 performance levels.
>
> [NOTE: I dropped pmoore@redhat.com from the To/CC line, I left Red Hat
> for greener pastures several months ago.]
>
> Well, it generally hasn't been an issue as 1) most people that enable
> audit also enable syscall auditing and 2) most people that enable
> audit have some sort of audit userspace tools to work with the audit
> logs (and configure audit if necessary). I don't want to diminish
> your report, but this change was made several years ago and we really
> haven't heard of many issues surrounding the change. If we can ever
> get all of the different arches to support syscall auditing, I'd love
> to get rid of the syscall auditing Kconfig knob entirely.
>
> If you wanted to put together a patch that added a single "-a
> never,task" rule on boot I could get behind that, just make it default
> to off.
That will make processes unauditable for everyone. That's how it gets a
speedup is not entering into the audit machinery. I suppose its
possible that people may want MAC hardwired events but no syscall
events. I don't know if there are other kconfig audit options. but
maybe getting it down to audit enabled and syscall auditing as the only
choices is probably the most performant.
-Steve
next prev parent reply other threads:[~2019-01-28 20:03 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-08 16:42 [PATCH] audit: always enable syscall auditing when supported and audit is enabled Paul Moore
2015-12-08 20:50 ` Richard Guy Briggs
2019-01-28 8:34 ` Sverdlin, Alexander (Nokia - DE/Ulm)
2019-01-28 14:19 ` Paul Moore
2019-01-28 14:36 ` Sverdlin, Alexander (Nokia - DE/Ulm)
2019-01-28 14:52 ` Paul Moore
2019-01-28 15:38 ` Sverdlin, Alexander (Nokia - DE/Ulm)
2019-01-28 16:26 ` Paul Moore
2019-01-28 20:03 ` Steve Grubb [this message]
2019-01-28 20:03 ` Steve Grubb
2019-01-28 20:08 ` Paul Moore
2019-01-28 21:19 ` Steve Grubb
2019-01-28 21:49 ` Richard Guy Briggs
2019-01-28 22:01 ` Paul Moore
2019-01-28 14:45 ` Sverdlin, Alexander (Nokia - DE/Ulm)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190128210328.64b7719c@ivy-bridge \
--to=sgrubb@redhat.com \
--cc=alexander.sverdlin@nokia.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rbriggs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.