Re: Sycall Rules vs Watch Rules

From: Steve Grubb <sgrubb@redhat.com>
To: Amjad Gabbar <amjadgabbar11@gmail.com>, linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>, linux-audit@redhat.com
Subject: Re: Sycall Rules vs Watch Rules
Date: Thu, 28 Sep 2023 12:30:52 -0400	[thread overview]
Message-ID: <3262512.44csPzL39Z@x2> (raw)
In-Reply-To: <4866749.31r3eYUQgx@x2>

On Thursday, September 28, 2023 11:53:26 AM EDT Steve Grubb wrote:
> On Thursday, September 21, 2023 4:02:49 PM EDT Amjad Gabbar wrote:
> > > The best solution would be a kernel modification so that there are no
> > > mismatched lists.
> > 
> > I agree as well....This would be the cleanest solution. This would also
> > solve the userspace problem of maintaining different lists which can get
> > out of hand fairly quickly.
> 
> After looking into this, a kernel patch would also not work well. It has to
> be arch specific
> 
> > > I guess we can warn on that to rewrite in syscall notation.
> > 
> > We certainly should. I think the user should know that there is a
> > performance cost associated with watches and we should explicitly mention
> > how it can be optimized in the manpages also. The reason being I am
> > pretty sure, numerous users/repos still do make use of the -w notation
> > and we do want to let them know the issue here. We also need to make
> > quite a few changes to the manpages also regarding this. Because,
> > initially even I was  very confused when reading the man pages and seeing
> > the actual implementation of and results were not quite in sync.
> 
> I have made the changes to the master and audit-3.1-maint branches. Please
> everyone concerned give them tests. The short of it is that if you use the
> '- w' notation for watches, it will remain the same and slower.

Actually, ths is the one that draws the warning to urge people to migrate.

> If you use
> the syscall notation without "-F arch", you will get a warning that it
> cannot be optimized without adding "-Farch".

Actually, you won't in order to preserve intentional behavior.

> If you add "-F arch", you
> will possibly need one for both arches which means doubling the rules. If
> you do not want to double the rules, you might place a syscall rule for
> any 32 system call (21-no32bit.rules). Or you can leave it as is and not
> care. The sample rules and all man pages have been updated.

I should have provided an example of what this means. If you have this kind
of rule:

-w /etc/shadow -p wa -k shadow

And when applied draws a warning:

# auditctl -w /etc/shadow -p wa -k shadow
Old style watch rules are slower

It should be rewritten as

-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F key=shadow

Then it looks like this when loaded:

#auditctl -l
-a always,exit -F arch=b64 -S open,bind,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,chmod,fchmod,chown,fchown,lchown,mknod,acct,swapon,quotactl,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,renameat,linkat,symlinkat,fchmodat,fallocate,renameat2,openat2 -F path=/etc/shadow -F perm=wa -F key=shadow

And to delete  the rule, 
auditctl -d always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F key=shadow

or the long way

auditctl -d always,exit -F arch=b64 -S open,bind,truncate,ftruncate,rename,mkdir,rmdir,creat,link,unlink,symlink,chmod,fchmod,chown,fchown,lchown,mknod,acct,swapon,quotactl,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,openat,mkdirat,mknodat,fchownat,unlinkat,renameat,linkat,symlinkat,fchmodat,fallocate,renameat2,openat2 -F path=/etc/shadow -F perm=wa -F key=shadow

Hopefully this is clearer what the change is.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit