* What does each audit record field mean?
@ 2008-01-27 8:25 Marius.bao
2008-01-27 13:15 ` Steve Grubb
0 siblings, 1 reply; 4+ messages in thread
From: Marius.bao @ 2008-01-27 8:25 UTC (permalink / raw)
To: linux-audit
Hi,
I'm a newbie, I'm sorry for my question if anyone has already asked.
I use auditctl -a exit,always -S open -F success=0 to audit all
successful open syscalls
But in the audit.log file I found the following audit records:
type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003
syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40
items=1 ppid=9571 pid=96 95 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim"
key=(null)
The "success" fields of the record is no, what does it mean? Does
it represent the syscall is failed?
And what does "exit" field mean? Does it represent the syscall's exit code?
I'm also confused with the meaning of the fields of "a0" "a1" "a2" and "a3".
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: What does each audit record field mean?
2008-01-27 8:25 What does each audit record field mean? Marius.bao
@ 2008-01-27 13:15 ` Steve Grubb
2008-01-29 7:16 ` Marius.bao
0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2008-01-27 13:15 UTC (permalink / raw)
To: linux-audit; +Cc: Marius.bao
On Sunday 27 January 2008 03:25:47 Marius.bao wrote:
> type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003
> syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40
> items=1 ppid=9571 pid=96 95 auid=0 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim"
> key=(null)
> The "success" fields of the record is no, what does it mean? Does it
> represent the syscall is failed?
Yes
> And what does "exit" field mean? Does it represent the syscall's exit
> code?
Yes.
> I'm also confused with the meaning of the fields of "a0" "a1" "a2"
> and "a3".
Arg 0, Arg 1, Arg 2, and Arg 3. All are integers. IOW, pointers are not
dereferenced, you would just have the address.
I have something that tells you about the meaning of various fields here:
http://people.redhat.com/sgrubb/audit/audit-parse.txt
Look in the field names section.
-Steve
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: What does each audit record field mean?
2008-01-27 13:15 ` Steve Grubb
@ 2008-01-29 7:16 ` Marius.bao
2008-01-29 18:02 ` Steve Grubb
0 siblings, 1 reply; 4+ messages in thread
From: Marius.bao @ 2008-01-29 7:16 UTC (permalink / raw)
To: linux-audit
Thanks a lot :-)
I still have several questions:
1. My audit rule is auditctl -a exit,always -S open -F success=0,
why in the audit record, the success field is no. And if I use the
opposite rule auditctl -a exit,always -S open -F success!=0, the
records' "success" field is yes?
2. In some audit records, the "success" is yes, but with a non-zero
exit code. When does this situation occur(A syscall successes with a
non-zero exit code)?
3.Have anyone ever tested the system performance impact when the
kernel audit functionality is turned on?
I've tested with the following audit rules
auditctl -a exit,always -S read -F success=0
auditctl -a exit,always -S readv -F success=0
auditctl -a exit,always -S write -F success=0
auditctl -a exit,always -S writev -F success=0
auditctl -a exit,always -S fork -F success=0
auditctl -a exit,always -S clone -F success=0
auditctl -a exit,always -S truncate -F success=0
auditctl -a exit,always -S ftruncate -F success=0
auditctl -a exit,always -S link -F success=0
auditctl -a exit,always -S unlink -F success=0
auditctl -a exit,always -S symlink -F success=0
auditctl -a exit,always -S chown -F success=0
auditctl -a exit,always -S chmod -F success=0
auditctl -a exit,always -S fchown -F success=0
auditctl -a exit,always -S fchmod -F success=0
auditctl -a exit,always -S kill -F success=0
auditctl -a exit,always -S mmap -F success=0
auditctl -a exit,always -S signal -F success=0
I've tested the source code compile benchmark with the
kscope1.6.0(a source reading toll). My platform is Fedora 8, 2.6.23
kernel version, and Intel Pentium(R) processor1.7GHZ, 512M main
memory.
Without any audit, the kscope compile time is as follows
0m32s total time
0m14s user space time
0m3s sys space time
With the above audit rule set, the kscope source compile time is as follows
1m4s total time
0m14s user space time
0m15s sys space time
It turned out that with some of the audit rule set, the kscope
source compile process takes double time. I wonder why it has so heavy
impact on the system's performance.
I also read some papers(<<Automatic high-performance
reconstruction and recovery>>) on other audit systems. The system's
impact is relatively low,about 6%~8% with all syscall information
audited.
> On Sunday 27 January 2008 03:25:47 Marius.bao wrote:
> > type=SYSCALL msg=audit(1201421673.445:1508): arch=40000003
> > syscall=5 success=no exit=-2 a0=bfec1e40 a1=0 a2=b7ee6548 a3=bfec1e40
> > items=1 ppid=9571 pid=96 95 auid=0 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vim" exe="/usr/bin/vim"
> > key=(null)
> > The "success" fields of the record is no, what does it mean? Does it
> > represent the syscall is failed?
>
> Yes
>
>
> > And what does "exit" field mean? Does it represent the syscall's exit
> > code?
>
> Yes.
>
>
> > I'm also confused with the meaning of the fields of "a0" "a1" "a2"
> > and "a3".
>
> Arg 0, Arg 1, Arg 2, and Arg 3. All are integers. IOW, pointers are not
> dereferenced, you would just have the address.
>
> I have something that tells you about the meaning of various fields here:
>
> http://people.redhat.com/sgrubb/audit/audit-parse.txt
>
> Look in the field names section.
>
> -Steve
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: What does each audit record field mean?
2008-01-29 7:16 ` Marius.bao
@ 2008-01-29 18:02 ` Steve Grubb
0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2008-01-29 18:02 UTC (permalink / raw)
To: Marius.bao; +Cc: linux-audit
On Tuesday 29 January 2008 02:16:44 Marius.bao wrote:
> 1. My audit rule is auditctl -a exit,always -S open -F success=0,
> why in the audit record, the success field is no. And if I use the
> opposite rule auditctl -a exit,always -S open -F success!=0, the
> records' "success" field is yes?
in the auditctl man page is this: When writing a rule, use a 1 for true/yes
and a 0 for false/no. It looks like its working the way its documented to
work.
> 2. In some audit records, the "success" is yes, but with a non-zero
> exit code. When does this situation occur(A syscall successes with a
> non-zero exit code)?
Many times. You would have to look on a per syscall basis. Each one is
different. For example, open could return a 1 for the descriptor number or
a -1 to indicate an error. In both cases, it is non-zero. If open returned a
0, that is also success since that would be stdin. In general, if the exit
code is < 0, there is an error and >= 0 is success.
> 3.Have anyone ever tested the system performance impact when the
> kernel audit functionality is turned on?
Yes we've done much testing over the years.
> I've tested with the following audit rules
> auditctl -a exit,always -S read -F success=0
> auditctl -a exit,always -S readv -F success=0
> auditctl -a exit,always -S write -F success=0
> auditctl -a exit,always -S writev -F success=0
> auditctl -a exit,always -S fork -F success=0
> auditctl -a exit,always -S clone -F success=0
> auditctl -a exit,always -S truncate -F success=0
> auditctl -a exit,always -S ftruncate -F success=0
> auditctl -a exit,always -S link -F success=0
> auditctl -a exit,always -S unlink -F success=0
> auditctl -a exit,always -S symlink -F success=0
> auditctl -a exit,always -S chown -F success=0
> auditctl -a exit,always -S chmod -F success=0
> auditctl -a exit,always -S fchown -F success=0
> auditctl -a exit,always -S fchmod -F success=0
> auditctl -a exit,always -S kill -F success=0
> auditctl -a exit,always -S mmap -F success=0
> auditctl -a exit,always -S signal -F success=0
This is going to suck performance-wise. If you wanted to audit the above, I'd
re-write the rules as:
auditctl -a exit,always -S read -S readv -S write -S writev -S fork -S
clone -S truncate -S ftruncate -S link -S unlink -S symlink -S chown -S
chmod -S fchown -S fchmod -S kill -S mmap -S signal -F success=0
This means that the kernel will evaluate just one rule that does the same
thing. I can do it this way because all syscalls are on the same filter and
with the same action and they check the success field the same way.
When doing syscall auditing always try to combine rules where you can. Each
syscall rule gets evaluated for every syscall every program makes. It adds
up. Try to use file based auditing whenever you can since its not as big of a
performance hit.
> It turned out that with some of the audit rule set, the kscope
> source compile process takes double time. I wonder why it has so heavy
> impact on the system's performance.
See above.
> I also read some papers(<<Automatic high-performance
> reconstruction and recovery>>) on other audit systems. The system's
> impact is relatively low,about 6%~8% with all syscall information
> audited.
If you can think of a faster way to do what we are doing, please submit kernel
patches. Any performance improvements would be appreciated.
-Steve
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2008-01-29 18:02 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-01-27 8:25 What does each audit record field mean? Marius.bao
2008-01-27 13:15 ` Steve Grubb
2008-01-29 7:16 ` Marius.bao
2008-01-29 18:02 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox