From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [RFC] Do away with entry filter
Date: Tue, 28 Jul 2009 14:26:13 -0400 [thread overview]
Message-ID: <200907281426.14073.sgrubb@redhat.com> (raw)
In-Reply-To: <200902270954.12237.sgrubb@redhat.com>
Hello,
Just as a reminder to everyone, this proposal has been put in svn trunk as
commit #300. I hope to have audit 2.0 out later this week.
-Steve
On Friday 27 February 2009 09:54:11 am Steve Grubb wrote:
> I will be forking the user space audit code soon to start the next major
> series. I have a couple thoughts I'd like to share with people to see what
> they think.
>
> The first item is doing away with the entry filter for syscall auditing.
> You normally run across this filter when you write rules such as:
>
> -a always,entry -S open
>
> The reason I think we can do away with it is that its purpose has changed.
> Way back in the early days, with 2.6.6 -> 2.6.15 kernels, there was this
> notion that the audit code could be made to have little impact on the
> performance of the system if we give hints about what is needed by using
> "possible" actions.
>
> The problem with "possible" was that people forgot to use it and had exit
> filter rules that had no data to operate on. So, we changed the kernel to
> always collect the data it needed in case an exit filter would trigger an
> event. This was optimized and performance was pretty good. So, that kind of
> left the entry filter without a purpose.
>
> Any entry rule can be written as an exit rule. But not every exit rule can
> be written as an entry rule. So the logical choice is to consolidate on the
> exit filter. The reason to do this is to improve performance. If we have an
> entry rule that triggers, it marks the syscall excursion as auditable. When
> we get to the exit filter, it iterates over the whole set of rules even
> though the event is auditable. This is because there could be a never rule
> that would suppress the output. Another problem introduced by having two
> filters is that some fields are not available in the entry filter (exit for
> example); this adds complexity in the auditctl program and the in-kernel
> rule parser to look for these errors.
>
> The way that we could make the change is for the audit package to silently
> convert entry rules to exit in user space. It could output a warning that
> entry rules are being converted and the admin should make the necessary
> adjustments. Then after some time has elapsed so that distros have all
> updated, drop support in the kernel for the entry filter.
>
> Let's discuss...
>
> Thanks,
> -Steve
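The user-space conversion the quoted proposal describes (rewrite entry rules as exit rules and warn the admin) is shown below as an added example; it is not part of this message or of the audit package. The rule lines it parses are constructed here, and the warning text and function names are this example's own, not auditctl's. It accepts both `action,list` and `list,action` orderings after `-a`, `-A` and `-d`, since auditctl takes either.

```python
import re
from typing import List, Tuple

# A syscall rule starts with -a (append), -A (prepend) or -d (delete),
# followed by the list/action pair, e.g. "-a always,entry -S open".
# auditctl accepts both "always,entry" and "entry,always" orderings.
_RULE_RE = re.compile(
    r'^(?P<flag>-[aAd])\s+(?P<spec>[A-Za-z]+,[A-Za-z]+)(?P<rest>\s.*|$)'
)


def convert_rule(line: str) -> Tuple[str, bool]:
    """Rewrite one audit rule line from the entry list to the exit list.

    Returns (line, converted). Comments, blank lines, watch rules (-w) and
    rules that already use another list are returned unchanged.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return line, False
    m = _RULE_RE.match(stripped)
    if not m:
        return line, False
    parts = m.group('spec').split(',')
    if 'entry' not in parts:
        return line, False
    # Any entry rule can be expressed as an exit rule: only the list name changes,
    # the action and the -S/-F selectors carry over verbatim.
    new_parts = ['exit' if p == 'entry' else p for p in parts]
    return f"{m.group('flag')} {','.join(new_parts)}{m.group('rest')}", True


def convert_rules(text: str) -> Tuple[str, List[str]]:
    """Convert a whole rules file; return the new text plus one warning per rewrite."""
    out: List[str] = []
    warnings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        new, changed = convert_rule(line)
        if changed:
            # Constructed warning format: the admin is told what was rewritten
            # so the rules file can be updated by hand before kernel support goes away.
            warnings.append(
                f"line {lineno}: entry filter is deprecated; "
                f"treating {line.strip()!r} as {new.strip()!r}"
            )
        out.append(new)
    return '\n'.join(out) + '\n', warnings


# Constructed sample rules file covering the cases the converter must handle.
SAMPLE_RULES = """\
# audit rules (constructed sample)
-a always,entry -S open
-a entry,always -S execve -F uid=0
-a always,exit -S unlink -F exit=-EACCES
-w /etc/passwd -p wa -k passwd
"""

if __name__ == '__main__':
    converted, warns = convert_rules(SAMPLE_RULES)
    for w in warns:
        print('warning:', w)
    print(converted, end='')
```

Running the block rewrites the two entry rules, leaves the exit rule and the watch rule alone, and prints one warning per rewritten line; the `-F exit=` rule illustrates a field that only the exit filter can evaluate, which is why the reverse conversion is not possible.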
Thread overview: 9+ messages
2009-02-27 14:54 [RFC] Do away with entry filter Steve Grubb
2009-02-27 16:56 ` Linda Knippers
2009-02-27 17:40 ` Steve Grubb
2009-02-27 17:48 ` Linda Knippers
2009-02-27 18:19 ` Steve Grubb
2009-02-27 19:27 ` Linda Knippers
2009-02-27 20:14 ` Eric Paris
2009-02-27 21:18 ` Steve Grubb
2009-07-28 18:26 ` Steve Grubb [this message]