From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Implementing audit rules (/etc/audit/audit.rules) effectively
Date: Wed, 05 Nov 2014 13:51:59 -0500
Message-ID: <3631170.9jbyyIp8pf@x2>
References: <1142172061.2138213.1415212751528.JavaMail.zimbra@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1142172061.2138213.1415212751528.JavaMail.zimbra@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: Jan Lieskovsky <jlieskov@redhat.com>
List-Id: linux-audit@redhat.com

On Wednesday, November 05, 2014 01:39:11 PM Jan Lieskovsky wrote:
> Hello folks,
> 
>   within the effort to provide an implementation for some task
> implying from my daily job recently I started to face the following
> question related with auditd - how to write audit rules in most
> effective way. I am mainly interested if there's some comparison / research
> wrt to if there's is some performance penalty when (syscall, but
> in general case doesn't need to be limited to syscall calls) audit
> rules are created in the way having just one syscall rule (one -S argument
> is provided per audit rule) versus the case when there are more
> (compatible) -S arguments provided simultaneously in the particular
> audit.rules row?

Yes there has. The answer is combine as many syscalls as possible into each 
rule. To see why, look at this code:

http://lxr.free-electrons.com/source/kernel/auditsc.c#L747

Basically you have a for loop over each rule and on line 765 it checks by 
"anding" the syscalls in the rule. If no match iterate again. So, by 
increasing the rules, you increase the iterating for each and every syscall 
made whether its of interest or not.


> To provide an example, let's suppose the *chown category of rules:
> * the "all-in-one" case:
> 
>   -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F
> auid>=500 -F auid!=4294967295 -k perm_mod
> 
> vs
> 
> * the "one-rule-per-one-row" case:

The first is the recommended format and that is also the way that all sample 
rules, such as the stig.rules, is written.
 
>   -a always,exit -F arch=b32 -S chown    -F auid>=500 -F auid!=4294967295 -k
> perm_mod -a always,exit -F arch=b32 -S fchown   -F auid>=500 -F
> auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S fchownat -F
> auid>=500 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S
> lchown   -F auid>=500 -F auid!=4294967295 -k perm_mod
> 
> Does the fact how the -S arguments are layered across the
> /etc/audit/audit.rules file (IOW if being provided within one row or spread
> within multiple rows) have some (negative) impact on the audit system's
> efficiency? [*] If so, is there some way how to measure the performance
> penalty in the second case?

Yes. We have done it in the past to come up with the current recommendation.

-Steve