Re: Clarification Around File System Auditing

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Amjad Gabbar <amjadgabbar11@gmail.com>
Subject: Re: Clarification Around File System Auditing
Date: Tue, 14 Feb 2023 09:29:03 -0500	[thread overview]
Message-ID: <4814542.31r3eYUQgx@x2> (raw)
In-Reply-To: <CAJcJf=TSvQxtFxNTkizfk_B1Y2WxE60Ct8HzHkt8RWhKMLnpUQ@mail.gmail.com>

Hello,

On Monday, February 13, 2023 4:24:02 PM EST Amjad Gabbar wrote:
> I wanted some help in better understanding the workflow of file system
> auditing(watch rules) vs Syscall Auditing(syscall rules). I know in general
> file system auditing does not have the same performance impact as syscall
> auditing, even though both make use of syscall exits for their evaluation.
> 
> 
> From the manpage - "Unlike most syscall auditing rules, watches do not
> impact performance based on the number of rules sent to the kernel."
> 
> From a previous thread, I found this excerpt regarding file watch rules vs
> sycall rules -
>
> "The reason it doesn't have performance impact like normal syscall rules is
> because it gets moved to a list that is not evaluated every syscall. A
> normal syscall rule will get evaluated for every syscall because it has to
> see if the syscall number is of interest and then it checks the next
> rule."
> 
> Based on this I had a couple of questions:
> 
> For normal syscall rules, the evaluation happens as __audit_syscall_exit
> <https://elixir.bootlin.com/linux/v6.1.10/C/ident/__audit_syscall_exit>
> calls audit_filter_syscall
> (https://elixir.bootlin.com/linux/v6.1.10/source/kernel/auditsc.c#L841)
> 
> Here, we check if the syscall is of interest or not in the audit_in_mask
> <https://elixir.bootlin.com/linux/v6.1.10/C/ident/audit_in_mask> function.
> Only if the syscall is of interest do we proceed with examining the task
> and return on the first rule match.
> 
> 1. What is the process or code path for watch rules? audit_filter_syscall
> <https://elixir.bootlin.com/linux/v6.1.10/C/ident/audit_filter_syscall> is
> called for watch rules as well. Then how is it that these are not called
> for every syscall? Could you point me to the code where the evaluation
> happens only once?

There is a file, kernel/audit_watch.c, that implements the interface between 
audit and fsnotify. You would want to learn how fsnotify works to understand 
how it avoids the syscall filter.

> 2. Also, do file watches only involve the open system call family (open,
> openat etc). The man page implies the same, so just wanted to confirm.
> 
> I assume -w /etc -p wa is the same as -a always,exit -S open -S openat -F
> dir=/etc?

It depends on the flag passed for perm as to what syscall it wants. See:

include/asm-generic/audit_*.h

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit