Re: [RFC] Do away with entry filter

From: Linda Knippers <linda.knippers@hp.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [RFC] Do away with entry filter
Date: Fri, 27 Feb 2009 11:56:57 -0500	[thread overview]
Message-ID: <49A81B59.1050608@hp.com> (raw)
In-Reply-To: <200902270954.12237.sgrubb@redhat.com>

Steve Grubb wrote:
> Hello,
> 
> I will be forking the user space audit code soon to start the next major 
> series. I have a couple thoughts I'd like to share with people to see what 
> they think.
> 
> The first item is doing away with the entry filter for syscall auditing. You 
> normally run across this filter when you write rules such as:
> 
> -a always,entry -S open
> 
> The reason I think we can do away with it is that its purpose has changed. Way 
> back in the early days 2.6.6 -> 2.6.15 kernels, there was this notion that 
> the audit code could be made to have little impact on the performance of the 
> system if we give hints about what is needed by using "possible" actions.
> 
> The problem with "possible" was that people forgot to use it and had exit 
> filter rules that had no data to operate on. So, we changed the kernel to 
> always collect the data it needed in case an exit filter would trigger an 
> event. This was optimized and performance was pretty good. So, that kind of 
> left the entry filter without a purpose. 
> 
> Any entry rule can be written as an exit rule. But not every exit rule can be 
> written as an entry rule. So the logical choice is to consolidate on the exit 
> filter. The reason to do this is to improve performance. If we have an entry 
> rule that triggers, it marks the syscall excursion as auditable. When we get 
> to the exit filter, it iterates over the whole set of rules even though the 
> event is auditable. This is because there could be a never rule that would 
> suppress the output. Another problem introduced by having two filters is that 
> some fields are not available in the entry filter (exit for example), it adds 
> complexity in the auditctl program and the in-kernel rule parser to look for 
> these errors.
> 
> The way that we could make the change is for the audit package to silently 
> convert entry rules to exit in user space. It could output a warning that 
> entry rules are being converted and the admin should make the necessary 
> adjustments. Then after some time has elapsed so that distros have all 
> updated, drop support in the kernel for the entry filter.
> 
> Let's discuss...

Without "entry", does "exit" still make sense?  In other words, are the
choices really just "always" and "never"?  If we're going to change
things, is this an opportunity to simplify in general?

-- ljk

> 
> Thanks,
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit