From: Paul Moore <paul@paul-moore.com>
To: "Sverdlin, Alexander (Nokia - DE/Ulm)" <alexander.sverdlin@nokia.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>,
Richard Guy Briggs <rbriggs@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] audit: always enable syscall auditing when supported and audit is enabled
Date: Mon, 28 Jan 2019 11:26:51 -0500 [thread overview]
Message-ID: <CAHC9VhR25UdWPSRurefEX3YjM80DEh5BXETvK4na3Ym+k2=9xQ@mail.gmail.com> (raw)
In-Reply-To: <8bf5d613-9b27-381d-283b-c8892483f424@nokia.com>
On Mon, Jan 28, 2019 at 10:38 AM Sverdlin, Alexander (Nokia - DE/Ulm)
<alexander.sverdlin@nokia.com> wrote:
> Hello Paul,
>
> On 28/01/2019 15:52, Paul Moore wrote:
> >>>>> time also enables syscall auditing; this patch simplifies the Kconfig
> >>>>> menus by removing the option to disable syscall auditing when audit
> >>>>> is selected and the target arch supports it.
> >>>>>
> >>>>> Signed-off-by: Paul Moore <pmoore@redhat.com>
> >>>> this patch is responsible for massive performance degradation for those
> >>>> who used only CONFIG_SECURITY_APPARMOR.
> >>>>
> >>>> And the numbers are, take the following test for instance:
> >>>>
> >>>> dd if=/dev/zero of=/dev/null count=2M
> >>>>
> >>>> ARM64: 500MB/s -> 350MB/s
> >>>> ARM: 400MB/s -> 300MB/s
> >>> Hi there.
> >>>
> >>> Out of curiosity, what kernel/distribution are you running, or is this
> >>> a custom kernel compile? Can you also share the output of 'auditctl
> >> This test was carried out with Linux 4.9. Custom built.
> > I suspected that was the case, thanks.
> >
> >>> -l' from your system? The general approach taken by everyone to
> >>> turn-off the per-syscall audit overhead is to add the "-a never,task"
> >>> rule to their audit configuration:
> >>>
> >>> # auditctl -a never,task
> >>>
> >>> If you are using Fedora/CentOS/RHEL, or a similarly configured system,
> >> This is an embedded distribution. We are not using auditctl or any other
> >> audit-related user-space packages.
> >>
> >>> you can find this configuration in the /etc/audit/audit.rules file (be
> >>> warned, that file is automatically generated based on
> >>> /etc/audit/rules.d).
> >> I suppose in this case rule list must be empty. Is there a way to check
> >> this without extra user-space packages?
> > Yes, unless you are loading rules through some other method I would
> > expect that your audit rule list is empty.
> >
> > I'm not aware of any other tools besides auditctl to load audit rules
> > into the kernel, although I haven't ever had a need for another tool
> > so I haven't looked very hard. If you didn't want to bring auditctl
> > into your distribution, I expect it would be a rather trivial task to
> > create a small tool to load a single "-a never,task" into the kernel.
>
> I've done a quick test on my x86_64 PC and got the following results:
...
> Which brings me to an idea, that the subject patch should have been accompanied
> by a default "never,task" rule inside the kernel, otherwise you require an
> extra user-space package (audit) just to bring Linux 4.5+ to 4.4 performance
> levels.
[NOTE: I dropped pmoore@redhat.com from the To/CC line, I left Red Hat
for greener pastures several months ago.]
Well, it generally hasn't been an issue as 1) most people that enable
audit also enable syscall auditing and 2) most people that enable
audit have some sort of audit userspace tools to work with the audit
logs (and configure audit if necessary). I don't want to diminish
your report, but this change was made several years ago and we really
haven't heard of many issues surrounding the change. If we can ever
get all of the different arches to support syscall auditing, I'd love
to get rid of the syscall auditing Kconfig knob entirely.
If you wanted to put together a patch that added a single "-a
never,task" rule on boot I could get behind that, just make it default
to off.
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2019-01-28 16:27 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20151208164237.15736.42955.stgit@localhost>
2019-01-28 8:34 ` [PATCH] audit: always enable syscall auditing when supported and audit is enabled Sverdlin, Alexander (Nokia - DE/Ulm)
2019-01-28 14:19 ` Paul Moore
2019-01-28 14:36 ` Sverdlin, Alexander (Nokia - DE/Ulm)
2019-01-28 14:52 ` Paul Moore
2019-01-28 15:38 ` Sverdlin, Alexander (Nokia - DE/Ulm)
2019-01-28 16:26 ` Paul Moore [this message]
2019-01-28 20:03 ` Steve Grubb
2019-01-28 20:08 ` Paul Moore
2019-01-28 21:19 ` Steve Grubb
2019-01-28 21:49 ` Richard Guy Briggs
2019-01-28 22:01 ` Paul Moore
2019-01-28 14:45 ` Sverdlin, Alexander (Nokia - DE/Ulm)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhR25UdWPSRurefEX3YjM80DEh5BXETvK4na3Ym+k2=9xQ@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=alexander.sverdlin@nokia.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rbriggs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).