From: Paul Moore
Date: Mon, 28 Jan 2019 15:08:56 -0500
Subject: Re: [PATCH] audit: always enable syscall auditing when supported and audit is enabled
To: Steve Grubb
Cc: "Sverdlin, Alexander (Nokia - DE/Ulm)", Daniel Borkmann, Greg Kroah-Hartman, "linux-kernel@vger.kernel.org", Alexei Starovoitov, "linux-audit@redhat.com", Richard Guy Briggs
In-Reply-To: <20190128210328.64b7719c@ivy-bridge>
References: <20151208164237.15736.42955.stgit@localhost> <5490ae28-251b-bfda-38a6-5be201a4a8d8@nokia.com> <4fb6def1-a1d9-8af0-394c-f92224884d18@nokia.com> <8bf5d613-9b27-381d-283b-c8892483f424@nokia.com> <20190128210328.64b7719c@ivy-bridge>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 28, 2019 at 3:03 PM Steve Grubb wrote:
> On Mon, 28 Jan 2019 11:26:51 -0500
> Paul Moore wrote:
>
> > On Mon, Jan 28, 2019 at 10:38 AM Sverdlin, Alexander (Nokia - DE/Ulm)
> > wrote:
> > > Hello Paul,
> > >
> > > On 28/01/2019 15:52, Paul Moore wrote:
> > > >>>>> time also enables syscall auditing; this patch simplifies the
> > > >>>>> Kconfig menus by removing the option to disable syscall
> > > >>>>> auditing when audit is selected and the target arch supports
> > > >>>>> it.
> > > >>>>>
> > > >>>>> Signed-off-by: Paul Moore
> > > >>>> this patch is responsible for massive performance degradation
> > > >>>> for those who used only CONFIG_SECURITY_APPARMOR.
> > > >>>>
> > > >>>> And the numbers are, take the following test for instance:
> > > >>>>
> > > >>>> dd if=/dev/zero of=/dev/null count=2M
> > > >>>>
> > > >>>> ARM64: 500MB/s -> 350MB/s
> > > >>>> ARM: 400MB/s -> 300MB/s
> > > >>> Hi there.
> > > >>>
> > > >>> Out of curiosity, what kernel/distribution are you running, or
> > > >>> is this a custom kernel compile? Can you also share the output
> > > >>> of 'auditctl
> > > >> This test was carried out with Linux 4.9. Custom built.
> > > > I suspected that was the case, thanks.
> > > >
> > > >>> -l' from your system? The general approach taken by everyone to
> > > >>> turn-off the per-syscall audit overhead is to add the "-a
> > > >>> never,task" rule to their audit configuration:
> > > >>>
> > > >>> # auditctl -a never,task
> > > >>>
> > > >>> If you are using Fedora/CentOS/RHEL, or a similarly configured
> > > >>> system,
> > > >> This is an embedded distribution. We are not using auditctl or
> > > >> any other audit-related user-space packages.
> > > >>
> > > >>> you can find this configuration in the /etc/audit/audit.rules
> > > >>> file (be warned, that file is automatically generated based on
> > > >>> /etc/audit/rules.d).
> > > >> I suppose in this case rule list must be empty. Is there a way
> > > >> to check this without extra user-space packages?
> > > > Yes, unless you are loading rules through some other method I
> > > > would expect that your audit rule list is empty.
> > > >
> > > > I'm not aware of any other tools besides auditctl to load audit
> > > > rules into the kernel, although I haven't ever had a need for
> > > > another tool so I haven't looked very hard. If you didn't want
> > > > to bring auditctl into your distribution, I expect it would be a
> > > > rather trivial task to create a small tool to load a single "-a
> > > > never,task" into the kernel.
> > >
> > > I've done a quick test on my x86_64 PC and got the following
> > > results:
> >
> > ...
> >
> > > Which brings me to an idea, that the subject patch should have been
> > > accompanied by a default "never,task" rule inside the kernel,
> > > otherwise you require an extra user-space package (audit) just to
> > > bring Linux 4.5+ to 4.4 performance levels.
> >
> > [NOTE: I dropped pmoore@redhat.com from the To/CC line, I left Red Hat
> > for greener pastures several months ago.]
> >
> > Well, it generally hasn't been an issue as 1) most people that enable
> > audit also enable syscall auditing and 2) most people that enable
> > audit have some sort of audit userspace tools to work with the audit
> > logs (and configure audit if necessary). I don't want to diminish
> > your report, but this change was made several years ago and we really
> > haven't heard of many issues surrounding the change. If we can ever
> > get all of the different arches to support syscall auditing, I'd love
> > to get rid of the syscall auditing Kconfig knob entirely.
> >
> > If you wanted to put together a patch that added a single "-a
> > never,task" rule on boot I could get behind that, just make it default
> > to off.
>
> That will make processes unauditable for everyone. That's how it gets a
> speedup is not entering into the audit machinery.

That is pretty much what is being asked for in this thread. It's really
no different from what Fedora/CentOS/RHEL (and who knows how many
others) ship with their default audit config.

It's important to note that you could always delete this rule at
runtime; all that is being proposed is to have the kernel populate the
audit ruleset with the "-a never,task" rule *IF* the proposed kernel
Kconfig option is enabled (and it would default to being off, you would
have to turn it on during build).

> I suppose it's possible that people may want MAC hardwired events but no syscall
> events. I don't know if there are other kconfig audit options. but
> maybe getting it down to audit enabled and syscall auditing as the only
> choices is probably the most performant.
>
> -Steve

--
paul moore
www.paul-moore.com
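The "small tool to load a single -a never,task rule into the kernel" that the thread mentions, written out as an added example. This is not code from the thread, from the kernel, or from the audit userspace project: it speaks the NETLINK_AUDIT protocol directly using only the UAPI headers (linux/audit.h, linux/netlink.h), so it needs neither auditctl nor libaudit. The struct and function names are my own; the message layout (netlink header followed by struct audit_rule_data, AUDIT_ADD_RULE, AUDIT_FILTER_TASK, AUDIT_NEVER) is the kernel's. As Steve points out, an empty never rule on the task list stops every task forked after it is loaded from producing syscall records, so it only makes sense on a system that would otherwise run with no syscall rules at all; it can be removed again at runtime by sending the same payload with AUDIT_DEL_RULE.

```c
/* never_task.c: load the equivalent of "auditctl -a never,task" into the
 * kernel over a NETLINK_AUDIT socket, without libaudit. (Added example;
 * names are the author's own, message layout is from <linux/audit.h>.)
 * Build: cc -Wall -o never_task never_task.c
 * Run as root or with CAP_AUDIT_CONTROL in the initial user namespace.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Netlink header immediately followed by the rule payload. NLMSG_HDRLEN is
 * 16 on every Linux ABI, so the payload starts where NLMSG_DATA() expects. */
struct audit_rule_msg {
    struct nlmsghdr nlh;
    struct audit_rule_data rule; /* buf[] stays empty: no string fields */
};

/* Fill in the AUDIT_ADD_RULE request for "-a never,task": a rule with no
 * fields and no syscall mask bits on the task list, action NEVER. The kernel
 * walks the task list once per fork(); an empty rule matches every new task,
 * so its syscalls never enter the audit path. Returns the message length. */
size_t build_never_task_rule(struct audit_rule_msg *msg, uint32_t seq)
{
    memset(msg, 0, sizeof(*msg));
    msg->rule.flags       = AUDIT_FILTER_TASK;
    msg->rule.action      = AUDIT_NEVER;
    msg->rule.field_count = 0;
    msg->rule.buflen      = 0;

    msg->nlh.nlmsg_len   = NLMSG_LENGTH(sizeof(msg->rule));
    msg->nlh.nlmsg_type  = AUDIT_ADD_RULE;
    msg->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    msg->nlh.nlmsg_seq   = seq;
    msg->nlh.nlmsg_pid   = 0; /* kernel assigns our port id on first send */
    return msg->nlh.nlmsg_len;
}

/* Send the request and wait for the kernel's ACK. Returns 0 on success or a
 * negative errno (for example -EPERM without CAP_AUDIT_CONTROL, or -EEXIST
 * when an identical rule is already loaded). */
int send_audit_rule(const struct audit_rule_msg *msg)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;

    if (sendto(fd, msg, msg->nlh.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        int err = -errno;
        close(fd);
        return err;
    }

    /* With NLM_F_ACK the kernel answers with an NLMSG_ERROR message whose
     * error field is 0 on success and a negative errno otherwise. */
    char reply[NLMSG_SPACE(sizeof(struct nlmsgerr)) + 256];
    ssize_t n = recv(fd, reply, sizeof(reply), 0);
    close(fd);
    if (n < 0)
        return -errno;

    struct nlmsghdr *rh = (struct nlmsghdr *)reply;
    if (!NLMSG_OK(rh, (unsigned int)n) || rh->nlmsg_type != NLMSG_ERROR)
        return -EPROTO;
    return ((struct nlmsgerr *)NLMSG_DATA(rh))->error;
}

/* Self-check used before sending: 1 if the built message has the shape the
 * kernel's audit_rule_data handler expects for an empty task-list rule. */
int never_task_rule_ok(void)
{
    struct audit_rule_msg m;
    size_t len = build_never_task_rule(&m, 1);
    return len == NLMSG_LENGTH(sizeof(struct audit_rule_data)) &&
           m.nlh.nlmsg_type == AUDIT_ADD_RULE &&
           m.rule.flags == AUDIT_FILTER_TASK &&
           m.rule.action == AUDIT_NEVER &&
           m.rule.field_count == 0 && m.rule.buflen == 0;
}

int main(void)
{
    struct audit_rule_msg msg;
    if (!never_task_rule_ok())
        return 2;
    build_never_task_rule(&msg, 1);
    int rc = send_audit_rule(&msg);
    if (rc != 0) {
        fprintf(stderr, "AUDIT_ADD_RULE failed: %s\n", strerror(-rc));
        return 1;
    }
    puts("loaded: -a never,task");
    return 0;
}
```

The rule only affects tasks created after it is loaded, which is why distributions install it from early boot; on a running system, processes that already exist keep their audit context until they fork.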