Bug 1102868

Summary: Change default audit rules to '-a task,never'
Product: Fedora
Reporter: Andy Lutomirski <luto>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: sgrubb
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-07-22 20:06:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Andy Lutomirski 2014-05-29 17:34:59 UTC
On my laptop, syscall(SYS_getpid) takes 241.65 ns if syscall auditing is on (even with no rules) and 70-ish ns if syscall auditing is off.

On my desktop, getpid takes ~65.5 ns on a default Fedora configuration (I think -- this system has been through a few upgrades), but if I do auditctl -a task,never (which is a hack that Oleg Nesterov rigged up fairly recently), getpid goes down to 40.37 ns.

I think that, for users who don't have any manually configured audit rules, running every system call through the system call slow path is a poor tradeoff.  Please consider changing the default rules (in /etc/audit/audit.rules or wherever the best place is) to '-a task,never'.  Users who configure syscall auditing for real can easily remove that rule and replace it with whatever they want.
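A microbenchmark for the overhead the report describes, added here as an example; it is not code from the bug, from the reporter, or from the audit package. It times the raw getpid system call in nanoseconds per call. To reproduce the comparison in the report, run it once with the stock audit rules and once after `auditctl -a task,never` (as root) and compare the two numbers; the iteration count, the best-of-five loop, and the function names are my own choices. It assumes a Linux system with glibc's `syscall()` wrapper and `CLOCK_MONOTONIC`.

```c
// Measure the per-call cost of syscall(SYS_getpid) so the audit slow-path
// overhead can be compared before and after changing the audit rules.
// Example code, not part of the bug report or the audit package.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Iterations per measurement (assumed value): large enough that the two
   clock_gettime() calls around the loop are negligible. */
#define DEFAULT_ITERS 2000000UL

static double now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Average wall-clock cost, in ns, of one syscall(SYS_getpid).
   The raw syscall() wrapper is used instead of getpid() so that an older
   glibc's cached pid cannot skip the kernel entry we want to measure.
   Returns -1.0 when iters is 0. */
double getpid_syscall_ns(unsigned long iters) {
    if (iters == 0)
        return -1.0;
    volatile long sink = 0;  /* keeps the loop body from being optimized out */
    double start = now_ns();
    for (unsigned long i = 0; i < iters; i++)
        sink += syscall(SYS_getpid);
    double end = now_ns();
    (void)sink;
    return (end - start) / (double)iters;
}

/* Sanity check: the raw syscall path reports the same pid as libc. */
int raw_getpid_matches_libc(void) {
    return syscall(SYS_getpid) == (long)getpid();
}

int main(int argc, char **argv) {
    unsigned long iters = argc > 1 ? strtoul(argv[1], NULL, 10) : DEFAULT_ITERS;
    if (!raw_getpid_matches_libc()) {
        fprintf(stderr, "raw getpid disagrees with libc getpid\n");
        return 1;
    }
    /* One warm-up pass so page faults and CPU frequency ramp-up do not
       land in the first measured run. */
    getpid_syscall_ns(iters / 10 + 1);
    double best = 1e18;
    for (int run = 0; run < 5; run++) {
        double ns = getpid_syscall_ns(iters);
        if (ns < best)
            best = ns;
    }
    printf("syscall(SYS_getpid): best of 5 runs = %.2f ns/call over %lu calls\n",
           best, iters);
    return 0;
}
```

Build with `gcc -O2 -o getpid_bench getpid_bench.c` and run it twice, checking `auditctl -l` between runs to confirm which rule set is active; the best-of-five figure is the one to compare, since a single run picks up scheduler noise. The absolute numbers depend on the CPU and kernel, so only the ratio between the two configurations on the same machine is meaningful.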

Comment 1 Andy Lutomirski 2014-05-29 17:38:41 UTC
See bug 1102403 for some previous discussion.

Comment 2 Andy Lutomirski 2014-05-29 19:03:47 UTC
Moved to here: https://fedorahosted.org/fesco/ticket/1311

Comment 3 Steve Grubb 2014-05-29 20:07:00 UTC
But that doesn't really work in general. Meaning that you have to pass it a pid. The easiest and best solution is to just not enable auditing if you don't need it.

Comment 4 Andy Lutomirski 2014-05-29 22:07:47 UTC
Why do I need to pass it a pid?

Is there another clean way to disable auditing by default without breaking setroubleshootd?

Comment 5 Steve Grubb 2014-07-22 20:06:16 UTC
*** This bug has been marked as a duplicate of bug 1117953 ***