Bug 1876483
| Summary: | OpenSCAP SSG remediation slows performance with individual rules in auditd | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Anthony Hogbin <ahogbin> |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
| Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
| Severity: | medium | Docs Contact: | Jan Fiala <jafiala> |
| Priority: | medium | | |
| Version: | 8.2 | CC: | ggasparb, jafiala, matyc, mhaicman, tscherf, wsato |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | scap-security-guide-0.1.57-2.el8 | Doc Type: | Enhancement |
| Story Points: | --- | Clone Of: | |
| Environment: | | Last Closed: | 2021-11-09 18:43:58 UTC |
| Type: | --- | Regression: | --- |
| Mount Type: | --- | Documentation: | --- |
| CRM: | | Verified Versions: | |
| Category: | --- | oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | | Cloudforms Team: | --- |
| Target Upstream Version: | | Embargoed: | |

Doc Text:

.Performance of remediations for Audit improved by grouping similar system calls
Previously, Audit remediations generated an individual rule for each system call audited by the profile. This led to large numbers of audit rules, which degraded performance. With this enhancement, remediations for Audit group system calls whose rules have identical fields (action, architecture, `-F` filters and key) into a single rule with a combined `-S` list, which reduces the number of loaded rules and improves performance. Rules that differ in any other field, for example in the `exit=` filter, remain separate.
Examples of system calls grouped together (auditctl rule syntax):
----
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
----
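The grouping described in the Doc Text, reimplemented in Python as an added example; this is not code from scap-security-guide or from the linked pull request, which do the merging in the Bash and Ansible remediations. It parses auditctl rule lines, merges every `-a` syscall rule whose fields other than `-S` are identical into one rule with a combined syscall list, and passes watches and rules with differing fields through untouched. The input rules below are constructed to resemble the per-syscall rules an older remediation would write; the function names are this example's own.

```python
"""Merge per-syscall audit rules that share every field except -S.

Added example, not scap-security-guide code. Run it to see twelve
constructed per-syscall rules collapse into six, or feed it the lines of
a file from /etc/audit/rules.d/ to see how much a real rule set shrinks.
"""
import shlex

# auditctl options that take an argument (the subset this example handles).
_WITH_ARG = {"-a", "-A", "-F", "-C", "-k", "-w", "-p", "-S", "-d"}


def parse_rule(line):
    """Tokenise one rule line into (option, argument) pairs.

    Flags without an argument get argument None. Blank lines and '#'
    comments yield an empty list. Raises ValueError on a dangling option.
    """
    toks = shlex.split(line, comments=True)
    pairs = []
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt in _WITH_ARG:
            if i + 1 >= len(toks):
                raise ValueError(f"option {opt} is missing its argument: {line!r}")
            pairs.append((opt, toks[i + 1]))
            i += 2
        else:
            pairs.append((opt, None))
            i += 1
    return pairs


def group_syscall_rules(lines):
    """Return the rules with identical-field `-a` syscall rules merged.

    Grouping key: every (option, argument) pair except -S, in the order
    written. The merged rule keeps the first rule's layout and lists the
    syscalls in first-seen order without duplicates. Non-`-a` lines
    (-w watches, -D, -b, ...) are kept in place; blanks/comments are dropped.
    """
    groups = {}   # key -> [template pairs, merged syscall list]
    order = []    # ("literal", text) or ("group", key), first-seen order
    for line in lines:
        pairs = parse_rule(line)
        if not pairs:
            continue
        if pairs[0][0] != "-a" or not any(o == "-S" for o, _ in pairs):
            order.append(("literal", " ".join(line.split())))
            continue
        key = tuple((o, v) for o, v in pairs if o != "-S")
        syscalls = [s for o, v in pairs if o == "-S" for s in v.split(",")]
        if key not in groups:
            groups[key] = [pairs, []]
            order.append(("group", key))
        merged = groups[key][1]
        for s in syscalls:
            if s not in merged:
                merged.append(s)

    result = []
    for kind, item in order:
        if kind == "literal":
            result.append(item)
            continue
        template, syscalls = groups[item]
        toks, emitted_s = [], False
        for opt, val in template:
            if opt == "-S":
                if not emitted_s:          # combined list where -S first appeared
                    toks += ["-S", ",".join(syscalls)]
                    emitted_s = True
            elif val is None:
                toks.append(opt)
            else:
                toks += [opt, val]
        result.append(" ".join(toks))
    return result


# Constructed input: one rule per syscall, as an older remediation would
# write them, plus an exit=-EPERM variant and a watch that must not merge.
RULES_BEFORE = """\
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-w /etc/passwd -p wa -k identity
"""


def demo():
    """Return (input rules, merged rules) for the constructed sample."""
    before = [l for l in RULES_BEFORE.splitlines() if l.strip()]
    return before, group_syscall_rules(before)


if __name__ == "__main__":
    before, after = demo()
    print(f"{len(before)} rules in, {len(after)} rules out")
    print("\n".join(after))
```

The two `unsuccessful-perm-change` rules stay separate because their `exit=` filters differ, and the `arch=b32` and `arch=b64` groups never merge, which is the same "identical fields" condition the enhancement applies; only the syscall list is allowed to vary within a group.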
Description
Anthony Hogbin
2020-09-07 10:11:45 UTC
@Vojtech Polasek - I am waiting on an update from the customer - but they have been asked / nudged again - I will be chasing up again in the TAM call this week.

This patch (https://github.com/ComplianceAsCode/content/pull/7329) improves the Ansible and Bash remediations to group similar syscalls together.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4265