Bug 1102868 - Change default audit rules to '-a task,never'
Summary: Change default audit rules to '-a task,never'
Keywords:
Status: CLOSED DUPLICATE of bug 1117953
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-05-29 17:34 UTC by Andy Lutomirski
Modified: 2014-07-22 20:06 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-22 20:06:16 UTC
Type: Bug
Embargoed:



Description Andy Lutomirski 2014-05-29 17:34:59 UTC
On my laptop, syscall(SYS_getpid) takes 241.65 ns if syscall auditing is on (even with no rules) and 70-ish ns if syscall auditing is off.

On my desktop, getpid takes ~65.5 ns on a default Fedora configuration (I think -- this system has been through a few upgrades), but if I do auditctl -a task,never (which is a hack that Oleg Nesterov rigged up fairly recently), getpid goes down to 40.37 ns.

I think that, for users who don't have any manually configured audit rules, running every system call through the system call slow path is a poor tradeoff.  Please consider changing the default rules (in /etc/audit/audit.rules or wherever the best place is) to '-a task,never'.  Users who configure syscall auditing for real can easily remove that rule and replace it with whatever they want.
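The report above quotes per-call getpid latencies with and without syscall auditing. The following is an added example, not part of the bug report or of the audit package: a small C microbenchmark that times the raw getpid system call the same way, so that the cost of the syscall slow path can be measured on one's own machine. getpid does almost no work in the kernel, so the number is dominated by the entry/exit path that auditing affects. The iteration count and the use of CLOCK_MONOTONIC are my choices; absolute numbers depend on the CPU and kernel, so compare two runs on the same system (for example with auditing enabled and then with the '-a task,never' rule loaded) rather than reading the value in isolation.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Current time in nanoseconds from a monotonic clock (Linux, glibc). */
static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Time `iters` invocations of the raw getpid system call and return the
 * mean cost per call in nanoseconds.  Because getpid itself is nearly
 * free, this approximates the cost of one kernel entry/exit, which is
 * what the audit slow path adds to every system call. */
double getpid_cost_ns(long iters)
{
    volatile long sink = 0;   /* keeps the result live so the loop is not optimised away */
    uint64_t start = now_ns();
    for (long i = 0; i < iters; i++)
        sink += syscall(SYS_getpid);
    uint64_t end = now_ns();
    (void)sink;
    return (double)(end - start) / (double)iters;
}

/* Sanity check: the raw syscall must agree with the libc wrapper. */
int raw_getpid_matches_libc(void)
{
    return syscall(SYS_getpid) == (long)getpid();
}

int main(void)
{
    const long iters = 1000000;   /* constructed iteration count for a stable mean */
    if (!raw_getpid_matches_libc()) {
        fprintf(stderr, "raw getpid disagrees with libc getpid\n");
        return 1;
    }
    printf("getpid via syscall(): %.2f ns per call over %ld iterations\n",
           getpid_cost_ns(iters), iters);
    return 0;
}
```

Build with `gcc -O2 -o getpid_bench getpid_bench.c` and run it twice: once with the current audit configuration and once after changing it (the audit state can be inspected with `auditctl -s` and the loaded rules with `auditctl -l`). The difference between the two means is the per-syscall overhead the report is describing.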

Comment 1 Andy Lutomirski 2014-05-29 17:38:41 UTC
See bug 1102403 for some previous discussion.

Comment 2 Andy Lutomirski 2014-05-29 19:03:47 UTC
Moved to here: https://fedorahosted.org/fesco/ticket/1311

Comment 3 Steve Grubb 2014-05-29 20:07:00 UTC
But that doesn't really work in general. Meaning that you have to pass it a pid. The easiest and best solution is to just not enable auditing if you don't need it.

Comment 4 Andy Lutomirski 2014-05-29 22:07:47 UTC
Why do I need to pass it a pid?

Is there another clean way to disable auditing by default without breaking setroubleshootd?

Comment 5 Steve Grubb 2014-07-22 20:06:16 UTC

*** This bug has been marked as a duplicate of bug 1117953 ***

