[RFC] Do away with entry filter

Steve Grubb sgrubb at redhat.com
Fri Feb 27 14:54:11 UTC 2009


Hello,

I will be forking the user space audit code soon to start the next major 
series. I have a couple thoughts I'd like to share with people to see what 
they think.

The first item is doing away with the entry filter for syscall auditing. You 
normally run across this filter when you write rules such as:

-a always,entry -S open

The reason I think we can do away with it is that its purpose has changed. Way 
back in the early days 2.6.6 -> 2.6.15 kernels, there was this notion that 
the audit code could be made to have little impact on the performance of the 
system if we give hints about what is needed by using "possible" actions.

The problem with "possible" was that people forgot to use it and had exit 
filter rules that had no data to operate on. So, we changed the kernel to 
always collect the data it needed in case an exit filter would trigger an 
event. This was optimized and performance was pretty good. So, that kind of 
left the entry filter without a purpose. 

Any entry rule can be written as an exit rule. But not every exit rule can be 
written as an entry rule. So the logical choice is to consolidate on the exit 
filter. The reason to do this is to improve performance. If we have an entry 
rule that triggers, it marks the syscall excursion as auditable. When we get 
to the exit filter, it iterates over the whole set of rules even though the 
event is auditable. This is because there could be a never rule that would 
suppress the output. Another problem introduced by having two filters is that 
some fields are not available in the entry filter (exit for example), which adds 
complexity in the auditctl program and the in-kernel rule parser to look for 
these errors.

The way that we could make the change is for the audit package to silently 
convert entry rules to exit in user space. It could output a warning that 
entry rules are being converted and the admin should make the necessary 
adjustments. Then after some time has elapsed so that distros have all 
updated, drop support in the kernel for the entry filter.

Let's discuss...

Thanks,
-Steve
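As an added illustration of the user-space conversion step proposed above (this is example code written for this page, not code from the audit package or from the post), the following Python rewrites the `entry` list in `-a`/`-A`/`-d` rules to `exit`, emits the warning the post describes, and flags the one case the post names where a field such as `exit` cannot be evaluated on syscall entry. The rule subset it parses (list,action in either order, `-S`, `-F`, `-w`, `-p`, `-k`, `-D`, `-b`) and the sample rules file are assumptions constructed for the example; only `exit` is treated as an exit-only field because that is the only one the post mentions.

```python
import re
import sys
from typing import List, Tuple

# auditctl accepts several comparison operators in "-F name<op>value";
# this regex is used only to peel the field name off the token.
_FIELD_OP = re.compile(r"[=!<>&]")

ENTRY_LIST = "entry"
EXIT_LIST = "exit"

# Fields that only have a value once the syscall has returned. The post names
# "exit" as an example; treating it as the only member is an assumption.
EXIT_ONLY_FIELDS = {"exit"}


def convert_rule(rule: str) -> Tuple[str, List[str]]:
    """Rewrite one auditctl rule so an entry-list rule becomes an exit-list
    rule. Returns (rewritten_rule, warnings). Rules on other lists
    (exit, task, user, exclude) and watch rules come back unchanged."""
    tokens = rule.split()
    out: List[str] = []
    warnings: List[str] = []
    fields: List[str] = []
    was_entry = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        # -a (append), -A (prepend) and -d (delete) take "list,action" or
        # "action,list"; auditctl accepts both orders, so map the parts.
        if tok in ("-a", "-A", "-d") and i + 1 < len(tokens):
            parts = tokens[i + 1].split(",")
            if ENTRY_LIST in parts:
                was_entry = True
                parts = [EXIT_LIST if p == ENTRY_LIST else p for p in parts]
            out.extend([tok, ",".join(parts)])
            i += 2
            continue
        # Remember every -F field name so exit-only fields on an entry rule
        # can be reported after the list has been rewritten.
        if tok == "-F" and i + 1 < len(tokens):
            fields.append(_FIELD_OP.split(tokens[i + 1], 1)[0])
            out.extend([tok, tokens[i + 1]])
            i += 2
            continue
        out.append(tok)
        i += 1
    if was_entry:
        warnings.append("entry filter is deprecated; rule converted to the "
                        "exit filter, please update it: %s" % rule)
        for name in fields:
            if name in EXIT_ONLY_FIELDS:
                warnings.append("field '%s' has no value on syscall entry; "
                                "it is only evaluated by the converted exit "
                                "rule: %s" % (name, rule))
    return " ".join(out), warnings


def convert_rules(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Apply convert_rule to each rule line of an audit.rules-style file,
    leaving comments and blank lines untouched."""
    converted: List[str] = []
    warnings: List[str] = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            converted.append(line)
            continue
        new_rule, rule_warnings = convert_rule(stripped)
        converted.append(new_rule)
        warnings.extend(rule_warnings)
    return converted, warnings


# Constructed sample rules file (not a real system's configuration).
SAMPLE_RULES = """\
# constructed sample audit.rules
-D
-b 8192
-a always,entry -S open
-a never,entry -S open -F uid=0
-a exit,always -S unlink -F exit=-EPERM
-w /etc/passwd -p wa -k passwd
"""

if __name__ == "__main__":
    rules, warns = convert_rules(SAMPLE_RULES.splitlines())
    for w in warns:
        print("warning: " + w, file=sys.stderr)
    print("\n".join(rules))
```

Running the file prints the rewritten rules on stdout and one warning per converted rule on stderr, which is the shape an auditctl-side shim would need: the admin sees what changed, and the loaded rule set is exit-only.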
