Audit overhead and default rules
Andrew Lutomirski
luto at mit.edu
Mon Feb 10 20:10:27 UTC 2014
On Mon, Feb 10, 2014 at 12:06 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Monday, February 10, 2014 11:05:38 AM Andrew Lutomirski wrote:
>> On a default Fedora installation, every system call incurs a fair
>> amount of overhead due to syscall auditing. This happens despite the
>> fact that syscalls aren't actually audited, except as part of AVC
>> denials.
>>
>> The overhead is something like 20-40ns per syscall, and the total time
>> to do a simple syscall with auditing completely disabled is about 70ns
>> on my laptop. So this is actually a large effect.
>
> Then pass -s=nochange on the auditd command prompt. This means that auditd
> will not attempt to enable auditing. When auditing is not enabled, it will not
> build an audit context and syscalls are slightly faster, but you will loose a
> tiny bit of information that selinux would have liked to have.
>
>
>> What would people think about changing the default audit rules to add
>> something like '-t task,never'?
>
> This filter is almost useless. Its never used in real life because it creates
> inauditable processes which is exactly opposite of what people normally want.
It's also the only way to turn off TIF_SYSCALL_AUDIT in current
kernels. I'm not attempting to justify the sanity of that; I'm just
reading the code.
>
>> This would remove the overhead, but it would come at the cost of removing
>> the syscall records from
>> /var/log/audit/audit.log when an AVC denial occurs.
>>
>> This could make debugging selinux errors a bit harder, but it would be
>> easy for users to re-enable full auditing.
>>
>> I've been playing with fixing this in the kernel, but it's a mess.
>
> Its also simple to fix in your config.
There are, indeed, many ways for me to fix this on my machine. I'm
suggesting that Fedora change the default so that no one has
experiences this overhead by default. If the default gets changed, I
don't particularly care *which* change is made, so long as the effect
is that TIF_SYSCALL_AUDIT doesn't get set (so there's no overhead) but
that AVC denials still get logged (which I suspect is the overwhelming
majority of the value added by audit support).
--Andy
More information about the devel
mailing list