lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5E08422A-BFE2-4515-A804-3DB42B7D8550@fb.com>
Date:   Tue, 5 Nov 2019 00:39:21 +0000
From:   Chris Mason <clm@...com>
To:     Paul Moore <paul@...l-moore.com>
CC:     Eric Paris <eparis@...hat.com>,
        Dave Jones <davej@...emonkey.org.uk>,
        "linux-audit@...hat.com" <linux-audit@...hat.com>,
        Kyle McMartin <jkkm@...com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] audit: set context->dummy even when audit is off

On 4 Nov 2019, at 19:15, Paul Moore wrote:

> On Fri, Nov 1, 2019 at 9:24 AM Chris Mason <clm@...com> wrote:
>> On 31 Oct 2019, at 19:27, Paul Moore wrote:
>>> It's been a while, but I thought we suggested Dave try running
>>> 'auditctl -a never,task' to see if that would solve his problem and 
>>> I
>>> believe his answer was no, which confused me a bit as the
>>> audit_filter_task() call in audit_alloc() should see that rule and
>>> return a state of AUDIT_DISABLED which not only prevents 
>>> audit_alloc()
>>> from allocating an audit_context (and remember if the audit_context 
>>> is
>>> NULL then audit_dummy_context() returns true), but it also clears 
>>> the
>>> TIF_SYSCALL_AUDIT flag (which I'm guessing you also want).
>>
>> Thanks for the reminder on this part, I meant to test it.  Yes, 
>> auditctl
>> -a never,task does stop the messages, even without my patch applied.
>
> I'm glad to hear that worked, I was going to be *very* confused if you
> came back and said you were still seeing NTP records.
>
> I would suggest that regardless of what happens with audit_enabled you
> likely want to keep this audit rule as part of your boot
> configuration, not only does it squelch the audit records, but it
> should improve performance as well (at the cost of no syscall
> auditing).  A number of Linux distros have this as their default at
> boot.
>

Definitely, we'll be testing auditctl -a never,task internally.  Before 
we went down that path I wanted to fully understand what was going on, 
but I think all the big questions have been answered at this point.

I'm happy to try variations on my patch, but if you want to include it, 
please do remember that I've really only tested it with auditing off.

-chris

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ