From 0a68a695e5cd1fc4412ec56a3547bfadd237b62e Mon Sep 17 00:00:00 2001 From: Teddy Reed Date: Thu, 31 Oct 2019 12:05:00 -0400 Subject: [PATCH] audit: Allow configuring audit_backlog_wait_time (#5953) Read the analysis within #5952. There are multiple sources suggesting an optimal value is 0. Our implementation previously hardcoded the value to 1. It is now 0 and can be configured to a different value using the audit_backlog_wait_time option or command line flag.
---
 osquery/events/linux/auditdnetlink.cpp | 53 +++++++++++---------------
 1 file changed, 22 insertions(+), 31 deletions(-)
diff --git a/osquery/events/linux/auditdnetlink.cpp b/osquery/events/linux/auditdnetlink.cpp
index 6ddf955f..d9eb9518 100644
--- a/osquery/events/linux/auditdnetlink.cpp
+++ b/osquery/events/linux/auditdnetlink.cpp
@@ -53,6 +53,12 @@ FLAG(bool,
      false,
      "Configure the audit subsystem from scratch");
 
+/// This value is passed directly to the audit API.
+FLAG(int32, audit_backlog_wait_time, 0, "The audit backlog wait time");
+
+/// This value is passed directly to the audit API.
+FLAG(int32, audit_backlog_limit, 4096, "The audit backlog limit");
+
 // External flags; they are used to determine which rules need to be installed
 DECLARE_bool(audit_allow_fim_events);
 DECLARE_bool(audit_allow_process_events);
@@ -61,14 +67,16 @@ DECLARE_bool(audit_allow_sockets);
 DECLARE_bool(audit_allow_user_events);
 DECLARE_bool(audit_allow_selinux_events);
 
-// user messages should be filtered
-// also, we should handle the 2nd user message type
 namespace {
 bool IsSELinuxRecord(const audit_reply& reply) noexcept {
   static const auto& selinux_event_set = kSELinuxEventList;
   return (selinux_event_set.find(reply.type) != selinux_event_set.end());
 }
 
+/**
+ * User messages should be filtered. Also, we should handle the 2nd user
+ * message type.
+ */
 bool ShouldHandle(const audit_reply& reply) noexcept {
   if (IsSELinuxRecord(reply)) {
     return FLAGS_audit_allow_selinux_events;
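Review bot: The two new flags are declared `int32` but are handed unchanged to `audit_set_backlog_wait_time`/`audit_set_backlog_limit`, which (if I recall the libaudit signatures correctly) take unsigned 32-bit values, so a negative `--audit_backlog_wait_time` or `--audit_backlog_limit` would wrap to a huge number instead of being rejected; either check the sign before use or declare the flags unsigned if the FLAG macro allows it. The descriptions also do not tell an operator what unit the wait time is in or why 0 is the default, which is exactly what someone tuning this needs. I would write `"Audit backlog wait time passed to the kernel unchanged; 0 is the recommended value, see #5952"` and `"Audit backlog limit (queued records) passed to the kernel unchanged"`, after confirming the unit against the kernel documentation.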
@@ -146,7 +154,7 @@ void AuditdNetlinkReader::start() {
   while (!interrupted()) {
     if (auditd_context_->acquire_handle) {
       if (FLAGS_audit_debug) {
-        std::cout << "(re)acquiring the audit handle.." << std::endl;
+        VLOG(1) << "(Re)acquiring the audit handle";
       }
 
       NetlinkStatus netlink_status = acquireHandle();
@@ -196,7 +204,10 @@ void AuditdNetlinkReader::stop() {
   VLOG(1) << "Releasing the audit handle...";
   auditd_context_->unprocessed_records_cv.notify_all();
 
-  restoreAuditServiceConfiguration();
+
+  if (FLAGS_audit_allow_config) {
+    restoreAuditServiceConfiguration();
+  }
 
   audit_close(audit_netlink_handle_);
   audit_netlink_handle_ = -1;
@@ -304,8 +315,9 @@ bool AuditdNetlinkReader::configureAuditService() noexcept {
   // Want to set a min sane buffer and maximum number of events/second min.
   // This is normally controlled through the audit config, but we must
   // enforce sane minimums: -b 8192 -e 100
-  audit_set_backlog_wait_time(audit_netlink_handle_, 1);
-  audit_set_backlog_limit(audit_netlink_handle_, 4096);
+  audit_set_backlog_wait_time(audit_netlink_handle_, FLAGS_audit_backlog_wait_time);
+  audit_set_backlog_limit(audit_netlink_handle_, FLAGS_audit_backlog_limit);
   audit_set_failure(audit_netlink_handle_, AUDIT_FAIL_SILENT);
 
   // Request only the highest priority of audit status messages.
@@ -371,8 +383,7 @@ bool AuditdNetlinkReader::configureAuditService() noexcept {
     // we have been asked to
     if (rule_add_error >= 0) {
       if (FLAGS_audit_debug) {
-        std::cout << "Audit rule installed for syscall " << syscall_number
-                  << std::endl;
+        VLOG(1) << "Audit rule installed for syscall " << syscall_number;
       }
 
       installed_rule_list_.push_back(rule);
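Review bot: The new guard in `stop()` skips `restoreAuditServiceConfiguration()` when `audit_allow_config` is off, which is only correct because `acquireHandle()` (later in this patch) installs rules and settings exclusively under that same flag; nothing at this call site records the invariant, so a later change to either side could leave osquery's rules installed or tear down a configuration osquery never owned. A one-line comment would pin it: `// Only undo what acquireHandle() did: rules and settings are installed only when audit_allow_config is set.` `stop()` continues past the end of this hunk.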
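Review bot: The return values of `audit_set_backlog_wait_time` and `audit_set_backlog_limit` are still discarded, and now that the values come from user flags a rejected setting (out of range, or a kernel/libaudit that predates the backlog wait time status field) fails silently while the daemon carries on as if its tuning applied; log it, e.g. `if (audit_set_backlog_wait_time(audit_netlink_handle_, FLAGS_audit_backlog_wait_time) < 0) { LOG(WARNING) << "Failed to set the audit backlog wait time"; }` and the same for the limit. The values are also never read back before being overwritten, so the restore path later in this patch can only write fixed constants (limit 0, wait time 60000) rather than the host's pre-osquery configuration — either query the current status with `audit_request_status` before configuring or document that teardown resets rather than restores. The comment above the calls still cites `-b 8192 -e 100`, which matches neither the old 4096 nor the new flag-driven values; I would replace it with `// Apply the configured backlog limit and wait time (audit_backlog_* flags); AUDIT_FAIL_SILENT keeps a full backlog from panicking or spamming the console.`, with the failure-mode wording checked against the kernel docs.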
@@ -380,8 +391,8 @@ bool AuditdNetlinkReader::configureAuditService() noexcept {
     }
 
     if (FLAGS_audit_debug) {
-      std::cout << "Audit rule for syscall " << syscall_number
-                << " could not be installed. Errno: " << (-errno) << std::endl;
+      VLOG(1) << "Audit rule for syscall " << syscall_number
+              << " could not be installed: " << (-errno);
     }
 
     if (FLAGS_audit_force_unconfigure) {
@@ -548,10 +559,6 @@ bool AuditdNetlinkReader::deleteAuditRule(
 }
 
 void AuditdNetlinkReader::restoreAuditServiceConfiguration() noexcept {
-  if (FLAGS_audit_debug) {
-    std::cout << "Uninstalling audit rules" << std::endl;
-  }
-
   // Remove the rules we have added
   VLOG(1) << "Uninstalling the audit rules we have installed";
 
@@ -562,14 +569,7 @@ void AuditdNetlinkReader::restoreAuditServiceConfiguration() noexcept {
   installed_rule_list_.clear();
 
-  // Restore audit configuration defaults.
-  if (FLAGS_audit_debug) {
-    std::cout << "Restoring default settings and disabling the service"
-              << std::endl;
-  }
-
   VLOG(1) << "Restoring the default configuration for the audit service";
-
   audit_set_backlog_limit(audit_netlink_handle_, 0);
   audit_set_backlog_wait_time(audit_netlink_handle_, 60000);
   audit_set_failure(audit_netlink_handle_, AUDIT_FAIL_PRINTK);
@@ -640,10 +640,6 @@ NetlinkStatus AuditdNetlinkReader::acquireHandle() noexcept {
       return NetlinkStatus::Error;
     }
-
-    if (FLAGS_audit_debug) {
-      std::cout << "Audit service enabled" << std::endl;
-    }
   }
 
   if (FLAGS_audit_allow_config) {
@@ -657,10 +653,6 @@ NetlinkStatus AuditdNetlinkReader::acquireHandle() noexcept {
     if (!configureAuditService()) {
       return NetlinkStatus::ActiveImmutable;
     }
-
-    if (FLAGS_audit_debug) {
-      std::cout << "Audit service configured" << std::endl;
-    }
   }
 
   return NetlinkStatus::ActiveMutable;
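Review bot: The new VLOG line still prints `(-errno)`, but `errno` is a global that any call between the failed rule install and this log can overwrite, and negating a positive errno only yields a misleading negative number. The function already holds the failure code in `rule_add_error` — the `>= 0` test in the previous hunk suggests it carries libaudit's `-errno` convention — so, if that is the case, use it and make it readable: `<< " could not be installed: " << strerror(-rule_add_error);` (with `<cstring>` in scope). `configureAuditService()` starts and ends outside this hunk.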
@@ -758,8 +750,7 @@ bool AuditdNetlinkParser::ParseAuditReply(
   event_record = {};
 
   if (FLAGS_audit_debug) {
-    std::cout << reply.type << ", " << std::string(reply.message, reply.len)
-              << std::endl;
+    VLOG(1) << reply.type << ", " << std::string(reply.message, reply.len);
   }
 
   // Parse the record header
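Review bot: Switching this dump from `std::cout` to `VLOG(1)` changes where raw audit records end up: the full netlink payload in `reply.message` (for EXECVE, PATH and user records that is argv, file paths and user names — including any secrets passed on a command line) now goes through the glog sink, which is typically persisted to the osquery log files rather than a developer's terminal. It is still gated on `audit_debug`, but that consequence should be stated at the point of the dump, e.g. `// Debug-only: writes every raw audit record (argv, paths, user names) to the log sink; do not enable audit_debug on production hosts.` `ParseAuditReply()` continues past the end of this hunk.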