audit: Allow configuring audit_backlog_wait_time (#5953)

Read the analysis within #5952.

There are multiple sources suggesting an optimal value is 0. Our
implementation previously hardcoded the value to 1. It is now 0 and can
be configured to a different value using the audit_backlog_wait_time
option or command line flag.
This commit is contained in:
Teddy Reed 2019-10-31 12:05:00 -04:00 committed by GitHub
parent b0bf653745
commit 0a68a695e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -53,6 +53,12 @@ FLAG(bool,
false,
"Configure the audit subsystem from scratch");
/// This value is passed directly to the audit API.
FLAG(int32, audit_backlog_wait_time, 0, "The audit backlog wait time");
/// This value is passed directly to the audit API.
FLAG(int32, audit_backlog_limit, 4096, "The audit backlog limit");
// External flags; they are used to determine which rules need to be installed
DECLARE_bool(audit_allow_fim_events);
DECLARE_bool(audit_allow_process_events);
@ -61,14 +67,16 @@ DECLARE_bool(audit_allow_sockets);
DECLARE_bool(audit_allow_user_events);
DECLARE_bool(audit_allow_selinux_events);
// user messages should be filtered
// also, we should handle the 2nd user message type
namespace {
bool IsSELinuxRecord(const audit_reply& reply) noexcept {
static const auto& selinux_event_set = kSELinuxEventList;
return (selinux_event_set.find(reply.type) != selinux_event_set.end());
}
/**
* User messages should be filtered. Also, we should handle the 2nd user
* message type.
*/
bool ShouldHandle(const audit_reply& reply) noexcept {
if (IsSELinuxRecord(reply)) {
return FLAGS_audit_allow_selinux_events;
@ -146,7 +154,7 @@ void AuditdNetlinkReader::start() {
while (!interrupted()) {
if (auditd_context_->acquire_handle) {
if (FLAGS_audit_debug) {
std::cout << "(re)acquiring the audit handle.." << std::endl;
VLOG(1) << "(Re)acquiring the audit handle";
}
NetlinkStatus netlink_status = acquireHandle();
@ -196,7 +204,10 @@ void AuditdNetlinkReader::stop() {
VLOG(1) << "Releasing the audit handle...";
auditd_context_->unprocessed_records_cv.notify_all();
if (FLAGS_audit_allow_config) {
restoreAuditServiceConfiguration();
}
audit_close(audit_netlink_handle_);
audit_netlink_handle_ = -1;
@ -304,8 +315,9 @@ bool AuditdNetlinkReader::configureAuditService() noexcept {
// Want to set a min sane buffer and maximum number of events/second min.
// This is normally controlled through the audit config, but we must
// enforce sane minimums: -b 8192 -e 100
audit_set_backlog_wait_time(audit_netlink_handle_, 1);
audit_set_backlog_limit(audit_netlink_handle_, 4096);
audit_set_backlog_wait_time(audit_netlink_handle_,
FLAGS_audit_backlog_wait_time);
audit_set_backlog_limit(audit_netlink_handle_, FLAGS_audit_backlog_limit);
audit_set_failure(audit_netlink_handle_, AUDIT_FAIL_SILENT);
// Request only the highest priority of audit status messages.
@ -371,8 +383,7 @@ bool AuditdNetlinkReader::configureAuditService() noexcept {
// we have been asked to
if (rule_add_error >= 0) {
if (FLAGS_audit_debug) {
std::cout << "Audit rule installed for syscall " << syscall_number
<< std::endl;
VLOG(1) << "Audit rule installed for syscall " << syscall_number;
}
installed_rule_list_.push_back(rule);
@ -380,8 +391,8 @@ bool AuditdNetlinkReader::configureAuditService() noexcept {
}
if (FLAGS_audit_debug) {
std::cout << "Audit rule for syscall " << syscall_number
<< " could not be installed. Errno: " << (-errno) << std::endl;
VLOG(1) << "Audit rule for syscall " << syscall_number
<< " could not be installed: " << (-errno);
}
if (FLAGS_audit_force_unconfigure) {
@ -548,10 +559,6 @@ bool AuditdNetlinkReader::deleteAuditRule(
}
void AuditdNetlinkReader::restoreAuditServiceConfiguration() noexcept {
if (FLAGS_audit_debug) {
std::cout << "Uninstalling audit rules" << std::endl;
}
// Remove the rules we have added
VLOG(1) << "Uninstalling the audit rules we have installed";
@ -562,14 +569,7 @@ void AuditdNetlinkReader::restoreAuditServiceConfiguration() noexcept {
installed_rule_list_.clear();
// Restore audit configuration defaults.
if (FLAGS_audit_debug) {
std::cout << "Restoring default settings and disabling the service"
<< std::endl;
}
VLOG(1) << "Restoring the default configuration for the audit service";
audit_set_backlog_limit(audit_netlink_handle_, 0);
audit_set_backlog_wait_time(audit_netlink_handle_, 60000);
audit_set_failure(audit_netlink_handle_, AUDIT_FAIL_PRINTK);
@ -640,10 +640,6 @@ NetlinkStatus AuditdNetlinkReader::acquireHandle() noexcept {
return NetlinkStatus::Error;
}
if (FLAGS_audit_debug) {
std::cout << "Audit service enabled" << std::endl;
}
}
if (FLAGS_audit_allow_config) {
@ -657,10 +653,6 @@ NetlinkStatus AuditdNetlinkReader::acquireHandle() noexcept {
if (!configureAuditService()) {
return NetlinkStatus::ActiveImmutable;
}
if (FLAGS_audit_debug) {
std::cout << "Audit service configured" << std::endl;
}
}
return NetlinkStatus::ActiveMutable;
@ -758,8 +750,7 @@ bool AuditdNetlinkParser::ParseAuditReply(
event_record = {};
if (FLAGS_audit_debug) {
std::cout << reply.type << ", " << std::string(reply.message, reply.len)
<< std::endl;
VLOG(1) << reply.type << ", " << std::string(reply.message, reply.len);
}
// Parse the record header