Merge "Disable chmod auditd rules"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
3b3ba5892c
@ -55,11 +55,11 @@ auditd_rules:
|
||||
clock_settime: yes # V-38527
|
||||
clock_settimeofday: yes # V-38522
|
||||
clock_stime: yes # V-38525
|
||||
DAC_chmod: yes # V-38543
|
||||
DAC_chmod: no # V-38543
|
||||
DAC_chown: yes # V-38545
|
||||
DAC_lchown: yes # V-38558
|
||||
DAC_fchmod: yes # V-38547
|
||||
DAC_fchmodat: yes # V-38550
|
||||
DAC_fchmod: no # V-38547
|
||||
DAC_fchmodat: no # V-38550
|
||||
DAC_fchown: yes # V-38552
|
||||
DAC_fchownat: yes # V-38554
|
||||
DAC_fremovexattr: yes # V-38556
|
||||
|
||||
@ -1,2 +1,13 @@
|
||||
Rules are added for auditd to log discretionary access control permission
|
||||
changes done with chmod.
|
||||
**Exception**
|
||||
|
||||
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
|
||||
syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments
|
||||
and while updating packages with apt. By default, these rules are disabled.
|
||||
|
||||
These audit rules can be enabled by setting any of the following variables:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
auditd_rules['DAC_chmod']: yes
|
||||
auditd_rules['DAC_fchmod']: yes
|
||||
auditd_rules['DAC_fchmodat']: yes
|
||||
|
||||
@ -1,2 +0,0 @@
|
||||
Rules are added for auditd to log discretionary access control permission
|
||||
changes done with fchmod.
|
||||
1
doc/source/developer-notes/V-38547.rst
Symbolic link
1
doc/source/developer-notes/V-38547.rst
Symbolic link
@ -0,0 +1 @@
|
||||
V-38543.rst
|
||||
@ -1,3 +0,0 @@
|
||||
Audit rules are added in a task so that any events associated with the loading
|
||||
or unloading of a kernel module are logged. The new audit rule will be
|
||||
loaded immediately with ``augenrules --load``.
|
||||
1
doc/source/developer-notes/V-38550.rst
Symbolic link
1
doc/source/developer-notes/V-38550.rst
Symbolic link
@ -0,0 +1 @@
|
||||
V-38543.rst
|
||||
Loading…
x
Reference in New Issue
Block a user