From 83cf2701eb5274a008e81afd6bddc4ec4dc5f9d8 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 20 Jan 2016 12:54:57 -0600
Subject: [PATCH] Disable chmod auditd rules

These rules can cause high load during periods of large changes on a system.

Closes-bug: 1536325
Change-Id: Ic088586c3059fd0dbef06a38f2478c14e7f88702
---
 defaults/main.yml | 6 +++---
 doc/source/developer-notes/V-38543.rst | 15 +++++++++++++--
 doc/source/developer-notes/V-38547.rst | 3 +-
 doc/source/developer-notes/V-38550.rst | 4 +---
 4 files changed, 18 insertions(+), 10 deletions(-)
 mode change 100644 => 120000 doc/source/developer-notes/V-38547.rst
 mode change 100644 => 120000 doc/source/developer-notes/V-38550.rst

diff --git a/defaults/main.yml b/defaults/main.yml
index b529b732..73c67782 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -55,11 +55,11 @@ auditd_rules:
 clock_settime: yes # V-38527
 clock_settimeofday: yes # V-38522
 clock_stime: yes # V-38525
- DAC_chmod: yes # V-38543
+ DAC_chmod: no # V-38543
 DAC_chown: yes # V-38545
 DAC_lchown: yes # V-38558
- DAC_fchmod: yes # V-38547
- DAC_fchmodat: yes # V-38550
+ DAC_fchmod: no # V-38547
+ DAC_fchmodat: no # V-38550
 DAC_fchown: yes # V-38552
 DAC_fchownat: yes # V-38554
 DAC_fremovexattr: yes # V-38556
diff --git a/doc/source/developer-notes/V-38543.rst b/doc/source/developer-notes/V-38543.rst
index 75996c91..b87898f5 100644
--- a/doc/source/developer-notes/V-38543.rst
+++ b/doc/source/developer-notes/V-38543.rst
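Review bot: Setting `DAC_chmod`, `DAC_fchmod` and `DAC_fchmodat` to `no` switches off the STIG-mandated auditing of permission changes for every deployment, but nothing in defaults/main.yml records why; the only rationale lives in the developer note, so a deployer reading the defaults sees a control marked `no # V-38543` with no hint that it is a deliberate, documented exception. I would carry the reason on the lines themselves, e.g. `DAC_chmod: no # V-38543 - off by default (high load), see developer note` and the same on the two `DAC_fchmod*` lines, so the deviation is visible where the value is set. The override example in the V-38543 note (`auditd_rules['DAC_chmod']: yes`) is not a form Ansible accepts as a variable assignment, and with the default hash_behaviour a deployer who sets `auditd_rules` replaces the whole dict, so the note should show the working override or state that the full map must be redefined. No release note or changelog entry for the changed default appears in this patch; if the repository keeps one, the fact that existing deployments lose chmod audit coverage on upgrade is worth recording there.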
@@ -1,2 +1,13 @@
-Rules are added for auditd to log discretionary access control permission
-changes done with chmod.
+**Exception**
+
+The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
+syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments
+and while updating packages with apt. By default, these rules are disabled.
+
+These audit rules can be enabled by setting any of the following variables:
+
+.. code-block:: yaml
+
+ auditd_rules['DAC_chmod']: yes
+ auditd_rules['DAC_fchmod']: yes
+ auditd_rules['DAC_fchmodat']: yes
diff --git a/doc/source/developer-notes/V-38547.rst b/doc/source/developer-notes/V-38547.rst
deleted file mode 100644
index 4a4f9c0e..00000000
--- a/doc/source/developer-notes/V-38547.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Rules are added for auditd to log discretionary access control permission
-changes done with fchmod.
diff --git a/doc/source/developer-notes/V-38547.rst b/doc/source/developer-notes/V-38547.rst
new file mode 120000
index 00000000..8f760f7e
--- /dev/null
+++ b/doc/source/developer-notes/V-38547.rst
@@ -0,0 +1 @@
+V-38543.rst
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38550.rst b/doc/source/developer-notes/V-38550.rst
deleted file mode 100644
index f876925c..00000000
--- a/doc/source/developer-notes/V-38550.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-Audit rules are added in a task so that any events associated with the loading
-or unloading of a kernel module are logged. The new audit rule will be
-loaded immediately with ``augenrules --load``.
diff --git a/doc/source/developer-notes/V-38550.rst b/doc/source/developer-notes/V-38550.rst
new file mode 120000
index 00000000..8f760f7e
--- /dev/null
+++ b/doc/source/developer-notes/V-38550.rst
@@ -0,0 +1 @@
+V-38543.rst
\ No newline at end of file