Disable chmod auditd rules

These rules can cause high load during periods of large changes on a system. Closes-bug: 1536325 Change-Id: Ic088586c3059fd0dbef06a38f2478c14e7f88702
2016-01-20 12:54:57 -06:00 · 2016-01-20 12:54:57 -06:00 · 83cf2701eb
commit 83cf2701eb
parent 62e1600993
4 changed files with 18 additions and 10 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -55,11 +55,11 @@ auditd_rules:
  clock_settime: yes                              # V-38527
  clock_settimeofday: yes                         # V-38522
  clock_stime: yes                                # V-38525
-  DAC_chmod: yes                                  # V-38543
+  DAC_chmod: no                                   # V-38543
  DAC_chown: yes                                  # V-38545
  DAC_lchown: yes                                 # V-38558
-  DAC_fchmod: yes                                 # V-38547
-  DAC_fchmodat: yes                               # V-38550
+  DAC_fchmod: no                                  # V-38547
+  DAC_fchmodat: no                                # V-38550
  DAC_fchown: yes                                 # V-38552
  DAC_fchownat: yes                               # V-38554
  DAC_fremovexattr: yes                           # V-38556
--- a/doc/source/developer-notes/V-38543.rst
+++ b/doc/source/developer-notes/V-38543.rst
@ -1,2 +1,13 @@
-Rules are added for auditd to log discretionary access control permission
-changes done with chmod.
+**Exception**
+
+The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
+syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments
+and while updating packages with apt. By default, these rules are disabled.
+
+These audit rules can be enabled by setting any of the following variables:
+
+.. code-block:: yaml
+
+    auditd_rules['DAC_chmod']: yes
+    auditd_rules['DAC_fchmod']: yes
+    auditd_rules['DAC_fchmodat']: yes
--- a/doc/source/developer-notes/V-38547.rst
+++ b/doc/source/developer-notes/V-38547.rst
@ -1,2 +0,0 @@
-Rules are added for auditd to log discretionary access control permission
-changes done with fchmod.
--- a/doc/source/developer-notes/V-38547.rst
+++ b/doc/source/developer-notes/V-38547.rst
@ -0,0 +1 @@
+V-38543.rst
--- a/doc/source/developer-notes/V-38550.rst
+++ b/doc/source/developer-notes/V-38550.rst
@ -1,3 +0,0 @@
-Audit rules are added in a task so that any events associated with the loading
-or unloading of a kernel module are logged.  The new audit rule will be
-loaded immediately with ``augenrules --load``.
--- a/doc/source/developer-notes/V-38550.rst
+++ b/doc/source/developer-notes/V-38550.rst
@ -0,0 +1 @@
+V-38543.rst