Disable chmod auditd rules
These rules can cause high load during periods of large changes on a system. Closes-bug: 1536325 Change-Id: Ic088586c3059fd0dbef06a38f2478c14e7f88702
This commit is contained in:
Major Hayden
parent
62e1600993
commit
83cf2701eb
|
|
@ -55,11 +55,11 @@ auditd_rules:
|
|||
clock_settime: yes # V-38527
|
||||
clock_settimeofday: yes # V-38522
|
||||
clock_stime: yes # V-38525
|
||||
DAC_chmod: yes # V-38543
|
||||
DAC_chmod: no # V-38543
|
||||
DAC_chown: yes # V-38545
|
||||
DAC_lchown: yes # V-38558
|
||||
DAC_fchmod: yes # V-38547
|
||||
DAC_fchmodat: yes # V-38550
|
||||
DAC_fchmod: no # V-38547
|
||||
DAC_fchmodat: no # V-38550
|
||||
DAC_fchown: yes # V-38552
|
||||
DAC_fchownat: yes # V-38554
|
||||
DAC_fremovexattr: yes # V-38556
|
||||
|
|
|
|||
|
|
@ -1,2 +1,13 @@
|
|||
Rules are added for auditd to log discretionary access control permission
|
||||
changes done with chmod.
|
||||
**Exception**
|
||||
|
||||
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
|
||||
syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments
|
||||
and while updating packages with apt. By default, these rules are disabled.
|
||||
|
||||
These audit rules can be enabled by setting any of the following variables:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
auditd_rules['DAC_chmod']: yes
|
||||
auditd_rules['DAC_fchmod']: yes
|
||||
auditd_rules['DAC_fchmodat']: yes
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
Rules are added for auditd to log discretionary access control permission
|
||||
changes done with fchmod.
|
||||
|
|
@ -0,0 +1 @@
|
|||
V-38543.rst
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
Audit rules are added in a task so that any events associated with the loading
|
||||
or unloading of a kernel module are logged. The new audit rule will be
|
||||
loaded immediately with ``augenrules --load``.
|
||||
|
|
@ -0,0 +1 @@
|
|||
V-38543.rst
|
||||
Loading…
Reference in New Issue