is there a risk that a malicious container could fill the log if this is enabled by default?
The log message always has a limited line length according to: https://github.com/torvalds/linux/blob/23d04328444a8fa0ca060c5e532220dac8e8bc26/kernel/auditsc.c#L2946-L2970
The kernel has an audit rate limit as well as backlog limit. Auditd has a file rotation in place as well.
In theory users can still specify SCMP_ACT_LOG as default action, which would log all syscalls and not exclude the allowed ones.
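To make the point about allowed syscalls concrete, here is a small added example (not code from this PR or its project): a Python model of how an OCI seccomp profile resolves each syscall, used to count the audit records a request would generate under a log-everything profile versus one that allowlists the expected syscalls. The two profiles and the per-request syscall trace are constructed for this example; argument filters are ignored.

```python
import json

# Constructed profiles in the OCI runtime-spec seccomp JSON format.
# LOG_EVERYTHING is the profile from the discussion above: every syscall
# falls through to the default action and is sent to the audit log.
LOG_EVERYTHING = json.dumps({"defaultAction": "SCMP_ACT_LOG"})

# Same default action, but the syscalls the workload is known to need are
# explicitly allowed, so only unexpected syscalls are logged.
ALLOWLIST_THEN_LOG = json.dumps({
    "defaultAction": "SCMP_ACT_LOG",
    "syscalls": [{
        "names": ["read", "write", "close", "sendfile", "exit_group"],
        "action": "SCMP_ACT_ALLOW",
    }],
})

# Constructed per-request trace: 1x sendfile and 2x close per request.
REQUEST_TRACE = ["sendfile", "close", "close"]


def resolve_actions(profile_json: str) -> tuple[str, dict[str, str]]:
    """Return (defaultAction, {syscall_name: action}) for a profile.

    Simplifications: argument filters ("args") are ignored, and when a
    syscall name appears in several rules the first rule is taken.
    """
    profile = json.loads(profile_json)
    explicit: dict[str, str] = {}
    for rule in profile.get("syscalls", []):
        for name in rule.get("names", []):
            explicit.setdefault(name, rule["action"])
    return profile.get("defaultAction", "SCMP_ACT_ERRNO"), explicit


def logged_syscalls(profile_json: str, trace: list[str]) -> list[str]:
    """Syscalls from `trace` that would produce an audit record.

    SCMP_ACT_LOG lets the syscall run but emits one audit record per hit,
    so these are the calls that drive audit log volume.
    """
    default, explicit = resolve_actions(profile_json)
    return [s for s in trace if explicit.get(s, default) == "SCMP_ACT_LOG"]


def audit_records_per_requests(profile_json: str, trace: list[str], requests: int) -> int:
    """Upper bound on audit records for `requests` requests that each issue `trace`.

    The kernel audit rate limit and backlog limit can drop records below this figure.
    """
    return len(logged_syscalls(profile_json, trace)) * requests


if __name__ == "__main__":
    for label, prof in [("log-everything", LOG_EVERYTHING), ("allowlist", ALLOWLIST_THEN_LOG)]:
        print(label, audit_records_per_requests(prof, REQUEST_TRACE, 10_000))
```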
The log filter level may have a negative performance impact, I'll do some testing around this.
Benchmark results

(The Environment, Test pod, Test and Results sections of this comment did not survive extraction; only the following details remain.)

Syscalls measured: sendfile (1x per request), close (2x per request)
Profile under test: { "defaultAction": "SCMP_ACT_LOG" }
It's interesting to see the impact of logging, which is executed in the kernel there:
https://github.com/torvalds/linux/blob/7e57714cd0ad2d5bb90e50b5096a0e671dec1ef3/kernel/auditsc.c#L2946-L2970
My local machine spikes audit CPU usage during the test, for example with SCMP_ACT_LOG:

Audit settings: