From: Amy Griffis <amy.griffis@hp.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com
Subject: Re: Watch Performance
Date: Mon, 10 Apr 2006 23:51:38 -0400 [thread overview]
Message-ID: <20060411035138.GD656@sage.flatmonk> (raw)
In-Reply-To: <200604081221.58080.sgrubb@redhat.com>
Steve,
In order for these numbers to be meaningful, a little more information
is needed:
1) what audit rules did you use?
2) what system call(s) did you measure?
Steve Grubb wrote: [Sat Apr 08 2006, 12:21:57PM EDT]
> Hello,
>
> Over the last day or two, I re-worked the user space audit code to be able to
> control the new file system audit subsystem. As I was doing the work, I
> became concerned about the performance impact since it appears to be using
> the syscall exit filter.
>
> The syscall exit filter (and entry filter) is expensive to use except in cases
> where you need to use it. This is because each rule in it must be examined
> during each syscall to see if the current syscall is of interest. The current
> lspp configuration has 10 syscall audit rules.
>
> I became curious what the measured impact would be with the current file
> system audit implementation. I decide to run the same performance test that I
> tested the audit system with a couple weeks ago when inode and IPC problems
> were noticed. I used the lspp.16 kernel with profile=2 boot param. The
> following table shows the results:
>
> rules seconds
> 0 49
> 10 56
> 25 75
> 50 115
> 75 143
> 90 185
3) how many operations were completed in N seconds?
>
>
> 0 rules had this for function usage:
>
> 1284 __d_lookup 4.7380
> 1170 __link_path_walk 0.3098
> 1065 avc_has_perm_noaudit 1.2144
> 706 _atomic_dec_and_lock 8.4048
> 612 do_path_lookup 0.8204
> 561 dput 1.2986
> 509 _raw_spin_lock 2.1477
>
> 10 rules had this:
>
> 1295 __d_lookup 4.7786
> 1089 audit_filter_syscall 6.3684
> 1081 __link_path_walk 0.2862
> 889 avc_has_perm_noaudit 1.0137
> 676 audit_getname 2.6000
> 658 do_path_lookup 0.8820
> 596 _atomic_dec_and_lock 7.0952
>
> 25 rules had this:
>
> 3193 audit_filter_rules 3.0009
> 2178 audit_filter_syscall 12.7368
> 1280 __d_lookup 4.7232
> 1131 __link_path_walk 0.2994
> 956 avc_has_perm_noaudit 1.0901
> 652 _atomic_dec_and_lock 7.7619
> 530 dput 1.2269
>
> 50 rules had this:
>
> 11213 audit_filter_rules 10.5385
> 4654 audit_filter_syscall 27.2164
> 4100 selinux_task_ctxid 141.3793
> 1212 __d_lookup 4.4723
> 1103 __link_path_walk 0.2920
> 1012 avc_has_perm_noaudit 1.1539
> 788 _atomic_dec_and_lock 9.3810
>
> 75 had this:
>
> 15351 audit_filter_rules 14.4276
> 6032 audit_filter_syscall 35.2749
> 2066 selinux_task_ctxid 71.2414
> 1237 __d_lookup 4.5646
> 1184 __link_path_walk 0.3135
> 1014 avc_has_perm_noaudit 1.1562
> 592 _atomic_dec_and_lock 7.0476
>
> and 90 rules had this:
>
> 18287 audit_filter_rules 17.1870
> 9173 audit_filter_syscall 53.6433
> 4346 selinux_task_ctxid 149.8621
> 1314 __link_path_walk 0.3479
> 1218 __d_lookup 4.4945
> 1070 avc_has_perm_noaudit 1.2201
> 682 _atomic_dec_and_lock 8.1190
>
>
> As you can see, the audit_filter_rules and audit_filter_syscall overwhelmed
> the profile quickly. It would not be unreasonable for a system to have 40
> watches. The lspp rules have 56 of them. With 10 syscall rules added, the
> performance of a correctly configured lspp machine will be similar to the 75
> rules test. This represents a 186% performance hit compared to no audit
> rules.
>
> I do not believe optimizing the audit_filter_rules function will solve the
> problem. I think the file system audit algorithm needs to be re-thought. It
> simply cannot penalize every syscall.
>
> There are several ways to solve the problem. Maybe what we need to do is use
> the watch list to store watches on and add a new field to the context. If a
> watch is triggered it sets the flag in the context. When syscall exit is
> done, it checks the flag and if set, does both the watch list and the exit
> list. Otherwise, it skips the watch list. I don't know if this is feasible,
> or a preferred solution, but we need to start looking at how to decouple the
> exit list and watches.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
next prev parent reply other threads:[~2006-04-11 3:51 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-08 16:21 Watch Performance Steve Grubb
2006-04-09 19:48 ` Steve Grubb
2006-04-11 13:12 ` Steve Grubb
2006-04-11 3:51 ` Amy Griffis [this message]
2006-04-11 10:26 ` Steve Grubb
2006-04-11 16:11 ` Amy Griffis
2006-04-11 21:01 ` Steve Grubb
2006-04-11 21:21 ` Linda Knippers
2006-04-12 21:15 ` Amy Griffis
2006-04-17 15:27 ` Timothy R. Chavez
2006-04-17 20:06 ` Klaus Weidner
2006-04-21 15:01 ` Amy Griffis
2006-04-21 15:13 ` Steve Grubb
2006-04-21 15:10 ` Linda Knippers
2006-04-21 16:07 ` Alexander Viro
2006-04-24 15:34 ` Amy Griffis
2006-05-10 15:32 ` Steve Grubb
2006-05-10 16:34 ` Alexander Viro
2006-05-10 19:23 ` Steve Grubb
2006-05-10 19:37 ` Alexander Viro
2006-05-10 19:51 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060411035138.GD656@sage.flatmonk \
--to=amy.griffis@hp.com \
--cc=linux-audit@redhat.com \
--cc=redhat-lspp@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.