From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Watch Performance
Date: Sun, 9 Apr 2006 15:48:41 -0400
Message-ID: <200604091548.41324.sgrubb@redhat.com>
References: <200604081221.58080.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <200604081221.58080.sgrubb@redhat.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: redhat-lspp@redhat.com
List-Id: linux-audit@redhat.com

Hi,

Based on finding an unnecessary function call to selinux_task_ctxid when=20
evaluating syscall rules, I built a new kernel and re-ran the same tests.

rules =A0seconds    loss
0 =A0 =A0 =A0 =A047            0%
10 =A0 =A0 =A053            11%
25 =A0 =A0 =A068            43%
50 =A0 =A0 =A099            109%
75 =A0 =A0 =A0132          178%
90 =A0 =A0 =A0157          232%

The 75 rule performance hit is now 178% instead of 184%. So there is some=
=20
notable improvement in performance.=20

For comparison, I also loaded the 90 rules config into RHEL4. There is on=
ly a=20
6% performance hit compared to no rules. I think the bulk of that comes f=
rom=20
evaluating the 10 syscall rules rather than the file system audit code.

-Steve