From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Watch Performance
Date: Tue, 11 Apr 2006 17:01:23 -0400
Message-ID: <200604111701.23649.sgrubb@redhat.com>
References: <200604081221.58080.sgrubb@redhat.com> <200604110626.26843.sgrubb@redhat.com> <20060411161141.GA16506@zk3.dec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20060411161141.GA16506@zk3.dec.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: redhat-lspp@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 11 April 2006 12:11, Amy Griffis wrote:
> -a exit,always -S chmod -S fchmod -S chown -S fchown -S lchown
> -S creat -S open -S truncate -S ftruncate -S mkdir -S rmdir -S unlink
> -S rename -S link -S symlink -F watch=/etc/sysconfig/console
>
> Now you don't have any rules for access(), so using it as the test
> case is much more interesting.

OK, I re-worked auditctl to use these syscalls instead of "all". I then re-ran the tests on the same kernel as I was testing on, since lspp.17 has slab debug stuff turned on again.

rules   seconds   loss
    0        50     0%
   10        52     4%
   25        56    12%
   50        69    38%
   75        81    62%
   90        87    74%

The 75-rule performance hit is now 62%, so there is some improvement in performance. RHEL4 has a 6% hit for 90 rules. We've narrowed the difference, but I don't consider this solved.

I also don't like the idea of handling this by listing all those syscalls or using "all", because user space tools could get out of sync with the kernel. On any kernel upgrade, there could be a new syscall that allows file system access. The user space tools wouldn't know about it and wouldn't provide automatic coverage.

-Steve
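The rule set and the loss column above, as an added example that is not code from this thread or from the audit package. The POSIX shell script below generates an N-rule watch rule set in the auditctl syntax quoted in the message, either with the explicit file-access syscall list or with "-S all", and computes the percent loss against the 0-rule baseline the way the table does. The watch path prefix, the rule counts and the "all" switch are assumptions for illustration; loading the rules (auditctl -R) and timing a workload need root and are not run here.

```shell
#!/bin/sh
# Added example, not from the thread: build an N-rule watch rule set and
# compute the loss column. Paths and counts are hypothetical.

# The explicit file-access syscall list from the quoted rule. The thread's
# caveat applies: this list lives in user space and can lag behind the kernel.
FS_SYSCALLS="chmod fchmod chown fchown lchown creat open truncate ftruncate mkdir rmdir unlink rename link symlink"

# Emit one "-a exit,always ... -F watch=<prefix><i>" rule per line, i.e. a
# rules file for "auditctl -R <file>" (root required; not run here).
# $1 = number of rules, $2 = watch path prefix (hypothetical),
# $3 = "list" (explicit syscalls, default) or "all" (-S all).
gen_watch_rules() {
    n=$1; prefix=$2; mode=${3:-list}
    i=1
    while [ "$i" -le "$n" ]; do
        if [ "$mode" = all ]; then
            printf '%s\n' "-a exit,always -S all -F watch=$prefix$i"
        else
            line="-a exit,always"
            for sc in $FS_SYSCALLS; do line="$line -S $sc"; done
            printf '%s\n' "$line -F watch=$prefix$i"
        fi
        i=$((i + 1))
    done
}

# Percent slowdown relative to the 0-rule baseline, integer arithmetic,
# matching the table in the message: $1 = baseline seconds, $2 = measured.
loss_pct() {
    base=$1; secs=$2
    echo $(( (secs - base) * 100 / base ))
}

# Print a "rules seconds loss" table from a baseline and "rules:seconds" pairs.
loss_table() {
    base=$1; shift
    printf '%5s %8s %5s\n' rules seconds loss
    for pair in "$@"; do
        rules=${pair%%:*}; secs=${pair#*:}
        printf '%5s %8s %4s%%\n' "$rules" "$secs" "$(loss_pct "$base" "$secs")"
    done
}

# Stand-alone run: three sample rules, then the figures reported above.
gen_watch_rules 3 /etc/sysconfig/watchtest
gen_watch_rules 1 /etc/sysconfig/watchtest all
loss_table 50 0:50 10:52 25:56 50:69 75:81 90:87
```

To reproduce the measurement itself, write the generated rules to a file, load them with auditctl -R as root, time a fixed workload, and feed the 0-rule and N-rule timings to loss_pct; the "all" mode exists so the two rule styles the message compares can be generated from the same script.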