From: Steve Grubb
Subject: Re: performance questions
Date: Fri, 30 Sep 2011 10:35:24 -0400
Message-ID: <201109301035.24672.sgrubb@redhat.com>
References: <1317310389.2959.93.camel@lcb> <201109300920.01318.sgrubb@redhat.com> <1317392443.2038.19.camel@lcb>
In-Reply-To: <1317392443.2038.19.camel@lcb>
To: LC Bruzenak
Cc: linux-audit@redhat.com

On Friday, September 30, 2011 10:20:43 AM LC Bruzenak wrote:
> On Fri, 2011-09-30 at 09:20 -0400, Steve Grubb wrote:
> > On Thursday, September 29, 2011 11:33:09 AM LC Bruzenak wrote:
> ...
> >
> > You might try this:
> ...
> >
> > - _get_exename(exename, sizeof(exename));
> > + if (exename[0] == 0)
> > + _get_exename(exename, sizeof(exename));
> >
> > if (tty == NULL)
> >
> > tty = _get_tty(ttyname, TTY_PATH);
> >
> > else if (*tty == 0)
>
> Well, we could (and then it would work like the others) but we really
> want to store the exename I think. Isn't that what becomes
> "exe=" in the event?

It does. You can strace it. :)

> > We can probably use the return value of fprintf() +1 (for the NULL byte)
> > and just keep the running total in memory.
>
> Oh, right. That would be more precise. Good idea!
>
> Since we're looking, what about the fstatfs in check_disk_space? Any
> thoughts on that one?

Probably can't get rid of that one. Many times people don't separate the audit
directory to its own partition. So, we wind up sharing space with
/var/log/messages which anyone can write to. Even if we had it exclusively,
sometimes there is a cron job that might come and grab files for archiving in
which case an internal count would be off.

-Steve
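
Review bot: the added `if (exename[0] == 0)` guard reads exename before anything in this hunk writes to it, so it is only correct if the buffer has static storage, which makes it zero-initialized and preserved across calls. If exename is an automatic array, the test reads indeterminate bytes and the lookup can be skipped with garbage left in the buffer. Suggest including the declaration in the patch so the static storage is visible, or adding a comment on the guard that states the requirement. Also worth a comment: if _get_exename() can fail and leave the buffer empty, the lookup is repeated on every call, which may or may not be the intent.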
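
The two accounting methods discussed in this message, side by side, as an added example that is not auditd's code: a running total built from fprintf()'s return value, and a free-space check with fstatfs(). The function names, the MiB unit and the sample record are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/vfs.h>            /* fstatfs() on Linux */

/* Hypothetical logger state: bytes written to the log by this process only. */
static unsigned long long logged_bytes;

/* Write one record and add fprintf()'s return value to the running total.
 * Returns the new total, or -1 if the write failed. */
long long log_record(FILE *log, const char *record)
{
    int n = fprintf(log, "%s\n", record);
    if (n < 0)
        return -1;
    logged_bytes += (unsigned long long)n;
    return (long long)logged_bytes;
}

/* Free space in MiB available to unprivileged writers on the filesystem
 * that holds the log. This reflects every writer on the partition and any
 * files removed by an archiving job, which the counter above cannot see.
 * Returns -1 on error. */
long long free_space_mb(FILE *log)
{
    struct statfs st;

    if (fflush(log) != 0 || fstatfs(fileno(log), &st) != 0)
        return -1;
    return (long long)((unsigned long long)st.f_bavail *
                       (unsigned long long)st.f_bsize / (1024ULL * 1024ULL));
}

/* Low-space decision: treat an fstatfs() failure as low space (fail safe). */
int space_left_low(FILE *log, long long threshold_mb)
{
    long long mb = free_space_mb(log);
    return mb < 0 || mb < threshold_mb;
}

int main(void)
{
    FILE *log = tmpfile();      /* constructed stand-in for the audit log */
    if (log == NULL)
        return 1;
    log_record(log, "type=USER_LOGIN msg=constructed-sample");
    printf("own bytes: %llu, filesystem free: %lld MiB\n",
           logged_bytes, free_space_mb(log));
    fclose(log);
    return 0;
}
```

The counter is exact for the logger's own output but says nothing about the partition, so it can track the log file's size while the fstatfs() result remains the input to the low-space decision.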