expected performance hit for logging all execve's?

expected performance hit for logging all execve's?

[Peter Moody]

I'm trying to run some tests so I can find locally relevant numbers,
but I was wondering if you had any idea what sort of performance hit
I'd be incurring by logging every successful execve.

To be sure, I consider this a bad idea and I'm actually looking to
disuade people of it.

Cheers,
peter

-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

Re: expected performance hit for logging all execve's?

[Steve Grubb]

On Friday, January 20, 2012 03:06:13 PM Peter Moody wrote:
> I'm trying to run some tests so I can find locally relevant numbers,
> but I was wondering if you had any idea what sort of performance hit
> I'd be incurring by logging every successful execve.
> 
> To be sure, I consider this a bad idea and I'm actually looking to
> disuade people of it.

It is a bad idea. Think of shell scripting.You can get 100s of execve's for just 
one command on a command line. You'll never find what you think you wanted. I 
think we did some testing over 5 years ago. There was a micro-benchmark here:

http://people.redhat.com/sgrubb/files/lspp-perf.tar.gz

I think it was testing the access syscall. But you can substitute what you want. 
I have not benchmarked the audit system in years.

-Steve