--- "Timothy R. Chavez" <chavezt(a)gmail.com> wrote:
> ... Better to do this filtering in userspace via a daemon than in the
> kernel. We should keep the in-kernel audit subsystem as small and
> efficient as possible. Anything that can be delegated to userspace
> should be delegated to userspace.

For this scheme to work the kernel has to generate all possible records
and pass them on for filtering. This is much less efficient than having
the kernel filter records that are known to be uninteresting. Filtering
must be done at a place where sufficient information is available to
make the choice, and that means it must be done in the kernel or that
all possible filtering criteria must be passed on.

There is no existing U2X audit implementation that does all the
filtering in user space. It is not possible to reliably deliver the
total audit volume from a busy 4cpu system through a single daemon.
Attempting to do so will validate the notion that auditing slows the
system. A kernel-based filter scheme, believe it or not, is much more
efficient just on the basis of data copying than any userland scheme
can hope to be.

I understand the pain involved with putting a big chunk of code into
the kernel. In this case the alternative is not viable.

=====
Casey Schaufler
casey(a)schaufler-ca.com