On Tuesday 11 April 2006 12:11, Amy Griffis wrote:
-a exit,always -S chmod -S fchmod -S chown -S fchown -S lchown
-S creat -S open -S truncate -S ftruncate -S mkdir -S rmdir -S unlink
-S rename -S link -S symlink -F watch=/etc/sysconfig/console
Now you don't have any rules for access(), so using it as the test
case is much more interesting.
OK, I re-worked auditctl to use these syscalls instead of "all". I then re-ran
the tests on the same kernel as I was testing on since lspp.17 has slab debug
stuff turned on again.
rules   seconds   loss
    0        50     0%
   10        52     4%
   25        56    12%
   50        69    38%
   75        81    62%
   90        87    74%
The 75 rule performance hit is now 62%. So there is some improvement in
performance. RHEL4 has a 6% hit for 90 rules. We've narrowed the difference,
but I don't consider this solved.
I also don't like the idea of handling this by all those syscalls or using
"all" because user space tools could get out of sync with the kernel. On any
kernel upgrade, there could be a new syscall that allows file system access.
The user space tools wouldn't know about it and wouldn't provide automatic
coverage.
-Steve
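The drift Steve describes (a per-syscall rule list silently missing a file-access syscall the kernel added later) is easy to check for mechanically. The script below is an added example, not code from this thread or from the audit project: it parses rule lines in the auditctl syntax quoted above and reports which syscalls from an expected list are not covered for a given watch. The expected list is a constructed assumption: the syscalls named in the thread plus openat, which entered the kernel in 2.6.16 and is exactly the kind of addition the rule set above would miss. A rule using -S all is treated as covering everything.

```python
"""Audit-rule coverage check (added example, not from the original thread).

Parses auditctl-style rule lines (-a exit,always -S <syscall> ... -F watch=<path>)
and reports which syscalls from an assumed list of file-access syscalls are
not covered for a watched path.
"""
import shlex
from typing import Dict, Set

# Constructed assumption: the syscalls named in the quoted rule set, plus
# openat, which was added in Linux 2.6.16 and is absent from that rule set.
FILE_ACCESS_SYSCALLS: Set[str] = {
    "chmod", "fchmod", "chown", "fchown", "lchown", "creat", "open",
    "truncate", "ftruncate", "mkdir", "rmdir", "unlink", "rename", "link",
    "symlink",
    "openat",
}


def parse_rules(text: str) -> Dict[str, Set[str]]:
    """Return {watch_path: set_of_syscalls} for every rule carrying -F watch=.

    Rules may span several physical lines (as in the quoted mail); each '-a'
    flag starts a new rule. Only the -a/-S/-F flags used above are accepted.
    """
    rules = []
    current = None
    tokens = shlex.split(text)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-a":
            current = {"list": tokens[i + 1], "syscalls": set(), "fields": {}}
            rules.append(current)
            i += 2
            continue
        if current is None:
            raise ValueError(f"flag {tok!r} appears before any -a")
        if tok == "-S":
            current["syscalls"].add(tokens[i + 1])
            i += 2
        elif tok == "-F":
            key, _, value = tokens[i + 1].partition("=")
            current["fields"][key] = value
            i += 2
        else:
            raise ValueError(f"unsupported flag {tok!r}")

    coverage: Dict[str, Set[str]] = {}
    for rule in rules:
        path = rule["fields"].get("watch")
        if path is None:
            continue  # not a file watch; ignored by this check
        coverage.setdefault(path, set()).update(rule["syscalls"])
    return coverage


def uncovered_syscalls(coverage: Dict[str, Set[str]], path: str,
                       expected: Set[str] = FILE_ACCESS_SYSCALLS) -> Set[str]:
    """Syscalls in `expected` that no rule audits for `path` ('all' covers everything)."""
    covered = coverage.get(path, set())
    if "all" in covered:
        return set()
    return expected - covered


# Constructed sample: the rule quoted in the thread plus one '-S all' rule.
SAMPLE_RULES = """\
-a exit,always -S chmod -S fchmod -S chown -S fchown -S lchown
-S creat -S open -S truncate -S ftruncate -S mkdir -S rmdir -S unlink
-S rename -S link -S symlink -F watch=/etc/sysconfig/console
-a exit,always -S all -F watch=/etc/shadow
"""

if __name__ == "__main__":
    cov = parse_rules(SAMPLE_RULES)
    for watched in sorted(cov):
        missing = sorted(uncovered_syscalls(cov, watched))
        print(f"{watched}: uncovered = {missing or 'none'}")
```

Run against the sample, the per-syscall watch on /etc/sysconfig/console reports openat as uncovered, while the -S all watch reports nothing. In practice the expected set would be regenerated from the running kernel's syscall table rather than hard-coded, which is the point of Steve's objection: the user space rule list cannot know about syscalls that did not exist when it was written.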