Hi,
Based on finding an unnecessary function call to selinux_task_ctxid when
evaluating syscall rules, I built a new kernel and re-ran the same tests.

rules   seconds   loss
    0        47     0%
   10        53    11%
   25        68    43%
   50        99   109%
   75       132   178%
   90       157   232%

The 75 rule performance hit is now 178% instead of 184%. So there is some
notable improvement in performance.
For comparison, I also loaded the 90 rules config into RHEL4. There is only a
6% performance hit compared to no rules. I think the bulk of that comes from
evaluating the 10 syscall rules rather than the file system audit code.
-Steve