Has someone done some work related to the performance impact of enabling auditd on syscalls watching?

While obviously not extremely thorough a research group I'm involved in has looked at the performance impact of Audit though in this case specific to Android mobile devices on ARM. Check the section at the end of page 4. https://www.usenix.org/system/files/conference/tapp13/tapp13-final11.pdf Cheers, Nathaniel On Thu, Aug 29, 2013 at 4:24 PM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > On Thursday, August 29, 2013 12:59:33 PM zhu xiuming wrote: > > Has someone done some work related to the performance impact of enabling > > auditd on syscalls watching? > > Yes, long ago. > http://people.redhat.com/sgrubb/files/lspp-perf.tar.gz > > Short story is watches were undistinguishable from cache hit/misses and > syscall auditing gets more impact as more rules get added and based on how > complicated the rule is. CPU's have changed so much since I did the > benchmarking that I won't even hazard a guess as to what the performance > hit > is on current hardware with current kernel. > > -Steve > > -- > Linux-audit mailing list > Linux-audit(a)redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit > -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit