>> I think we have to start thinking about this. People are
comparing system
>> performance with audit disabled and enabled and not compiled in at all. The
>> hit is significant. We need to see what can be done to make it better.
Absolutely agreed. Profiles would be quite helpful here.
We've got some people looking at some performance issues that we're
seeing, most clearly on ia64 but also on other platforms, so I've sent
them this thread for their input, and perhaps we can get some results
from them.
As Steve mentioned, we're also seeing performance differences with
audit on, audit once on but now off, and audit never on. In all cases
is the same kernel. The difference is whether the auditd has ever
been started.
It looks like when disabling auditing with auditctl, not everything is
disabled. That seems like a bug but it also means that you have to be
very careful when running tests to make sure you're measuring what you
think you're measuring. That's true with performance work in general
and in this case it means that you can't just turn audit on, run a test,
turn it off, run a test and think you're looking at just the performance
impact of audit being enabled.
-- ljk