-----Original Message-----
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces(a)redhat.com] On Behalf Of Paul Moore
Sent: Saturday, February 21, 2015 2:52 AM
To: Casey Schaufler
Cc: Richard Guy Briggs; linux-audit(a)redhat.com
Subject: Re: Linux audit performance impact
Yep. However, just so we're clear, what I'm proposing is just a change in the
kernel API and record format, ultimately the on disk format will be
dependent on the audit userspace. The good news is that if we can move
away from this fixed string format it opens the door for different log formats;
you could stick with the existing goofy strings or switch to any other format
you like, you just have to write the daemon/tools.
I may end up writing some dummy tools just as part of the kernel
development process, and I might even maintain them as a simple example
of an audit userspace. However, my hope is that Steve will update his audit
userspace to take advantage of the new API when it is ready.
My main goal is to try and create a sane API/record-format for the kernel
that is maintainable over time and feature creep. My secondary goal is to
push as much processing out of the kernel as possible, both for performance
and flexibility reasons (see my main goal). A binary record format based
around netlink attributes is likely the path of least resistance for these goals.
Well, good news, you're in the right place. My patches will be posted here
and all are welcome, and encouraged, to provide their comments and/or
patches.
We believe this idea of "handing over the unformatted/binary audit record to audit
user space" gives flexibility to the audit user space to decide how to handle it and
brings down the overhead that it causes to the system services.
We are also thinking of contributing to this change of the Linux audit implementation
with the experience of handling auditing on HP-UX.
Regards,
Logeswari.
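The thread above argues for replacing the fixed audit string with a binary record built from netlink attributes, leaving the formatting to the audit userspace. The following is an added example, not code from this thread or from the Linux audit project, sketching what the userspace side of that split looks like: a record is encoded as netlink-style attributes using the nla_len/nla_type framing from <linux/netlink.h>, parsed back with strict bounds checks so a malformed length cannot run the daemon off the end of the buffer, and rendered as the legacy key=value line (with the hex-encoding rule the existing audit format applies to untrusted strings). The attribute numbers, field names and sample values are constructed for this example and are not the kernel's real audit attribute definitions.

```python
import struct

# Netlink attribute framing from <linux/netlink.h>: a 4-byte header
# (u16 nla_len, u16 nla_type), then the payload, padded to 4 bytes.
NLA_HDRLEN = 4
NLA_ALIGNTO = 4

# Attribute numbering and kinds are constructed for this example; they are
# not the kernel's real audit attribute definitions.
U32, U8, STR = "u32", "u8", "str"
SCHEMA = {
    1: ("syscall", U32),
    2: ("pid", U32),
    3: ("uid", U32),
    4: ("comm", STR),
    5: ("exe", STR),
    6: ("success", U8),
}
TYPE_BY_NAME = {name: (num, kind) for num, (name, kind) in SCHEMA.items()}


def nla_align(n):
    """Round n up to the next multiple of NLA_ALIGNTO."""
    return (n + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1)


def nla_put(attr_type, payload):
    """Emit one attribute: header, payload, zero padding to alignment."""
    nla_len = NLA_HDRLEN + len(payload)
    hdr = struct.pack("=HH", nla_len, attr_type)
    return hdr + payload + b"\0" * (nla_align(nla_len) - nla_len)


def encode_record(fields):
    """Encode {name: value} as a sequence of netlink attributes."""
    out = bytearray()
    for name, value in fields.items():
        num, kind = TYPE_BY_NAME[name]
        if kind == U32:
            payload = struct.pack("=I", value)
        elif kind == U8:
            payload = struct.pack("=B", value)
        else:
            payload = value.encode() + b"\0"  # NUL-terminated, like NLA_STRING
        out += nla_put(num, payload)
    return bytes(out)


def nla_parse(buf):
    """Walk the attribute stream, refusing any attribute that overruns buf.

    A daemon that trusts nla_len blindly can be taken down by one bad record,
    so every header and payload is bounds-checked before it is touched.
    """
    attrs, off = [], 0
    while off < len(buf):
        if len(buf) - off < NLA_HDRLEN:
            raise ValueError("truncated attribute header at offset %d" % off)
        nla_len, nla_type = struct.unpack_from("=HH", buf, off)
        if nla_len < NLA_HDRLEN:
            raise ValueError("attribute length %d below header size" % nla_len)
        if off + nla_len > len(buf):
            raise ValueError("attribute length %d overruns buffer" % nla_len)
        attrs.append((nla_type, bytes(buf[off + NLA_HDRLEN:off + nla_len])))
        off += nla_align(nla_len)
    return attrs


def parse_error(buf):
    """Return the parse error message for buf, or None if it parses cleanly."""
    try:
        nla_parse(buf)
        return None
    except ValueError as err:
        return str(err)


def legacy_string(raw):
    """Render a string field the way the legacy audit format does: quoted when
    it is plain printable text, hex-encoded when it holds a quote, a space or
    a non-printable byte, so the line stays unambiguous to parse."""
    s = raw.split(b"\0", 1)[0]
    if all(0x21 <= b < 0x7F and b != 0x22 for b in s):
        return '"' + s.decode("ascii") + '"'
    return s.hex().upper()


def format_legacy(attrs):
    """Turn parsed attributes into the classic key=value line. Unknown types
    are skipped, so older tools keep working when the kernel adds fields."""
    parts = []
    for nla_type, payload in attrs:
        if nla_type not in SCHEMA:
            continue
        name, kind = SCHEMA[nla_type]
        if kind == U32:
            if len(payload) != 4:
                raise ValueError("%s: expected 4-byte payload" % name)
            parts.append("%s=%d" % (name, struct.unpack("=I", payload)[0]))
        elif kind == U8:
            if len(payload) != 1:
                raise ValueError("%s: expected 1-byte payload" % name)
            parts.append("%s=%s" % (name, "yes" if payload[0] else "no"))
        else:
            parts.append("%s=%s" % (name, legacy_string(payload)))
    return " ".join(parts)


# Constructed sample record, as the kernel might hand it to userspace.
SAMPLE = encode_record({"syscall": 59, "pid": 4242, "uid": 1000,
                        "comm": "bash", "exe": "/usr/bin/bash", "success": 1})

if __name__ == "__main__":
    print(format_legacy(nla_parse(SAMPLE)))
```

The same parsed attributes could just as easily be emitted as JSON or any other format; only format_legacy knows about the old string layout, which is the point of moving that work out of the kernel.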