Re: Linux audit performance impact
On Fri, Feb 20, 2015 at 1:37 PM, Ed Christiansen MS <edwardc(a)ll.mit.edu> wrote:
As a guy who administers Irix today I can say the auditing on Irix
is
extensive, but I'd hesitate to reference it in this context because
the satd does NOT give you the option to choose success or failure
audits. You get both and it fills your disk fairly quickly. I've
had to disable it during periods of high activity because it will
halt your system (also not configurable) if it runs out of space. So,
maybe it didn't require much in the way of structure, but it left an awful
lot to be desire in the implementation.
I'm only planning a change in the format, not the content of the audit
records so you'll still have success/fail indicators like you do now.
--
paul moore
www.paul-moore.com