On Monday, August 27, 2012 11:02:24 AM Peter Moody wrote:
 Does anyone know the number of audit rules that can be installed on a
 system before having to traverse the list of rules on every syscall
 starts to take a noticeable amount of time? I'm assuming no rules that
 generate excessive logs, so nothing like '-a exit,always -S execve' or
 '-a exit,always -S open'. 
We haven't done any official benchmarking in a long time. The way the rules are 
written very much affects performance, though.
-Steve