On Thursday, August 29, 2013 12:59:33 PM zhu xiuming wrote:
> Has someone done some work related to the performance impact of enabling
> auditd on syscalls watching?

Yes, long ago.

http://people.redhat.com/sgrubb/files/lspp-perf.tar.gz

Short story is watches were undistinguishable from cache hit/misses and
syscall auditing gets more impact as more rules get added and based on how
complicated the rule is. CPUs have changed so much since I did the
benchmarking that I won't even hazard a guess as to what the performance hit
is on current hardware with a current kernel.
-Steve