Re: What does each audit record field mean?

Thanks a lot :-) I still have several questions: 1. My audit rule is auditctl -a exit,always -S open -F success=0, why in the audit record, the success field is no. And if I use the opposite rule auditctl -a exit,always -S open -F success!=0, the records' "success" field is yes? 2. In some audit records, the "success" is yes, but with a non-zero exit code. When does this situation occur(A syscall successes with a non-zero exit code)? 3.Have anyone ever tested the system performance impact when the kernel audit functionality is turned on? I've tested with the following audit rules auditctl -a exit,always -S read -F success=0 auditctl -a exit,always -S readv -F success=0 auditctl -a exit,always -S write -F success=0 auditctl -a exit,always -S writev -F success=0 auditctl -a exit,always -S fork -F success=0 auditctl -a exit,always -S clone -F success=0 auditctl -a exit,always -S truncate -F success=0 auditctl -a exit,always -S ftruncate -F success=0 auditctl -a exit,always -S link -F success=0 auditctl -a exit,always -S unlink -F success=0 auditctl -a exit,always -S symlink -F success=0 auditctl -a exit,always -S chown -F success=0 auditctl -a exit,always -S chmod -F success=0 auditctl -a exit,always -S fchown -F success=0 auditctl -a exit,always -S fchmod -F success=0 auditctl -a exit,always -S kill -F success=0 auditctl -a exit,always -S mmap -F success=0 auditctl -a exit,always -S signal -F success=0 I've tested the source code compile benchmark with the kscope1.6.0(a source reading toll). My platform is Fedora 8, 2.6.23 kernel version, and Intel Pentium(R) processor1.7GHZ, 512M main memory. Without any audit, the kscope compile time is as follows 0m32s total time 0m14s user space time 0m3s sys space time With the above audit rule set, the kscope source compile time is as follows 1m4s total time 0m14s user space time 0m15s sys space time It turned out that with some of the audit rule set, the kscope source compile process takes double time. I wonder why it has so heavy impact on the system's performance. I also read some papers(<<Automatic high-performance reconstruction and recovery>>) on other audit systems. The system's impact is relatively low,about 6%~8% with all syscall information audited.