Hello List,
 
I work on Ubuntu 16.10 kernel 4.8 with audit v2.7.7, and we wrote plugin who get its input from audispd
 
This plugin process audit messages, mostly syscalls.
 
In out test we saw that malloc of auditd tooks ~5% among 9% of total CPU time audit consumes.
 
 
I wonder, whether libauparse indeed need to build dynamic lists, ex
 
auparse/nvlist.c:       nvnode* newnode = malloc(sizeof(nvnode));
 
Most audit message types have strict structure, the only name of exec and comm fields have variable length.
 
And besides when I do field search, I actually do not need field name, I can pass some ENUM.
 
 
I even think we can live without files or path names, inode +filesystem id will be enough to have in log
 
This can be configurable option and we can add to ausearch /aureport the task to translate inode to file name.
 
What do you think?