
Re: announce: readahead-1.4



On Thu, Mar 01, 2007 at 02:03:41PM -0800, Steve G wrote:
> >  >  The code is not tested with FC7, because libauparse (from
> >  >  audit-libs-devel) is broken in FC7 now.
> 
> Right, audit 1.5 should be out soon and has the hidden variable problem fixed. If
> you link statically, I don't think there is a problem. Nevertheless 1.5 will be
> out soon.

 Cool.

> > I don't have any numbers (yet), but I expect that audit rules for all
> > open(), stat(), ... have a negative performance impact for the kernel.
> 
> Yes, they do have an impact. But depending on what's needed, they can probably be
> combined to 1 rule.

 It's one rule:

	rc |= audit_rule_syscallbyname_data(audit_rule, "open");
	rc |= audit_rule_syscallbyname_data(audit_rule, "creat");
	rc |= audit_rule_syscallbyname_data(audit_rule, "truncate");
	rc |= audit_rule_syscallbyname_data(audit_rule, "execve");
	rc |= audit_rule_syscallbyname_data(audit_rule, "sendfile");

	if (rc < 0)
		goto err;

	rc = audit_add_rule_data(rac->fd, audit_rule,
			AUDIT_FILTER_ENTRY, AUDIT_ALWAYS);


 I'll try to check it and prepare some numbers. Maybe it's really so
 fast. No clue now.

> > I think for FC7 it's fine to keep it for advanced uses only. I hope we will
> > find a way to integrate the collector into the distro.
> 
> Actually, I think we could probably fix this too, but may need some time to
> address a couple kernel problems that this would impose. We might want to change
> the audit rule evaluation strategy to do all rules rather than first match. This
> is so that the rules for boot monitoring won't interfere with rules for security
> monitoring. There might be a few other tweaks, too.

 Sounds good. It's nothing urgent.

    Karel

-- 
 Karel Zak  <kzak redhat com>
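
The first-match concern discussed in this message, modelled as an added example (not code from readahead, libaudit or the kernel): each rule carries one bit per syscall, as in the single rule quoted above, and the two evaluators show how a boot-tracing rule shadows a security rule under first match. The syscall indexes, rule owners and function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed syscall indexes for this model; not real syscall numbers. */
enum { SC_OPEN, SC_CREAT, SC_TRUNCATE, SC_EXECVE, SC_SENDFILE, SC_CHMOD };
#define BIT(n) (UINT32_C(1) << (n))

/* One rule covers several syscalls through a bitmask (assumed layout). */
struct rule {
    const char *owner;  /* hypothetical label: who installed the rule */
    uint32_t    mask;   /* bit n set => rule applies to syscall n */
};

/* Constructed rule list: boot tracing first, security monitoring second. */
static const struct rule rules[] = {
    { "boot",     BIT(SC_OPEN) | BIT(SC_CREAT) | BIT(SC_TRUNCATE) |
                  BIT(SC_EXECVE) | BIT(SC_SENDFILE) },
    { "security", BIT(SC_OPEN) | BIT(SC_CHMOD) },
};
#define NRULES (sizeof(rules) / sizeof(rules[0]))

/* First match: stop at the first rule whose mask covers the syscall.
 * Returns a bitmap of rule indexes that fired (at most one bit set). */
unsigned eval_first_match(int sc)
{
    for (size_t i = 0; i < NRULES; i++)
        if (rules[i].mask & BIT(sc))
            return 1u << i;
    return 0;
}

/* All rules: every matching rule fires, so owners do not shadow each other. */
unsigned eval_all_rules(int sc)
{
    unsigned fired = 0;
    for (size_t i = 0; i < NRULES; i++)
        if (rules[i].mask & BIT(sc))
            fired |= 1u << i;
    return fired;
}

int main(void)
{
    /* open: first match fires only rule 0 (boot); all-rules fires both. */
    for (int sc = SC_OPEN; sc <= SC_CHMOD; sc++)
        printf("syscall %d: first-match=%#x all-rules=%#x\n",
               sc, eval_first_match(sc), eval_all_rules(sc));
    return 0;
}
```

In this model the security rule never sees open() under first match because the boot rule, listed earlier, consumes the event.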

