Possible performance bug
Linda Knippers
linda.knippers at hp.com
Fri Sep 9 22:36:30 UTC 2005
Chris Wright wrote:
> * Steve Grubb (sgrubb at redhat.com) wrote:
>
>>So, what about re-enabling these for existing processes when audit_enabled
>>changes to 1 again? That's the part I was kinda stuck at. I don't think we
>>constantly want to set the thread info.
>
>
> fresh out of good ideas ;-)
>
> that's partly why i'm curious if that patch makes a difference. if it
> doesn't then we can go with current method. same issue for lsm, and the
> rule of thumb is to make sure you're enabled from bootup, otherwise you
> have to check every process either at load time or lazily at syscall
> entrance. doing it at load time is ugly and discouraged (requires
> walking tasklist), and lazy method undoes the benefits of the patch.
Would it be better to not allow auditing to be enabled after boot
then? I'm concerned about the case where auditing isn't started
at boot time but enabled later. There could be alot of processes
that won't be audited. If things can't be both dynamic and correct
then I vote for correct.
-- ljk
More information about the Linux-audit
mailing list