Watch Performance

Steve Grubb sgrubb at redhat.com
Tue Apr 11 21:01:23 UTC 2006


On Tuesday 11 April 2006 12:11, Amy Griffis wrote:
> -a exit,always -S chmod -S fchmod -S chown -S fchown -S lchown
> -S creat -S open -S truncate -S ftruncate -S mkdir -S rmdir -S unlink
> -S rename -S link -S symlink -F watch=/etc/sysconfig/console
>
> Now you don't have any rules for access(), so using it as the test
> case is much more interesting.

OK, I re-worked auditctl to use these syscalls instead of "all". I then re-ran 
the tests on the same kernel as I was testing on since lspp.17 has slab debug 
stuff turned on again.

rules  seconds  loss
    0       50    0%
   10       52    4%
   25       56   12%
   50       69   38%
   75       81   62%
   90       87   74%

The 75 rule performance hit is now 62%. So there is some improvement in 
performance. RHEL4 has a 6% hit for 90 rules. We've narrowed the difference, 
but I don't consider this solved.

I also don't like the idea of handling this by all those syscalls or using 
"all" because user space tools could get out of sync with the kernel. On any 
kernel upgrade, there could be a new syscall that allows file system access. 
The user space tools wouldn't know about it and wouldn't provide automatic 
coverage.

-Steve
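The post's last concern is that a rule enumerating specific syscalls silently loses coverage when a kernel adds a new path-modifying syscall. The script below is an added example, not code from the thread or from the audit project: it parses an auditctl watch rule of the form quoted above, extracts the `-S` syscalls and the `-F watch=` path, and reports which entries of a reference list of file-modifying syscalls the rule does not name. The reference list is constructed for illustration (it mixes the syscalls from the quoted rule with `*at()` variants and `mknod`, which exist in later kernels) and is not claimed to be complete; a real check would derive it from the running kernel's syscall table.

```python
# Added example (not from the mailing-list post): report which file-modifying
# syscalls an auditctl watch rule does not cover.
import shlex

# The rule quoted in the thread, with its three wrapped lines joined.
RULE = (
    "-a exit,always -S chmod -S fchmod -S chown -S fchown -S lchown "
    "-S creat -S open -S truncate -S ftruncate -S mkdir -S rmdir -S unlink "
    "-S rename -S link -S symlink -F watch=/etc/sysconfig/console"
)

# Constructed reference set of syscalls that can create, modify or remove a
# path. Assumption for this example only; derive it from the kernel in use.
FILE_MODIFYING_SYSCALLS = frozenset({
    "chmod", "fchmod", "fchmodat", "chown", "fchown", "lchown", "fchownat",
    "creat", "open", "openat", "truncate", "ftruncate", "mkdir", "mkdirat",
    "rmdir", "unlink", "unlinkat", "rename", "renameat", "link", "linkat",
    "symlink", "symlinkat", "mknod", "mknodat",
})


def parse_rule(rule: str) -> dict:
    """Return the syscalls (-S) and field filters (-F key=value) of a rule."""
    tokens = shlex.split(rule)
    syscalls, fields = set(), {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in ("-a", "-S", "-F"):
            raise ValueError(f"unexpected token {tok!r}")
        if i + 1 >= len(tokens):
            raise ValueError(f"{tok} is missing its argument")
        value = tokens[i + 1]
        if tok == "-S":
            syscalls.add(value)
        elif tok == "-F":
            key, _, val = value.partition("=")
            fields[key] = val
        # "-a list,action" carries no syscall or field information; skip it.
        i += 2
    return {"syscalls": syscalls, "fields": fields}


def uncovered_syscalls(rule: str, reference=FILE_MODIFYING_SYSCALLS) -> list:
    """Reference syscalls the rule does not name ("-S all" covers everything)."""
    parsed = parse_rule(rule)
    if "all" in parsed["syscalls"]:
        return []
    return sorted(reference - parsed["syscalls"])


if __name__ == "__main__":
    parsed = parse_rule(RULE)
    print("watched path:", parsed["fields"].get("watch"))
    for name in uncovered_syscalls(RULE):
        print("not covered by rule:", name)
```

Run against the quoted rule it lists the `*at()` calls and `mknod`/`mknodat` as uncovered, which is exactly the drift the post warns about: the rule is correct for the kernel it was written against and quietly incomplete for a later one.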
