performance questions

Steve Grubb sgrubb at redhat.com
Fri Sep 30 14:35:24 UTC 2011


On Friday, September 30, 2011 10:20:43 AM LC Bruzenak wrote:
> On Fri, 2011-09-30 at 09:20 -0400, Steve Grubb wrote:
> > On Thursday, September 29, 2011 11:33:09 AM LC Bruzenak wrote:
> ...
> 
> > You might try this:
> ...
> 
> > -	_get_exename(exename, sizeof(exename));
> > +	if (exename[0] == 0)
> > +		_get_exename(exename, sizeof(exename));
> > 
> >  	if (tty == NULL)
> >  	
> >  		tty = _get_tty(ttyname, TTY_PATH);
> >  	
> >  	else if (*tty == 0)
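Review bot: The guard `if (exename[0] == 0)` on the added lines assumes exename starts out zeroed and keeps its contents between calls, but its declaration is outside the hunk. Confirm the buffer is static, or otherwise zero-initialized and persistent; if it is an automatic array, the test reads uninitialized memory and nothing is ever cached. A one-line comment saying the path is looked up once and reused would help, because the first byte doubles as the "already cached" flag, and if _get_exename() leaves the buffer empty on failure the lookup is repeated on every call.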
> 
> Well, we could (and then it would work like the others) but we really
> want to store the exename I think. Isn't that what becomes
> "exe=<EXEPATH>" in the event?

It does. You can strace it. :)

 
> > We can probably use the return value of fprintf() +1 (for the NULL byte)
> > and just keep the running total in memory.
> 
> Oh, right. That would be more precise. Good idea!
> 
> Since we're looking, what about the fstatfs in check_disk_space? Any
> thoughts on that one?

Probably can't get rid of that one. Many times people don't separate the audit 
directory to its own partition. So, we wind up sharing space with /var/log/messages 
which anyone can write to. Even if we had it exclusively, sometimes there is a cron 
job that might come and grab files for archiving in which case an internal count would 
be off.

-Steve



