max number of rules?
Steve Grubb
sgrubb at redhat.com
Mon Aug 27 18:45:39 UTC 2012
On Monday, August 27, 2012 11:02:24 AM Peter Moody wrote:
> Does anyone know the number of audit rules that can be installed on a
> system before having to traverse the list of rules on every syscall
> starts to take a noticeable amount of time? I'm assuming no rules that
> generate excessive logs, so nothing like '-a exit,always -S execve' or
> '-a exit,always -S open'.
We haven't done any official benchmarking in a long time. The way the rules are
written very much affects performance, though.
-Steve
More information about the Linux-audit
mailing list