Application audit through auditd
Burn Alting
burn at swtf.dyndns.org
Wed Jun 4 11:36:15 UTC 2014
Hi Peoples,
Has anyone had experience with using the audit libraries for application
level audit - i.e. your application log events through
audit_log_user_message() library calls?
In particular I am interested in your experiences where you have
applications generating a lot of audit records through this interface,
but at the same time, implementing, say the STIG rules along with execve
auditing. That is adding
-a exit,always -F arch=b32 -S execve -k cmds
-a exit,always -F arch=b64 -S execve -k cmds
to the stig.rules file found in either /usr/share/doc/audit-2.2 or the
contrib directory in the audit source.
Although I haven't done any testing yet, my supposition is that, on
systems that are doing a lot of execve's, then the use of the
audit_log_user_message() interface slows down the applications as they
are waiting on the netlink kernel queues.
Any comments before I start my investigations?
Regards
Burn
More information about the Linux-audit
mailing list