Linux audit performance impact

Viswanath, Logeswari P (MCOU OSTL) logeswari.pv at hp.com
Mon Feb 23 13:28:47 UTC 2015



> -----Original Message-----
> From: linux-audit-bounces at redhat.com [mailto:linux-audit-
> bounces at redhat.com] On Behalf Of Paul Moore
> Sent: Saturday, February 21, 2015 2:52 AM
> To: Casey Schaufler
> Cc: Richard Guy Briggs; linux-audit at redhat.com
> Subject: Re: Linux audit performance impact
> 
> Yep.  However, just so we're clear, what I'm proposing is just a change in the
> kernel API and record format, ultimately the on disk format will be
> dependent on the audit userspace.  The good news is that if we can move
> away from this fixed string format it opens the door for different log formats;
> you could stick with the existing goofy strings or switch to any other format
> you like, you just have to write the daemon/tools.
> 
> I may end up writing some dummy tools just as part of the kernel
> development process, and I might even maintain them as a simple example
> of an audit userspace.  However, my hope is that Steve will update his audit
> userspace to take advantage of the new API when it is ready.
> 
> My main goal is to try and create a sane API/record-format for the kernel
> that is maintainable over time and feature creep.  My secondary goal is to
> push as much processing out of the kernel as possible, both for performance
> and flexibility reasons (see my main goal).  A binary record format based
> around netlink attributes is likely the path of least resistance for these goals.
> 
> Well, good news, you're in the right place.  My patches will be posted here
> and all are welcome, and encouraged, to provide their comments and/or
> patches.

We believe this idea of "handing over the unformatted/binary audit record to audit user space" 
gives flexibility to the audit user space to decide on how to handle it and brings
down the overhead that it causes to the system services.

We are also thinking of contributing to this change in the Linux audit implementation,
with the experience of handling auditing on HP-UX.

Regards,
Logeswari. 
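The idea discussed in this thread, a binary record built from netlink-style attributes that userspace is free to format as it likes, sketched as an added example (not code from this thread or from the audit project). Only the header layout mirrors the kernel's `struct nlattr`; the attribute types `AUD_A_PID` and `AUD_A_COMM` and the functions `put_attr` and `render_text` are hypothetical names chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the kernel's struct nlattr: len = header + payload, padded to 4. */
struct attr_hdr { uint16_t len, type; };
#define ATTR_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)
enum { AUD_A_PID = 1, AUD_A_COMM = 2 }; /* hypothetical attribute types */

/* Producer side: append one attribute; returns the new offset, 0 if it does not fit. */
static size_t put_attr(uint8_t *buf, size_t off, size_t cap, uint16_t type,
                       const void *data, uint16_t dlen)
{
    struct attr_hdr h = { (uint16_t)(sizeof h + dlen), type };
    size_t end = off + ATTR_ALIGN(h.len);
    if (end > cap) return 0;
    memset(buf + off, 0, end - off);
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + sizeof h, data, dlen);
    return end;
}

/* Consumer side: validate every attribute, render key=value text; -1 if malformed. */
static int render_text(const uint8_t *rec, size_t len, char *out, size_t outsz)
{
    size_t off = 0, w = 0;
    for (out[0] = '\0'; off < len; ) {
        struct attr_hdr h;
        int n = 0;                          /* unknown types are skipped */
        if (len - off < sizeof h) return -1;
        memcpy(&h, rec + off, sizeof h);
        if (h.len < sizeof h || h.len > len - off) return -1;
        const uint8_t *p = rec + off + sizeof h;
        size_t plen = h.len - sizeof h;
        if (h.type == AUD_A_PID) {
            uint32_t v;
            if (plen != sizeof v) return -1;
            memcpy(&v, p, sizeof v);
            n = snprintf(out + w, outsz - w, "pid=%u ", (unsigned)v);
        } else if (h.type == AUD_A_COMM) {
            n = snprintf(out + w, outsz - w, "comm=\"%.*s\" ", (int)plen, (const char *)p);
        }
        if (n < 0 || (size_t)n >= outsz - w) return -1;
        w += (size_t)n;
        off += ATTR_ALIGN(h.len);
    }
    return (int)w;
}
```

Building a record with `put_attr` and passing it to `render_text` yields the familiar key=value string; a different consumer could emit another format from the same bytes without any change on the producer side.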



