Watch Performance
Steve Grubb
sgrubb at redhat.com
Tue Apr 11 10:26:26 UTC 2006
On Monday 10 April 2006 23:51, Amy Griffis wrote:
> 1) what audit rules did you use?
I used the lspp rules to get the 1st 10, and the rest were against files
in /etc/test.
> 2) what system call(s) did you measure?
access("/usr/include", 0);
The watch rules were never triggered because I wanted to measure the overhead
where no audit events occur. The syscall exercises the file system without
doing any IO, which would complicate things, too.
-Steve
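The measurement described in the message above can be reproduced with a small timing loop; this is an added example, not code from the original post, and the function names, iteration count and best-of-5 trial scheme are assumptions. Running it once with no audit rules loaded and once with the watch rules in place gives the per-call overhead for the untriggered case.

```c
/* Added example: times access(path, F_OK), the call quoted in the post (F_OK == 0). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

static double now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Average cost in ns of one access(path, F_OK) over iters calls; -1.0 on bad input. */
double bench_access_ns(const char *path, long iters)
{
    if (path == NULL || iters <= 0)
        return -1.0;
    volatile int sink = 0;              /* keeps the loop from being optimised away */
    double start = now_ns();
    for (long i = 0; i < iters; i++)
        sink += access(path, F_OK);     /* path lookup only, no file IO */
    return (now_ns() - start) / (double)iters;
}

/* Lowest average across several trials, to damp scheduler noise. */
double best_of(const char *path, long iters, int trials)
{
    double best = -1.0;
    for (int t = 0; t < trials; t++) {
        double avg = bench_access_ns(path, iters);
        if (avg < 0.0) return -1.0;
        if (best < 0.0 || avg < best) best = avg;
    }
    return best;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/include";   /* path from the post */
    long iters = argc > 2 ? strtol(argv[2], NULL, 10) : 1000000; /* assumed default */
    double ns = best_of(path, iters, 5);
    if (ns < 0.0) { fprintf(stderr, "usage: %s [path] [iterations]\n", argv[0]); return 1; }
    printf("access(\"%s\", F_OK): %.1f ns per call (best of 5)\n", path, ns);
    return 0;
}
```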