expected performance hit for logging all execve's?

Steve Grubb sgrubb at redhat.com
Sat Jan 21 00:29:14 UTC 2012


On Friday, January 20, 2012 03:06:13 PM Peter Moody wrote:
> I'm trying to run some tests so I can find locally relevant numbers,
> but I was wondering if you had any idea what sort of performance hit
> I'd be incurring by logging every successful execve.
> 
> To be sure, I consider this a bad idea and I'm actually looking to
> dissuade people of it.

It is a bad idea. Think of shell scripting. You can get 100s of execve's for just
one command on a command line. You'll never find what you think you wanted. I
think we did some testing over 5 years ago. There was a micro-benchmark here:

http://people.redhat.com/sgrubb/files/lspp-perf.tar.gz

I think it was testing the access syscall. But you can substitute what you want. 
I have not benchmarked the audit system in years.

-Steve
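
An added example, not part of the original message and not the contents of the lspp-perf tarball: a micro-benchmark in the spirit described above that times access(2) and a fork + execve + wait cycle. The function names, iteration counts and the `/bin/true` target are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Monotonic clock reading in nanoseconds. */
static double now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1e9 + ts.tv_nsec;
}

/* Mean cost in ns of one access(2) call over n iterations. */
double bench_access(long n) {
    double t0 = now_ns();
    for (long i = 0; i < n; i++)
        access("/", F_OK);
    return (now_ns() - t0) / n;
}

/* Mean cost in ns of fork + execve + wait over n runs; -1 on any failure. */
double bench_execve(const char *path, long n) {
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };
    double t0 = now_ns();
    for (long i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1.0;
        if (pid == 0) {
            execve(path, argv, envp);
            _exit(127);               /* only reached if execve failed */
        }
        int status;
        if (waitpid(pid, &status, 0) < 0) return -1.0;
        if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1.0;
    }
    return (now_ns() - t0) / n;
}

int main(void) {
    /* Iteration counts are arbitrary; raise them for steadier numbers. */
    printf("access: %.0f ns/call\n", bench_access(1000000));
    printf("execve: %.0f ns/call\n", bench_execve("/bin/true", 2000));
    return 0;
}
```

Run it once with no audit rules loaded and once with an execve rule such as `auditctl -a always,exit -F arch=b64 -S execve -F success=1`, then compare the per-call figures.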