Benchmarking the performance impact of auditd
Steve Grubb
sgrubb at redhat.com
Thu Aug 29 20:24:34 UTC 2013
On Thursday, August 29, 2013 12:59:33 PM zhu xiuming wrote:
> Has someone done some work related to the performance impact of enabling
> auditd on syscalls watching?
Yes, long ago.
http://people.redhat.com/sgrubb/files/lspp-perf.tar.gz
Short story is watches were undistinguishable from cache hit/misses and
syscall auditing gets more impact as more rules get added and based on how
complicated the rule is. CPUs have changed so much since I did the
benchmarking that I won't even hazard a guess as to what the performance hit
is on current hardware with a current kernel.
-Steve
More information about the Linux-audit mailing list